Update: Cyber-crooks have latched on to online scams that exploit direct-to-bill payment options.
Security biz Malwarebytes warns that crooks are tricking users into visiting mobile sites containing code that charges users via their mobile number. Victims are corralled through a complex series of pop-up adverts to a fly-by-night web address with a hidden payment button that charges a fee.
Marks only discover they've been fleeced after receiving a text saying "you’ve paid £5 for one entry for visiting our website" or similar.
Direct-to-bill online services have been around for some years, offering consumers a means to pay for services using their mobile phones without relying on a credit or debit card. The facility has numerous legitimate uses (charity donations, for example) but in cases highlighted by Malwarebytes, fraudsters have abused the system to suit their own nefarious purposes.
Christopher Boyd, a malware intelligence analyst at Malwarebytes, said that the scam illustrates the hidden danger from pop-ups, adverts and mobile redirects.
"In some cases, victims may be convinced they’ve not even interacted with the page in terms of clicking on buttons, filling in forms or signing up to something before receiving a text message stating they've been charged," Boyd said.
Sites related to rogue charges place paid advertising on ad networks. These links go through a series of redirects before eventually landing at “one-time use” URLs – i.e. if you went back and visited one again, nothing would happen: you’d simply see a blank page. This makes it difficult to determine the precise mechanism of the scam, though Boyd and his colleagues suspect hidden payment buttons.
Frauds along this line have been a constant source of complaints on forums and other sites for a number of years, according to Boyd, in one of the first objective assessments of the impact of the apparently wide-ranging scam.
"Some of the thread posters will state that they did indeed click on things or download something, but the majority are firm in their belief that they didn’t interact with pages in any way, shape or form," he said. "Many of them mention having seen rogue pop-up ads before being billed (sometimes with content on them, sometimes not) and they’re also understandably a touch worried. There are multiple complaints regarding repeat billing over time."
Getting charges refunded can be difficult, according to Boyd, who advised users to take advantage of mobile ad-blocker software.
Three and O2 told Mobile Today that they work hard to minimise abuse of services such as Payforit, an operator-run direct-to-bill payment service.
The service is regulated by PhonepayPlus, the UK's premium rate phone-paid services regulator. PhonepayPlus is yet to respond to El Reg's request to comment on Malwarebytes' research, or on the extent of direct-to-bill payment fraud.
Boyd is unsure about the extent of the fraud in this area beyond saying that the large number of complaints he uncovered suggests that it's a growing problem.
"I've only come across these via the multitude of complaints about contested payments," he said. "As for numbers, they seem to be constant background noise, with a definite shift towards dubious rotating adverts in the last few months."
In a statement, PhonepayPlus said that consumers ought to be informed up-front about any charges before they are incurred. It promised to act on complaints about violations of this aspect of its Code of Practice.
“PhonepayPlus works closely with the police, industry providers and other regulators for the benefit of consumers and reputable premium rate service providers.
“PhonepayPlus recently issued a compliance update to the PRS industry on the information companies should give before consumers enter a contract or obligation to pay. This compliance update supports longstanding guidance on how all types of promotions should comply with the rules in our Code of Practice. The Code itself contains clear rules that state consumers must clearly receive the price and other key information before they initiate a purchase, and that the consumer consent to any purchase must be secure, and verifiable after the event.
“If PhonepayPlus finds evidence of breaches of its Code of Practice we will look into the matter and take action.” ®