You'll LITERALLY PAY for getting tricked into visiting these scam sites

Invisible self-pushing zombie payment buttons alarm mobe security experts

Update Cyber-crooks have latched on to online scams that exploit direct-to-bill payment options.

Security biz Malwarebytes warns that crooks are tricking users into visiting mobile sites containing code that charges users via their mobile number. Victims are corralled through a complex series of pop-up adverts to a fly-by-night web address with a hidden payment button that charges a fee.

Marks only discover they've been fleeced after receiving a text saying "you’ve paid £5 for one entry for visiting our website" or similar.

Direct-to-bill online services have been around for some years, offering consumers a means to pay for services using their mobile phones without relying on a credit or debit card. The facility has numerous legitimate uses (charity donations, for example) but in cases highlighted by Malwarebytes, fraudsters have abused the system to suit their own nefarious purposes.

Christopher Boyd, a malware intelligence analyst at Malwarebytes, said that the scam illustrates the hidden danger from pop-ups, adverts and mobile redirects.

"In some cases, victims may be convinced they’ve not even interacted with the page in terms of clicking on buttons, filling in forms or signing up to something before receiving a text message stating they've been charged," Boyd said.

Sites related to rogue charges place paid advertising on ad networks. These links go through a series of redirects before eventually landing at “one-time use” URLs – i.e. if you went back and visited one again, nothing would happen: you’d simply see a blank page. This makes it difficult to determine the precise mechanism of the scam, though Boyd and his colleagues suspect hidden payment buttons.

Frauds along this line have been a constant source of complaints on forums and other sites for a number of years, according to Boyd, in one of the first objective assessments of the impact of the apparently wide-ranging scam.

"Some of the thread posters will state that they did indeed click on things or download something, but the majority are firm in their belief that they didn’t interact with pages in any way, shape or form," he said. "Many of them mention having seen rogue pop-up ads before being billed (sometimes with content on them, sometimes not) and they’re also understandably a touch worried. There are multiple complaints regarding repeat billing over time."

Getting charges refunded can be difficult, according to Boyd, who advised users to take advantage of mobile ad-blocker software.

Three and O2 told Mobile Today that they work hard to minimise abuse of services such as Payforit, an operator-run direct-to-bill payment service.

The service is regulated by PhonepayPlus, the UK's premium rate phone-paid services regulator. PhonepayPlus is yet to respond to El Reg's request to comment on Malwarebytes' research, or on the extent of direct-to-bill payment fraud.

Boyd is unsure about the extent of the fraud in this area beyond saying that the large number of complaints he uncovered suggests that it's a growing problem.

"I've only come across these via the multitude of complaints about contested payments," he said. "As for numbers, they seem to be constant background noise, with a definite shift towards dubious rotating adverts in the last few months."


In a statement, PhonepayPlus said that consumers ought to be informed up-front about any charges before they are incurred. It promised to act on complaints about violations of this aspect of its Code of Practice.

“PhonepayPlus works closely with the police, industry providers and other regulators for the benefit of consumers and reputable premium rate service providers.

“PhonepayPlus recently issued a compliance update to the PRS industry on the information companies should give before consumers enter a contract or obligation to pay. This compliance update supports longstanding guidance on how all types of promotions should comply with the rules in our Code of Practice. The Code itself contains clear rules that state consumers must clearly receive the price and other key information before they initiate a purchase, and that the consumer consent to any purchase must be secure, and verifiable after the event.

“If PhonepayPlus finds evidence of breaches of its Code of Practice we will look into the matter and take action." ®

Similar topics

Broader topics

Narrower topics

Other stories you might like

  • EU-US Trade and Technology Council meets to coordinate on supply chains
    Agenda includes warning system for disruptions, and avoiding 'subsidy race' for chip investments

    The EU-US Trade and Technology Council (TTC) is meeting in Paris today to discuss coordinated approaches to global supply chain issues.

    This is only the second meeting of the TTC, the agenda for which was prepared in February. That highlighted a number of priorities, including securing supply chains, technological cooperation, the coordination of measures to combat distorting practices, and approaches to the decarbonization of trade.

    According to a White House pre-briefing for US reporters, the EU and US are set to announce joint approaches on technical discussions to international standard-setting bodies, an early warning system to better predict and address potential semiconductor supply chain disruptions, and a transatlantic approach to semiconductor investments aimed at ensuring security of supply.

    Continue reading
  • US cops kick back against facial recognition bans
    Plus: DeepMind launches new generalist AI system, and Apple boffin quits over return-to-work policy

    In brief Facial recognition bans passed by US cities are being overturned as law enforcement and lobbyist groups pressure local governments to tackle rising crime rates.

    In July, the state of Virginia will scrap its ban on the controversial technology after less than a year. California and New Orleans may follow suit, Reuters first reported. Vermont adjusted its bill to allow police to use facial recognition software in child sex abuse investigations.

    Elsewhere, efforts are under way in New York, Colorado, and Indiana to prevent bills banning facial recognition from passing. It's not clear if some existing vetoes set to expire, like the one in California, will be renewed. Around two dozen US state or local governments passed laws prohibiting facial recognition from 2019 to 2021. Police, however, believe the tool is useful in identifying suspects and can help solve cases especially in places where crime rates have risen.

    Continue reading
  • RISC-V needs more than an open architecture to compete
    Arm shows us that even total domination doesn't always make stupid levels of money

    Opinion Interviews with chip company CEOs are invariably enlightening. On top of the usual market-related subjects of success and failure, revenues and competition, plans and pitfalls, the highly paid victim knows that there's a large audience of unusually competent critics eager for technical details. That's you.

    Take The Register's latest interview with RISC-V International CEO Calista Redmond. It moved smartly through the gears on Intel's recent Platinum Membership of the open ISA consortium ("they're not too worried about their x86 business"), the interest from autocratic regimes (roughly "there are no rules, if some come up we'll stick by them"), and what RISC-V's 2022 will look like. Laptops. Thousand-core AI chips. Google hyperscalers. Edge. The plan seems to be to do in five years what took Arm 20.

    RISC-V may not be an existential risk to Intel, but Arm had better watch it.

    Continue reading

Biting the hand that feeds IT © 1998–2022