Back when the mobile phone market exploded in the early ’00s, SMS subscription services sometimes provided good fodder for party conversations. A new joke or piece of trivia delivered regularly right to your phone? It certainly was a fun novelty. That’s of course until we realized that the internet actually gave us a more efficient and comprehensive way of accessing the same content.
Apparently, however, these services still exist. And now they’re being exploited by scammers who have developed ways to automatically sign up users to SMS subscriptions, and then pocket the fees for themselves through malvertising.
For many users, these messages welcoming them to some unfamiliar monthly subscription service simply seem odd and annoying. But they’re often more sinister than that. If you see one or more such messages on your mobile phone, check your bill at the end of the month. Scammers may very well have added your number to a list without your consent.
If this is the case, you could be billed for the service each month directly through your mobile provider. These scammers count on you to pay your phone bill without checking the breakdown of charges and fees. If you contact your provider and ask them to void the charge and cancel the subscription, there’s a good chance they will do so. But many mobile users don’t even bother to check each line item on their bills.
SMS subscription fraud has been a problem for more than a decade, and like a lot of digital fraud tactics, has evolved over time. In the past, scammers might have entered random phone numbers into a web form and hoped for a few to work. Before unlimited texting became commonplace, they may have even been satisfied with pocketing fees from individual texts to the user.
Today, SMS subscription scams aim for a broader base of users, and are geared toward collecting fraudulent monthly charges without the user’s consent.
GeoEdge has identified and studied one such wave of SMS subscription fraud attacks. It happened recently in Italy, where paid SMS subscriptions are legal as long as the user consents. There, scammers deploy code in banner ads that don’t appear to have anything to do with a paid SMS subscription and never prompt the user to subscribe to a list. But if and when a user clicks on the ad - whether intentionally or not - the scammers’ code is deployed.
The deployed code obtains the user’s “consent” to subscribe to a list through one of two flows. The first flow relies on deceptive content that pops up through display ads and on the user’s actual consent through a click; the user is typically not informed of the cost the subscription will incur.
The second flow forges the mobile user’s consent outright - the user never clicks to approve the subscription, and their consent is fabricated seamlessly in the background.
The signup mechanism for the service is similar in both flows: obfuscated malicious code starts an automated billing process, in which all required billing information is requested from the mobile carrier and submitted to the billing company. The code makes sure that the information is submitted in a human-like rhythm, in order to avoid detection and bypass anti-fraud controls. The result is a form, created entirely by the code, that contains all the required information and is then submitted automatically.
The user then receives a confirmation message informing them that they’ve been subscribed and will be charged accordingly. Many users assume this is a harmless mistake, or possibly the first step of a phishing scam, and they dismiss the SMS. In reality, they’ve already been scammed, and they’ll continue to be scammed every month unless they contact their mobile provider.
Some of these messages come with a disclaimer that they can be stopped simply by texting the word “STOP” back to the sender. Those disclaimers are not to be trusted—just the same as every other part of these messages. Replying confirms that your number belongs to an actual human, which could invite the scammers to sell your number to other lists without your consent.
Ultimately, the best way to combat SMS fraud is to monitor your bill and stay in contact with your provider, rather than share information with scammers.
GeoEdge is monitoring this issue closely – so stay tuned for more recommendations and guidance.