
Watch out for Costly Mobile Ads

There are lots of ways you can have a bad hair day with a mobile device – a rogue app from the Play Store, a dubious file from a non-official source or even a phishing attack which takes advantage of a mobile's smaller screen size.

A more mundane nuisance is pop-ups, adverts and redirects – you'll probably encounter these every so often on your mobile, but the worst you'll get from those is a migraine-inducing advert or a "You are our 1,000,000th visitor" banner. Right?

Well….

Picture this. You're using your phone and browsing a popular forum or website. You open a thread and one of the adverts on the page immediately redirects you, opening a new browser tab. You may be presented with a set of questions on a hard-to-close pop-up advert, or what appears to be a video, or even what appears to be a blank page. You close what appears to be an otherwise harmless tab and go about your business.

In some cases you may be certain you never interacted with the page at all: no buttons clicked, no forms filled in, nothing signed up to.

Five minutes later…

You've been billed

FreeMsg: you’ve paid £5.00 for 1 entry from [website / service] visited at (time) HELP? [phone number / email address] View again at [website]

Should you receive a message similar to the above, you’ll likely find that the charge has indeed been applied. Here’s the charge for the above message:

Payment has gone out

How is this happening?

That’s a very good question.

There are already lots of common ways you can pay for things online with a mobile. Those are services you’d normally set up an account with, and login to use.

Alongside those, there’s another type of payment method available for mobile users where no payment card or registration is required.

These are payment services provided by groups of mobile operators which let you visit a page (here's an example of such a setup), see something you want to buy, then hit the "Buy now" (or equivalent) button. The payment is applied directly to your mobile network account, and the operator then passes the charge on to you.

There are a number of payment intermediaries who handle the various stages of payment – from processing billing requests to ensuring the phone owner is presented with an on-screen payment page. The final stage is the merchants – website owners – who sign up to make use of the platform and let visitors pay for their services with a click of a button.

So far, so good. This could work well for many things (a charity or disaster relief appeal you want to donate to? Great, hit the button), but it seems some websites may well be taking advantage of this payment design in peculiar ways, resulting in unwanted charges for furious phone owners.

The basic method here is:

1) Sites related to these charges place paid advertising on ad networks.

2) The adverts redirect visitors from the original website to their own, typically in the form of a new tab / window.

3) The soon-to-be-billed individual may find themselves bounced through a few ad network URLs before hitting their final destination.

4) That final destination might take the form of a hard-to-close "quiz" pop-up, or a supposed video, or – in the example related to the screenshots above – what appeared to be a blank page which was closed before any content could load in. The site would also take note of whether you were visiting the page from a mobile device, as opposed to just turning up on your Windows 8 PC.

5) The payment for “services” is applied to the mobile network operator, who passes the charge onto their customer.

The redirects send people to "one time use" URLs: if you went back and visited one again, nothing would happen. You'd simply see an actual blank page, because the link has already done its job with regard to the first person to visit it.

This makes it very difficult to know what they're doing behind the scenes to pull this off (potentially hiding payment buttons, or offering up dubious adverts). You'd need advance knowledge of where one of these adverts would appear, a test phone in hand, and the means to research and track what is taking place.

As the advert placement is random, it's pretty much needle-in-a-haystack time. You can find many direct links to some of these websites online, often posted on social media by angry people with charges applied to their accounts, but if you visit the links, they won't do anything.
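Step 3 above (being bounced through several ad-network URLs) and the point that you need a test phone and a way to track what is happening are where a practitioner would want some tooling. The following Python script is an added example, not code from the original post or from any of the services it describes. It rebuilds the redirect chains from a HAR file (the HTTP archive that a browser's developer tools, or a proxy such as mitmproxy sitting in front of a test phone, can export), flags chains that hop across several hosts before landing, and notes whether the capture came from a mobile browser. The HAR excerpt embedded in it is constructed, and the host names, the token in the landing URL and the three-host threshold are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR 1.2 excerpt, not a real capture. One forum page load on a mobile
# browser, followed by an advert click that bounces through two ad-network hosts to
# a landing page whose path carries a one-off token. Every host, path, token and
# timestamp below is made up for illustration.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "startedDateTime": "2014-11-03T12:00:00.000Z",
                "request": {
                    "url": "https://forum.example/thread/4521",
                    "headers": [{"name": "User-Agent",
                                 "value": "Mozilla/5.0 (Linux; Android 4.4; Nexus 5) "
                                          "AppleWebKit/537.36 Mobile Safari/537.36"}],
                },
                "response": {"status": 200, "redirectURL": ""},
            },
            {
                "startedDateTime": "2014-11-03T12:00:04.000Z",
                "request": {"url": "https://adnet-one.example/click?cid=77812", "headers": []},
                "response": {"status": 302,
                             "redirectURL": "https://adnet-two.example/r?u=landing.example"},
            },
            {
                "startedDateTime": "2014-11-03T12:00:05.000Z",
                "request": {"url": "https://adnet-two.example/r?u=landing.example", "headers": []},
                "response": {"status": 302,
                             "redirectURL": "https://landing.example/go/9f3c2a7e"},
            },
            {
                "startedDateTime": "2014-11-03T12:00:06.000Z",
                "request": {"url": "https://landing.example/go/9f3c2a7e", "headers": []},
                "response": {"status": 200, "redirectURL": ""},
            },
        ],
    }
}


def load_har(path):
    """Load a real HAR export from disk (same structure as SAMPLE_HAR)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def host_of(url):
    return urlsplit(url).hostname or ""


def redirect_chains(har):
    """Rebuild every redirect chain in the capture, in capture order.

    HAR 1.2 records a 3xx hop's target in response.redirectURL. Entries are indexed
    by request URL; each entry that nothing else redirected to starts a chain, which
    is followed hop by hop until a non-redirect or a hop missing from the capture.
    """
    entries = har["log"]["entries"]
    by_url, targets = {}, set()
    for e in entries:
        by_url.setdefault(e["request"]["url"], e)
        target = e["response"].get("redirectURL") or ""
        if target:
            targets.add(target)
    chains = []
    for e in entries:
        url = e["request"]["url"]
        if url in targets:
            continue  # reached from an earlier hop; it belongs to that chain
        chain, seen, cur = [url], {url}, e
        while cur is not None:
            nxt = cur["response"].get("redirectURL") or ""
            if not nxt or nxt in seen:  # end of chain, or a redirect loop
                break
            chain.append(nxt)
            seen.add(nxt)
            cur = by_url.get(nxt)  # None if the target was never captured
        chains.append(chain)
    return chains


def flag_chains(chains, min_hosts=3):
    """Return (chain, distinct host count) for chains crossing min_hosts or more hosts.

    An in-site redirect stays on one host; an advert bouncing a visitor through
    several ad-network hosts before the landing page is the pattern described above.
    The threshold of three is an assumption, not a rule from the post.
    """
    return [(c, len({host_of(u) for u in c}))
            for c in chains if len({host_of(u) for u in c}) >= min_hosts]


def is_mobile_capture(har):
    """True if any request carried a mobile User-Agent (assumed: 'Mobile' or 'Android' token)."""
    for e in har["log"]["entries"]:
        for h in e["request"].get("headers", []):
            if h["name"].lower() == "user-agent" and ("Mobile" in h["value"] or "Android" in h["value"]):
                return True
    return False


def report(har):
    chains = redirect_chains(har)
    return {"mobile": is_mobile_capture(har), "chains": len(chains), "flagged": flag_chains(chains)}


if __name__ == "__main__":
    result = report(SAMPLE_HAR)
    print("mobile capture:", result["mobile"])
    for chain, hosts in result["flagged"]:
        print(f"{hosts} hosts, {len(chain)} hops:")
        for u in chain:
            print("   ->", u)
```

Run it against a real export by passing `load_har("capture.har")` to `report` in place of `SAMPLE_HAR`. Because the one-time URLs described above cannot be revisited, a capture taken at the moment of the redirect is the only record of the chain you will get; keep the HAR file if you intend to complain to your operator or the regulator.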

How long has this been happening?

Surprisingly, this has been a constant source of complaints on forums and other sites for a number of years:

[1], [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [13]

Some of the thread posters will state that they did indeed click on things or download something, but the majority are firm in their belief that they didn’t interact with pages in any way, shape or form. Many of them mention having seen rogue pop-up ads before being billed (sometimes with content on them, sometimes not) and they’re also understandably a touch worried:

“I’m completely disillusioned as I have never ever accessed the content and it seems impossible to get these charges refunded, I’m also very worried that it will happen again. If £30 can disappear out of nowhere, what’s stopping £300 or £3000 from being charged without my knowledge!”

The payment systems I’ve seen seem to be geared towards “low cost” transactions, so while I don’t think £3,000 is realistically going to appear on your bill, there are multiple complaints regarding repeat billing over time – which still isn’t great.

Here’s another individual commenting on a rogue ad related to these contested charges:

“I was tapping my phone trying to get rid of a pop-up that wouldn’t go away”

I don't know about you, but this makes me glad there are ad blockers on mobile devices. Being able to pay for things online when you have no payment card handy is potentially very useful, but the seeming lack of verification on the device owner's side (would it really hurt to have to reply to a text confirming you want to use a service?) means you should probably be very wary of random advert redirects. I did read that at least one of these payment systems was supposed to be introducing a form of 2FA, which would make it a lot more difficult to find yourself losing money for reasons you can't quite explain.

Whether the trigger is a blank page or an advert pushing hard-to-exit content, there are some steps you can take to avoid being accidentally billed:

1) Install an ad blocker / security software on your phone.

2) Contact your mobile operator and have them block premium services, which tend to be enabled by default unless you specifically ask for them to be disabled.

3) If you feel you've been hit by an unfair charge, you can contact the premium rate services regulator, enter the number from whatever text you've received and make a complaint.

Immediacy and an absence of hassle are great things when you’re constantly on the go, but we should always take steps to ensure simplicity doesn’t just cause an even bigger headache. Sometimes a dash of complexity is a good thing – and a lot less costly in the long run.

Christopher Boyd

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.