When the mobile phone market exploded, SMS subscriptions provided good fodder for party conversations. A new joke or piece of trivia delivered regularly right to your phone? It seemed like a harmless, fun novelty. That’s of course until we realized that the internet offered a more efficient and comprehensive way to access the same content.
Yet even in the internet age, these premium SMS subscriptions still exist. But now they’re being exploited by threat actors who have developed ways to automatically sign up users to an SMS subscription service and then pocket the premium SMS charges.
Many users ignore messages that welcome them to some unfamiliar monthly subscription services, seeing them simply as odd or annoying. But they’re often more sinister than that.
It’s important to keep your eyes open for warning signs. If you see a suspicious text message, or multiple unsolicited text messages with suspicious links on your mobile phone, check your phone bills and your bank account at the end of the month. Scammers may have added your phone number to a list without your consent.
If this is the case, your mobile carrier could bill you for the premium SMS option every month directly through your mobile provider. These scammers count on you to pay your phone bill without checking the breakdown of charges and fees.
If you contact your mobile carrier and ask them to void and cancel the charge, there’s a good chance they will do so. But many mobile users don’t even bother to check each line item on their bills.
What is SMS subscription fraud?
SMS subscription fraud has been a problem for more than a decade, and like a lot of digital fraud tactics, it has evolved over time. In the past, scammers might have entered random phone numbers into a web form and hoped to gain access for a handful. Before unlimited texting became commonplace, they may have even been satisfied with pocketing fees from individual texts to a mobile device.
Today, SMS subscription scams target the personal accounts of a broader base of users and are geared toward collecting fraudulent monthly charges without the user’s consent. GeoEdge has identified and studied one such wave of SMS subscription fraud attacks in Italy, where paid SMS subscriptions options are legal as long as the user consents.
In Italy, scammers deploy code through advertising channels like banner ads or numerous catchy video advertisements that don’t seem to have anything to do with a paid SMS subscription, or prompt a user to subscribe to a list. But if and when a user clicks on the ad – whether intentionally or not – the scammers’ code is deployed.
What are the types of SMS fraud?
Smishing scams
“Smishing” is a combination of two words: phishing and SMS. In traditional phishing, criminals use emails (sometimes using an email that looks like that of someone the victim knows, and sometimes using generic email addresses) to try to trick victims to click on a malicious link. Smishing does the same thing using a text message instead of an email.
Like phishing, smishing attempts usually try to steal personal information from victims. In some cases, when the user opens the link sent in the text message, malware is installed on the phone. The malware is then used to extract sensitive info from your user accounts.
In other cases, the link in the text message leads to a site that looks legit, and may even include things like generic privacy policy statements in the fine print assuring users that the site provides identity theft protection. However, this is just a guise. On the site the user is encouraged to share sensitive information, anything from a simple phone number to the international mobile equipment identity number of your phone. In some cases, the site claims they will receive a free gift when they share their information, and in other cases, the entire campaign is disguised to look like it comes from a trusted company like Google or Microsoft.
Smishing scam text messages often claim to be from your bank and use sophisticated tactics to get you to share personal information. They may look like fraud alerts from the bank, and ask you to verify personal or financial information such as your account or ATM number. Providing the information is equivalent to handing thieves the keys to your bank balance.
Malicious Android apps and fake apps
Threat actors often use a malicious app to scam victims, primarily Android users into signing up for a bogus premium SMS subscription service that leads to big charges on their phone bill. The app’s advertised purpose usually has nothing to do with the SMS subscription, and therefore the scam apps often make it into official app stores like Google Play Store. The malicious apps’ advertised features include things like custom keyboards, QR code scanners, photo editors and camera filters, spam call blockers, spam protection, games, and more.
The same fake app often has thousands of downloads in the Google Play Store, making it look legit to victims. That’s why it’s always important to do research on new apps. If they have numerous negative reviews in the Play Store, or make it difficult to access basic developer profiles, it’s probably better to stay away, even if they appear as the first apps in a category. You definitely don’t want to provide personal or like your phone number without reading the fine print.
Fraud flows
The deployed code forges the user’s consent to subscribe to a list in two different flows.
- The first flow has a deceptive type of content that pops up through display ads and relies on the user’s actual consent through a click. This flow deceives users who are not typically informed of the cost the subscription will incur.
- The second flow forges the mobile user’s consent – the user does not click to approve the premium services subscription, and their consent is forged seamlessly.
The signup mechanism for the service is similar in both options: obfuscated malicious code starts an automated billing process, where all required billing information is requested from the mobile supplier and submitted to the billing company. The code makes sure that the information is submitted in a human-like rhythm, in order to avoid detection and bypass anti-fraud control.
The result is a form that is created by the code and includes all required information, and an automated submission is then launched. The code then sends the form to the user informing them they’ve been subscribed and will be charged accordingly.
Many users assume this is a harmless mistake, or possibly the first step of a phishing scam, and they dismiss the SMS. In reality, they’ve already been scammed, and they’ll continue to be scammed unless they initiate contact with their mobile provider.
Some of these messages come with a disclaimer that they can be stopped simply by texting the word “STOP” back to the recipient. Those disclaimers are not to be trusted—they are simply part of the scam text designed to deceive users.
SMS fraud detection
Detecting premium SMS fraud can be a challenge. If you detect a premium SMS scam campaign, you can report it to official channels or to a government agency like the Federal Communications Commission or Federal Trade Commission. They may need information like the country area code or a phone number that you can extract from the caller ID. However, while that may help block the specific scam, it won’t protect you from further sms subscriptions options from different phone numbers.
One of the best ways to detect SMS fraud is by identifying the ad campaigns that lead to them. For example, if an ad campaign leads to landing pages that are on a blocklist, or contain suspicious text or images, it’s important to block them before users are exposed to them. But blocking isn’t enough. Publishers need a tool like GeoEdge to detect the ads for SMS fraud in real time, and replace them with legit ads so they don’t lose revenue on their ad inventory.
Messaging fraud solution
Other than blocking the campaigns before users are exposed to them, the best way for an individual user to combat SMS fraud is to monitor your bill and stay in contact with your provider. In addition, don’t give out personal information on links via SMS, no matter how convincing the message is.
GeoEdge is also monitoring this issue closely – so stay tuned for more recommendations and guidance.
