A MyBroadband investigation in September revealed that WASPs continue to subscribe South African mobile users to content services without their permission or knowledge.
As soon as Vodacom and MTN implement measures to prevent fraudulent transactions on their networks, the fraudsters find new ways to bypass these measures.
The simple solution to this problem is for Vodacom and MTN to block all WASP services by default, with the option of enabling them if needed.
However, the mobile operators stand to lose millions in revenue if they implement this solution, and to date this has not happened.
The Wireless Application Service Providers' Association (WASPA), which governs the WASP industry in South Africa, said measures have been put in place to minimise the occurrence of fraudulent activity.
WASPA said all WASPs are required to implement security measures to protect their systems and platforms, and to detect and mitigate against potential and fraudulent activity and attacks.
"We work closely with our members to monitor the market and to continuously adjust and improve to stay up to date with the newest trends in a dynamic and ever-changing environment," WASPA said.
WASPA has provided an overview of the methods that criminals use to attack mobile subscribers, which their members should protect mobile users from.
Clickjacking
With clickjacking, an attacker tricks a user into clicking on a button or link on another page loaded in a <frame> or an <iframe>.
The user intends to click on the visible page, but the browser registers the click on the transparent page above or below the visible page.
Thus, the attacker is "hijacking" clicks and routing them to another page, most likely owned by another application, domain, or both.
Clickjacking occurs when a user browses websites in a mobile browser. Typically, the user's experience would be as follows:
User clicks on an advert while browsing the web on a mobile device.
User is taken to a pre-lander or landing page displaying a "call-to-action".
User clicks on the "call-to-action" expecting to see a video or be directed to some other content.
User is subscribed without seeing the network-hosted confirmation page.
SMS fraud
With SMS fraud, a harmful application charges users to send a premium SMS without their consent, or by disguising its SMS activities by hiding disclosure agreements or SMS messages from the mobile operator notifying the user of charges, or confirming subscriptions.
Some apps, even though they technically disclose SMS sending behaviour, introduce additional tricks that accommodate SMS fraud.
Examples of this include hiding any parts of a disclosure agreement from the user, making them unreadable, and conditionally suppressing SMS messages the mobile operator sends to inform the user of charges or to confirm subscription.
Call fraud
Call fraud is committed by harmful applications that add charges to a user's mobile bill by making costly calls without informing them first.
Toll fraud
With toll fraud, a rogue application tricks users into subscribing or purchasing content via their mobile phone bill.
Toll fraud includes any type of billing except Premium SMS and premium calls. Examples of this include: Direct Carrier Billing; WAP (Wireless Access Point); or Mobile Airtime Transfer.
WAP fraud is one of the most prevalent types of toll fraud. WAP fraud can include tricking users into clicking a button on a silently loaded, transparent WebView.
Upon performing the action, a recurring subscription is initiated, and the confirmation SMS or email is often hijacked to prevent users from noticing the financial transaction.
SMS subscription example
The screenshots below show an example of how users are tricked into subscribing to a WASP service.
The user received this SMS, with the promise of a R3,700 coupon.
The user clicked on the URL, but was directed to a blank page. Soon thereafter, an opt-in SMS was received. The user replied Yes.
After replying Yes, the user was subscribed to a R7-per-day SMS service. Thereafter, the user was redirected to a coupon page.
The user was then redirected to a gift card page.
The user was asked for their ID or driver's licence to continue.
The user was notified that they were subscribed to a R7-per-day service.
