NEWS FROM THE LAB - Friday, July 31, 2009

Received an SMS message from a service number with a link in it?
Posted by Jarno @ 08:06 GMT

It has been a while since we posted about SMS spam [older article, follow-up].

Now we have heard of new incidents involving a money scam. The scam works by the user receiving an innocent-looking web page link over SMS, along with social engineering text that makes the user curious enough to click the link.

If the user opens the link in the phone's web browser, he will get a page informing him that he has just registered to a service, one which will automatically cost some euros per month. At this point our user obviously decides the SMS message is spam and closes his phone web browser without clicking anything.

And normally this would be the end of it, as our user did not enter any personal information the spam company can use to identify him and send him the bill.

However, in this particular case things work a bit differently. Even though the user did not enter any information about himself, he will still get a charge on his phone bill, as he was subscribed to a premium content service.

How did that happen?

The key to how this scam works is the browser in the phone. By default, web browsers in phones are set to use a WAP gateway to get on the Internet. A WAP gateway is a way to identify the customer online, and it provides billing information for the service. Thus just visiting a page with the phone web browser over a WAP connection is enough to give a less-than-honest company enough information to issue a charge that will be automatically added to the user's phone bill.

Whether this practice is legal depends on which country the user happens to live in, and as we are not lawyers we are not going to speculate further on that.

There is a very easy way to be safe from this kind of scam: just don't use the WAP gateway. Normally GSM service providers send Internet configuration messages that also contain access point settings that do not use the WAP gateway. To take the non-WAP access point into use, you need to search for an option in the phone web browser settings menu that says 'access point' or something similar and change this away from anything saying 'WAP services'.

The downside of not using a WAP gateway when accessing the web is that you will not be able to access premium content, if you are used to that; the positive side is that random websites will not be able to easily identify you.
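One way to check whether an access point still passes subscriber identity to websites is to capture the request the phone's browser sends to a test server you control and audit its headers. The following is an added example, not from the original post; the header names are ones some gateways have used (the post names none, and operators differ), and the sample requests, the phone number and the `X-Operator-Sub` header are constructed.

```python
import re

# Header names some gateways have used to pass subscriber identity to sites.
# Assumption: illustrative list only; the post names no headers.
KNOWN_ID_HEADERS = {"x-msisdn", "x-up-calling-line-id", "x-nokia-msisdn", "x-up-subno"}

# A value that is nothing but a phone-number-like digit string.
PHONE_LIKE = re.compile(r"^\+?\d{8,15}$")

def parse_request(raw):
    """Return {lowercased header name: value} from a raw HTTP request dump."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def identifying_headers(raw):
    """List (header, reason) pairs that could identify the subscriber."""
    findings = []
    for name, value in sorted(parse_request(raw).items()):
        if name in KNOWN_ID_HEADERS:
            findings.append((name, "known subscriber-identity header"))
        elif name != "content-length" and PHONE_LIKE.match(value):
            findings.append((name, "value looks like a phone number"))
    return findings

# Constructed capture: same page fetched through a WAP access point.
VIA_WAP_AP = """
GET /check HTTP/1.1
Host: example.test
User-Agent: ExamplePhoneBrowser/1.0
Accept: text/html
X-Up-Calling-Line-ID: 358400000000
X-Operator-Sub: +358400000000
"""

# Constructed capture: same page fetched through the plain Internet access point.
VIA_INTERNET_AP = """
GET /check HTTP/1.1
Host: example.test
User-Agent: ExamplePhoneBrowser/1.0
Accept: text/html
"""

if __name__ == "__main__":
    for label, raw in (("WAP", VIA_WAP_AP), ("Internet", VIA_INTERNET_AP)):
        print(label, identifying_headers(raw) or "no identifying headers")
```

An empty result for the non-WAP access point only covers the headers and value pattern checked here; it does not prove the operator adds no other identifier.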

Another option is to check whether your phone company allows you to set a block on premium rate billing and specify what kind of services you want to use. For example, most Finnish operators allow a user to specify that they want to use information services and public services such as SMS tram and metro tickets, but still block third-party entertainment services.