Manipulated website buys abo for 3rd-party services on my mobile-providerLT

xundeenergie

I did some more checks.

My wife opened
ulrike-trebesius.de/
This site was hacked and redirects to:
expandwhomjackal.com/
The next site in the browser-history is
opticks.dimoco.me
which is marked as "Loading" in the browser history. And then finally the next site auto-opened was:
ua.forward-tv.live

And the abo which was automatically purchased is from "forward TV"

And what i've seen in my pihole (have a lot of blocklists loaded. especially for fraud/malware/spam/scam-sites. And the first one "expandwhomjackal.com" would be blocked by the pihole...
so obviously she was not in the WLAN at this moment.
And the vpn was already not configured at this moment, because i had no time before. The phone is very new. Just a few days here.

Yes... in this case a VPN or the wland would have protect my wife from this attack...

de0u

xundeenergie I am by no means an expert on WAP billing fraud... but can it be done via JavaScript code in a browser? For example, this ZDNet article seems to suggest a malicious app may be required.

de0u

xundeenergie I see some AOSP code in frameworks/base/packages/WAPPushManager related to receiving "WAP push" messages via SMS, but it doesn't appear to be built in GrapheneOS.

This is a recent-ish article from Microsoft describing how a malicious Android app might invoke WAP billing without a click: "Toll fraud malware: How an Android application can drain your wallet".

This article in a similar vein from 2017 ("WAP-billing Trojan-Clickers on rise") suggests that without an app it is necessary for a malicious web site to redirect to a carrier's web site and for the user to press a button on the carrier web site. Of course, new vulnerability pathways are uncovered from time to time.

23Sha-ger

xundeenergie Something downloaded and run by the browser could gather information about the phone-number and do a 3rd-party purchase from the browser.

Nothing like this happened unless you have some sort of autofill
in Vanadium, and then it will ask you to fill a form with data that
is available, such as name, phone, address, ZIP.

This cannot happen without consent.
Rest assured that a real vulnerability in Chromium that allows
to install unwanted software (remote code execution) is sold
for very large amounts, so no one will waste this to hack some
website and make unathorized fraud whatsoever.
Call your carrier and reverse the charge for whatever crap you
clicked on, and block billing and premium numbers/SMS.

xundeenergie

23Sha-ger
There is bitwarden password-manager installed. But it askes on every call from the browser to be unlocked manually.
No other autofill is configured in vanadium. It's standard installation.

Did i understand this correctly? Three possible ways:

a malicious app did the thing
a undocumented or unfixed vulnerability in chromium/vanadium which allows RCE
some attack on the phone explicitly with software, that can use such vulnerabilities

I called my phone-provider. And we get back the money (got the message today)

But... verified boot it enough to retrust the phone? If some remote code execution happened... i do not trust the phone any more...
for WAP billing a consent is mandatory.
My wife did not consent to anything, but the purchase was done.
So something else clicked the consent after opening a hacked website... what clicked it?

de0u

xundeenergie Did i understand this correctly? Three possible ways:

a malicious app did the thing

a undocumented or unfixed vulnerability in chromium/vanadium which allows RCE

some attack on the phone explicitly with software, that can use such vulnerabilities

Without video of an incident and an inventory of all installed apps it's hard to say. It is not clear those are the only options. In theory there might be an unknown vulnerability in some non-malicious installed app.

fernlike

xundeenergie Did i understand this correctly? Three possible ways:

a malicious app did the thing

a undocumented or unfixed vulnerability in chromium/vanadium which allows RCE

some attack on the phone explicitly with software, that can use such vulnerabilities

Or your wife accidentally tapped on the screen while on the malicious website. If all it takes is one click to approve a WAP billing purchase, then it would be super easy to do it without noticing. Especially if the button was disguised or invisible and covering the whole webpage (unless Vanadium protects against such things).

My point is that human error is almost always the most likely cause when there is a security breach.

Semiconductor

Hello xundeenergie,
When I first read your initial post, my though was "technically, this cannot be possible".
But after searching a bit on the internet, it looks to me as if not your wife's phone was compromised (nor is the browser), but she landed on a fraudulent website that uses so called "Clickjacking".
Apparently these companies abuse the option to buy additional services on your mobile phone by getting charged on your monthly mobile phone bill.
As you are from Austria, maybe this link is of interest for you:
https://www.verbraucherzentrale.de/wissen/digitale-welt/mobilfunk-und-festnetz/drittanbietersperre-schutz-vor-ungewollten-abos-12613
Normally, if such a company (in German they are called "Drittanbieter", not sure whether in English you call it "3rd Party provider" or something like that?) want to sell you something by charging your mobile phone bill, they explicitly have to ask you for your consent ("are you sure?").
What apparently happens is, that they camouflage the window "click here for useless subscription for insane amount" with an overlay, that may for instance look exactly like a utube video playback window. As the feedback dialogue ("are you sure"?) may be suppressed, by clicking twice (because the video playback did not start for obvious reason) you already have "signed a contract" without noticing it.
Interestingly, many of the subscriptions offered by those questionable companies, ccording to the Internet basically are useless as they do not offer any value added service that is worth it. So it seems their primary goal is to get other people's money.
I have to thank you for sharing this topic. I logged into my Mobile provider account and checked the section "Drittanbieter" (3rd party payment provider) and now have disabled (almost) all of them. At T-Mobile you can blacklist them all, whitelist some specifically or check for every 3rd party payment provider individually. In case of doubt, disabling this service in general seems a good idea to me. Looking at the long, long list of these companies over there brings me to the impression, that this is still a sort of lucrative backdoor at many mobile provider.
If anyone has further/different information feel free to share. To me it looks as if fraudulent 3rd party payments still are a thing in nowadays.

avaluedcustomer

Semiconductor I have to thank you for sharing this topic. I logged into my Mobile provider account and checked the section "Drittanbieter" (3rd party payment provider) and now have disabled (almost) all of them.

Same here. The post got me to check this.
Interesting enough, my provider (in Germany) has disabled this permanently with no option to enable it at all.

I guess they simply don't want to deal with any problems that stem from this way of paying (e.g. precisely the situation the OP ran into)

MineralWater

dc32f0cfe84def651e0e
That is not how this billing process works. It's tied to the telephone number on the sim, the billing process is handled via the cell network.

The IP is completely unimportant here.

« Previous Page