Home / Malware / Anatomy of a malware scam – Financial Times

Anatomy of a malware scam – Financial Times

Last summer, Alphaville fell victim to a scam.

We know this is what they all say, but honestly – it wasn’t our fault. The scam was the result of undetectable malware which signed us up for a “games service” via our Vodafone phone contract, and extracted cash from our bank account over several months in the process.

This was a small and briefly infuriating episode which we had largely forgotten about until the PSA Authority, a telecoms regulator who we speculatively complained to last year, recently emailed us with the news that the company providing the service had been fined.

The scam cost us about £27 in total, which we eventually recouped through refunds. But it also hit tens of thousands of other people. And the overall experience provides a glimpse, in an age of internet transactions, of the rising capacity of malicious software to get hold of our money.

So here’s what happened. (Technically, this only happened to one member of the Alphaville team, but there’s safety in numbers).


On June 8, 2018, we received a mysterious text message, which read as follows:

We had never heard of, never mind subscribed to, applicateka, or NRS. And at the time, replying STOP seemed like a worse strategy than ignoring the text, so we ignored it. The assumption, at the time, was that the risk of losing money was low unless we actually did something. That assumption turned out to be wrong.

A month later, the next text arrived: a “reminder” that we were subscribed. At this point, we thought it at least worth checking our Vodafone statement. And, lo and behold, we had been charged £4.50 in the month of June. In the July statement, the monthly bill was £60.27, compared to the normal rate of £42.27. We had been charged £4.50 a week; the additional £18 appeared in the “other” section:

So in June, we lost £4.50, in July, £18, and in August, another £4.50. We received a text on Monday 23 July from the NRS-Group, confirming that the service had been deactivated (even though we cancelled in July, the billing month ran from mid-July to mid-August), after our request.

Somewhere around this time, we endured a series of calls with Vodafone customer service, where we tried to explain that we had not signed up for this service, and asked for a refund. It emerged that Vodafone, by default, allows third-party charges on its contracts – often for charity donations, or entering radio competitions.

Vodafone customer service disagreed about the refund, and pointed us to NRS Group, who we duly contacted. In September, NRS Group sent the following email:

The company in question, seemingly based in Spain, appeared to provide “games services”, although we had absolutely no idea what these would be, given we had never played any games on this particular phone. Even though the amount of money was not enough to ruin us, it was at least equal to a round a pints in London (an entirely separate scam). So out of principle, we complained to the regulator, which we had up, until that point, never heard of.

The Phone-paid Services Authority (PSA) regulates content, goods and services charged to phone bills in the UK. As above, phone contracts take money from your bank account every month. They have the power to essentially use your bank account to purchase other services – such as games, or charitable donations. In theory, this should be done with your consent.

In November, we received a refund of £27 in our Vodafone bill, meaning we only paid £22.42 that month.

A year after the whole debacle, we received an email from the PSA, which said: “In response to your complaint about this service, the Executive commenced an investigation”. The subsequent decision of a panel was that the service was in breach of the “Code of Practice”. Net Real Solutions received a formal reprimand and a fine of £200,000, alongside various other requirements it had to meet.


What had actually happened? NRS had received over 700 complaints since early 2017. The PSA generously published a 50 page document on the case. You can read it in its entirety here. There are several moving parts, but the important point – at least based on our own experience – is the malware.

The report refers to the “Level 1” provider and the “Level 2” provider. At the top of the report, the following disclaimer appears: “The identities of some third parties referenced in this adjudication have been anonymised”. We understand, based on subsequent question, that the Level 1 provider is a company called mGage. This company connects the “merchant” (NRS Group) to the mobile network operator (in our case, Vodafone – though in this case customers of other mobile network operators were also affected).

The “level 2” provider, Net Real Solutions, or NRS, gave the following description of its service to the regulator. A user clicks on a banner advertising “hundreds of games”, and then goes through to the following page:

We did not recall clicking on this page. In fact, we’re pretty much certain we didn’t. And it turns out that, thankfully, we hadn’t gone insane. It was the malware. According to the PSA report, mGage provided the following explanation of how it worked:

The malware affected the customer’s website whereby it allowed the merchant to raise a request for a new service, at this point before the page was loaded, the malware intercepted the url to Consent page and change it effectively to create a successful subscription.

By doing this the malware enabled the request to skip the first two pages of the payment flow (call-to-action and confirm-action) and call the create action (this is where the subscription is created) directly.

In other words, the malware was able to subscribe people without their consent.

It turns out that 33,450 people were subscribed to the service between May and July 2018 (also when we were). At £4.50 a week, that’s a cool £150,000 a week, or £8m a year. mGage suspended the service at the end of July 2018.

In its published statements for the investigation, NRS blamed the problem on “affiliate marketing” with a company referred to in the document as “Affiliate 3”. mGage also blamed this affiliate, but this company is anonymous in the report. That affiliate had signed a contract with NRS in December 2015 which prohibited certain behaviour, including prohibitions around malware.

The report also mentions the word “refund” a few times. We were initially refused a refund, you’ll recall, after NRS falsely claimed that we had in fact signed up for the service. In October, we received two texts saying we’d been refunded £4.50 each on November 2, 2018. In our November bill, we got the whole £27 back.

This meant we were no longer down, but we’d gone through quite a few hours of unbearable phone calls, emailing, complaining and generally wandering around in a state of agitated fury.

NRS Group did not respond to a request for comment for this article. mGage did not respond to a request for comment either. Vodafone, however, did provide a long statement. It said: “Vodafone does not directly contract with ‘merchants’ such as the NRS Group but instead we work with contracted third parties, called Trusted Payment Intermediaries (TPI)”.

The spokesperson went on:

Whilst many of these providers offer valuable services from one-off donations to large charities to single purchases in mainstream App stores, unfortunately fraud does occur. We take the security and protection of our customers extremely seriously, and operate a comprehensive monitoring program to ensure that all third-party companies in the value chain keep strictly within the industry regulation. To this end, Vodafone instructed the TPI to suspend NRS in mid-July 2018 after a malware incident was detected by our program.

We’re no longer down on this, and given we’re now reporting on it, with ourselves as one of the primary sources, we’re happy to forgo any compensation for the time.

This article has been updated to clarify the refunds.

Related Links:
Anatomy of a cryptocurrency scam — FT Alphaville

Copyright The Financial Times Limited 2019. All rights reserved. You may share using our article tools. Please don’t cut articles from FT.com and redistribute by email or post to the web.

Source link


Check Also

Warning Issued After Bitcoin And Litecoin Wallets Targeted By Malware – Forbes

Share to facebook Share to twitter Share to linkedin Bitcoin and the wider cryptocurrency market’s …