Team Confiant

Stopping wapSiphone: A Malvertising Threat to Mobile Devices

Threat actors are always developing creative new ways to circumvent obstacles that block their access to user data, resulting in a rapidly evolving threat landscape that targets both mobile and desktop environments. Through our work with Protected Media, Confiant uncovered a new malvertising threat actor that leverages mobile in-app advertisements to charge victims a small monthly fee to their mobile phone bill – simply by loading an ad on the victim’s device.

We believe that these attacks, coming from an attacker we have named “wapSiphone,” deserve increased attention as a malvertising attack vector for several reasons:

  • Compared to forced redirects, these silent attacks require no action from the user, enabling them to go unnoticed.
  • The attack results in new monthly charges to a phone bill that are so small, many victims won’t notice that they are being stolen from.
  • These attacks completely bypass corporations, choosing to target the wallets of consumers directly.

Because the technology leveraged for these attacks is no longer used in most countries, attackers target victims with mobile carriers located in Mexico, Iran, and the United Arab Emirates.

Modern WAP Billing Fraud Technologies

Imagine you are enjoying one of your favorite mobile games and an ad appears between rounds. As most people do, you let the ad run without clicking on it so you can continue playing your game. You would think nothing of this scenario at the time, but when that particular ad appeared, the attacker behind the ad also ran code to collect your Mobile Station International Subscriber Directory Number (MSISDN). Once the hackers have your MSISDN, which includes a country code and a number that identifies your mobile carrier, they can add new third-party charges to your monthly phone bill.

This situation is made possible because multiple carriers located in countries like Mexico, Iran, and the UAE make the MSISDN more readily available when someone requests it over HTTP. These attackers use display ads as a vehicle to send MSISDN lookup requests to the carriers. Once the attackers have the MSISDN, they can take advantage of outdated WAP billing schemes to charge the consumer small monthly fees that often go unnoticed for long periods, if they are noticed at all.

WAP billing is still popular on certain carriers, but dated compared to most American/European standards. The technology enables one-click purchases that bypass the need for a username, password, or payment card. The consumer receives whatever they purchase (often a ringtone, downloadable app, game, etc.) immediately after just one click, without having to enter payment information. Because WAP billing lacks transparency and security for the consumer, and because of its well-documented history of abuse, usage has steeply declined in most parts of the world since the mid-2000s. However, some regional carriers still support WAP billing, so it remains appealing to malicious actors as a simple and effective way to charge consumers.

Protect Audiences from Mobile Malvertisers

wapSiphone represents a dated fraud technique that adds an interesting spin by targeting mobile in-app ads. As wapSiphone evolves, these attacks could expand to target additional regions, as well as leverage display ads that appear on digital publisher sites throughout the mobile web.

To protect audiences from new and evolving threats like wapSiphone, publishers and app developers should consider integrating with an ad security and ad quality solution. We recently released our real-time ad verification solution to app developers to help them safeguard their audiences, reputation, and revenue streams by automatically identifying and blocking malicious and low-quality ads as they are served.

By working with Confiant, you’ll gain a strategic partner whose forward-thinking research and industry expertise have been recognized by Forbes [1], Google [2], and the UK government [3]. Earlier this year, Confiant was widely praised for uncovering a new threat to the industry called FizzCore that blurs the lines between malvertising and deceptive ads. In fact, Confiant identified that FizzCore and wapSiphone send their ads through some of the same obscure ad platforms like RTBTradeIn and DecenterAds.

To learn more about other active threat actors, download Confiant’s Demand Quality Report.

If you are ready to put Confiant to the test, request a free demo of Confiant’s Ad Security & Quality solution.


Sources

1. https://www.forbes.com/sites/johnkoetsier/2020/05/20/hackers-using-20-year-old-tech-to-steal--via-your-phone-bill/#1e3f44596c0d

2. https://blog.malwarebytes.com/threat-analysis/2020/01/woof-locker-stealthy-browser-locker-tech-support-scam/

3. https://www.gov.uk/government/publications/mapping-online-advertising-issues-and-the-industry-and-regulatory-initiatives-aimed-at-addressing-them