Anatomy of a malware scam

Last summer, Alphaville fell victim to a scam.

We know this is what they all say, but honestly - it wasn’t our fault. The scam was the result of undetectable malware which signed us up for a “games service” via our Vodafone phone contract, and extracted cash from our bank account over several months in the process.

This was a small and briefly infuriating episode which we had largely forgotten about until the PSA Authority, a telecoms regulator who we speculatively complained to last year, recently emailed us with the news that the company providing the service had been fined.

The scam cost us about £27 in total, which we eventually recouped through refunds. But it also hit tens of thousands of other people. And the overall experience provides a glimpse, in an age of internet transactions, of the rising capacity of malicious software to get hold of our money.

So here’s what happened. (Technically, this only happened to one member of the Alphaville team, but there’s safety in numbers).

***

On June 8, 2018, we received a mysterious text message, which read as follows:

We had never heard of, never mind subscribed to, applicateka, or NRS. And at the time, replying STOP seemed like a worse strategy than ignoring the text, so we ignored it. The assumption, at the time, was that the risk of losing money was low unless we actually did something. That assumption turned out to be wrong.

A month later, the next text arrived: a “reminder” that we were subscribed. At this point, we thought it at least worth checking our Vodafone statement. And, lo and behold, we had been charged £4.50 in the month of June. In the July statement, the monthly bill was £60.27, compared to the normal rate of £42.27. We had been charged £4.50 a week; the additional £18 appeared in the “other” section:

So in June, we lost £4.50, in July, £18, and in August, another £4.50. We received a text on Monday 23 July from the NRS-Group, confirming that the service had been deactivated (even though we cancelled in July, the billing month ran from mid-July to mid-August), after our request.

Somewhere around this time, we endured a series of calls with Vodafone customer service, where we tried to explain that we had not signed up for this service, and asked for a refund. It emerged that Vodafone, by default, allows third-party charges on its contracts – often for charity donations, or entering radio competitions.

Vodafone customer service disagreed about the refund, and pointed us to NRS Group, who we duly contacted. In September, NRS Group sent the following email:

The company in question, seemingly based in Spain, appeared to provide “games services”, although we had absolutely no idea what these would be, given we had never played any games on this particular phone. Even though the amount of money was not enough to ruin us, it was at least equal to a round of pints in London (an entirely separate scam). So out of principle, we complained to the regulator, which we had, up until that point, never heard of.

The Phone-paid Services Authority (PSA) regulates content, goods and services charged to phone bills in the UK. As above, phone contracts take money from your bank account every month. They have the power to essentially use your bank account to purchase other services – such as games, or charitable donations. In theory, this should be done with your consent.

In November, we received a refund of £27 in our Vodafone bill, meaning we only paid £22.42 that month.

A year after the whole debacle, we received an email from the PSA, which said: “In response to your complaint about this service, the Executive commenced an investigation”. The subsequent decision of a panel was that the service was in breach of the “Code of Practice”. Net Real Solutions received a formal reprimand and a fine of £200,000, alongside various other requirements it had to meet.

***

What had actually happened? NRS had received over 700 complaints since early 2017. The PSA generously published a 50-page document on the case. You can read it in its entirety here. There are several moving parts, but the important point – at least based on our own experience – is the malware.

The report refers to the “Level 1” provider and the “Level 2” provider. At the top of the report, the following disclaimer appears: “The identities of some third parties referenced in this adjudication have been anonymised”. We understand, based on subsequent questions, that the Level 1 provider is a company called mGage. This company connects the “merchant” (NRS Group) to the mobile network operator (in our case, Vodafone – though in this case customers of other mobile network operators were also affected).

The “level 2” provider, Net Real Solutions, or NRS, gave the following description of its service to the regulator. A user clicks on a banner advertising “hundreds of games”, and then goes through to the following page:

We did not recall clicking on this page. In fact, we’re pretty much certain we didn’t. And it turns out that, thankfully, we hadn’t gone insane. It was the malware. According to the PSA report, mGage provided the following explanation of how it worked:

The malware affected the customer’s website whereby it allowed the merchant to raise a request for a new service, at this point before the page was loaded, the malware intercepted the url to Consent page and change it effectively to create a successful subscription.

By doing this the malware enabled the request to skip the first two pages of the payment flow (call-to-action and confirm-action) and call the create action (this is where the subscription is created) directly.

In other words, the malware was able to subscribe people without their consent.
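
The skipped pages point to the control that matters on the billing side: the create action should refuse any request that cannot prove the call-to-action and confirm-action steps were served and answered. The sketch below is an added example, not code from mGage, NRS or the PSA report; the class, method names, token format and phone number are assumptions. It closes only the skip-to-create path described above, not malware that drives the pages itself.

```python
import hashlib
import hmac
import secrets

# Step names come from the explanation quoted above; everything else here
# (class, methods, token format) is a hypothetical design for illustration.
STEPS = ("call-to-action", "confirm-action")


class ConsentFlow:
    """Intermediary-side gate: create succeeds only after both consent steps."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = set()          # sessions already turned into a subscription
        self.subscriptions = []     # (msisdn, session_id) pairs that were billed

    def _token(self, session_id: str, msisdn: str, step: str) -> str:
        # Bind the token to the session, the phone number and the step, so a
        # token cannot be moved to another subscriber or another stage.
        msg = "|".join((session_id, msisdn, step)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _check(self, session_id, msisdn, step, presented):
        expected = self._token(session_id, msisdn, step)
        if not hmac.compare_digest(expected, presented):
            raise PermissionError(f"no valid proof of {step}")

    def call_to_action(self, msisdn: str):
        """Page 1 is served: open a session and issue the first token."""
        session_id = secrets.token_hex(16)
        return session_id, self._token(session_id, msisdn, STEPS[0])

    def confirm_action(self, session_id: str, msisdn: str, cta_token: str) -> str:
        """Page 2 is answered: only reachable with a valid page-1 token."""
        self._check(session_id, msisdn, STEPS[0], cta_token)
        return self._token(session_id, msisdn, STEPS[1])

    def create(self, session_id: str, msisdn: str, confirm_token: str) -> bool:
        """Create the subscription, refusing skipped or replayed flows."""
        self._check(session_id, msisdn, STEPS[1], confirm_token)
        if session_id in self._used:
            raise PermissionError("consent already used for a subscription")
        self._used.add(session_id)
        self.subscriptions.append((msisdn, session_id))
        return True


def run_scenarios():
    """Run one genuine flow and the direct-create request; return outcomes."""
    flow = ConsentFlow(secrets.token_bytes(32))
    msisdn = "447700900123"  # constructed number, from a range reserved for drama use
    outcomes = {}

    sid, cta = flow.call_to_action(msisdn)
    confirm = flow.confirm_action(sid, msisdn, cta)
    outcomes["full_flow"] = flow.create(sid, msisdn, confirm)

    # The request shape described in the report: create called directly,
    # with no token from either consent page.
    try:
        flow.create(secrets.token_hex(16), msisdn, "")
        outcomes["direct_create"] = True
    except PermissionError:
        outcomes["direct_create"] = False

    outcomes["billed"] = len(flow.subscriptions)
    return outcomes


if __name__ == "__main__":
    print(run_scenarios())
```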

It turns out that 33,450 people were subscribed to the service between May and July 2018 (also when we were). At £4.50 a week, that’s a cool £150,000 a week, or £8m a year. mGage suspended the service at the end of July 2018.

In its published statements for the investigation, NRS blamed the problem on “affiliate marketing” with a company referred to in the document as “Affiliate 3”. mGage also blamed this affiliate, but this company is anonymous in the report. That affiliate had signed a contract with NRS in December 2015 which prohibited certain behaviour, including prohibitions around malware.

The report also mentions the word “refund” a few times. We were initially refused a refund, you’ll recall, after NRS falsely claimed that we had in fact signed up for the service. In October, we received two texts saying we’d been refunded £4.50 each on November 2, 2018. In our November bill, we got the whole £27 back.

This meant we were no longer down, but we’d gone through quite a few hours of unbearable phone calls, emailing, complaining and generally wandering around in a state of agitated fury.

NRS Group did not respond to a request for comment for this article. mGage did not respond to a request for comment either. Vodafone, however, did provide a long statement. It said: “Vodafone does not directly contract with ‘merchants’ such as the NRS Group but instead we work with contracted third parties, called Trusted Payment Intermediaries (TPI)”.

The spokesperson went on:

Whilst many of these providers offer valuable services from one-off donations to large charities to single purchases in mainstream App stores, unfortunately fraud does occur. We take the security and protection of our customers extremely seriously, and operate a comprehensive monitoring program to ensure that all third-party companies in the value chain keep strictly within the industry regulation. To this end, Vodafone instructed the TPI to suspend NRS in mid-July 2018 after a malware incident was detected by our program.

We’re no longer down on this, and given we’re now reporting on it, with ourselves as one of the primary sources, we’re happy to forgo any compensation for the time.

This article has been updated to clarify the refunds.

Related Links:
Anatomy of a cryptocurrency scam -- FT Alphaville

Copyright The Financial Times Limited 2019. All rights reserved. You may share using our article tools. Please don't cut articles from FT.com and redistribute by email or post to the web.
