BEWARE: Operator run charge-to-bill SCAM affecting 3G/4G browsing on Friday nights

Captain Jack Sparrow

I've already posted this on a BlackBerry specific forum. I can't link it as per forum rules, but if this saves even one person from getting scammed, then it was worth re-posting here.

Firstly, to be clear, this can affect any mobile data 3G/4G web browsing on any type of device. In this case, it happened to me on a BlackBerry Z10. It also has previously happened to me on an iPhone 4S. As far as I know, this does NOT affect browsing over Wi-Fi unless you're using a "Personal hotspot".

This is going to be a long post, so please read this carefully.

The scam works as follows:
A webpage which has ads inserted via an ad network could forcibly redirect to a webpage which immediately charges directly to your phone bill or debits your credit. Granted, most web ads and popups are harmless, but this kind of thing shouldn't be allowed to happen.

This scam is operated by the "big 4" UK networks: EE, Vodafone, O2 and Three. It is facilitated by a backend service called "PayForIt" (external link) which can charge directly to a user's phone bill or credit without any type of authorization.

When using PayForIt, a clear webpage should be shown informing the user that proceeding will result in a charge to their phone bill. This should also clearly show the amount which will be charged. Scammers take advantage of this system by disguising the proceed button as another element such as an invisible button covering the whole page, so that clicking or tapping anywhere will result in a charge being made. All they have to do now is simply hide the PayForIt confirmation elements behind other webpage elements, so that they aren't visible.

However, as of recent, it seems that the crooks are now including JavaScript code which will automatically simulate the victim clicking or tapping on the proceed button without any user intervention, causing victims to get charged, simply for landing on a maliciously crafted webpage. This usually happens on a Friday night, and I'll explain why later.

I have been duped by this scam. It has happened before, but that was only a one-off charge so I let it slide. I called my operator, and requested that a £0.00 spending limit be placed on my account in the hopes of preventing this from happening again. They confirmed that this has been successfully applied, and will be effective immediately. But this didn't seem to mean anything, because it happened again anyway, completely bypassing the £0.00 spending limit on my account. Only this time, I have been forcibly subscribed to a £4.50 per week service without my consent.

IMG_20160806_004129.webp IMG_20160806_013744.webp

Now I know that posting phone numbers is normally against the rules, but this is a company contact number, and I hope you'll grant me a one time exception so that I can name and shame the poor excuse of a company "TapVids" as well as my operator, Three.

The second screenshot shows that a £4.50 charge has indeed been made to my phone bill. And of course, when attempting to send STOP to 64055, I get "Unidentified subscriber". Did you really think it would be that easy?!

IMG_20160806_011700.webp

My first step is to halt Three's Direct Debit on my account. This will be effective on Monday. I will not pay any further bills until this matter is resolved to my satisfaction.

My next step is to contact the number shown on the text. The reason this usually happens on a Friday night is because their "customer services", as well as your operator's customer services are typically closed until Monday. This means that they can bill you AGAIN for next week before you have a chance to dispute it! Therefore, it results in each poor sucker getting billed a minimum of £9. I'll have to wait until Monday before calling that number and demanding a refund.

If I am unable to get a refund from this service, then I will inform my operator, and demand a refund from them. If I am still unable to get a refund from them, then I will tell them that I am leaving them at the end of the month (no contract) and will not be paying the final bill until this matter is resolved.

Finally, as a last resort, I will register a complaint to PhonepayPlus (external link), and prepare to take both Three and TapVids to the small claims court.
I'll probably register a complaint about TapVids to PhonepayPlus anyway purely for abusing the (let's face it, horrifically flawed) PayForIt system.

I checked out the shortcode number on PhonepayPlus.

IMG_20160806_005420.webp

Notice how this service has only been active for less than a month. Are these kinds of services set up and operated until PhonepayPlus closes them down (which probably doesn't take very long), and then a fresh one is set up? Additionally, it states that the service is currently operating.
Why doesn't the STOP shortcode work then?

This is so out of order, if I went to a supermarket, bought my goods and paid, then noticed items on the receipt which I had not bought, but still had paid for, I'd dispute it immediately and would most likely get a refund. Here, they're not making it easy.

----- THE NEXT DAY -----

People think I'm visiting "shady websites". What exactly constitutes a shady site? The website I was visiting was a technology news blog which I frequently visit on my PC (although we have a commercial web filtering proxy which is very good at blocking adverts). Again, I can't link the website in question as per forum rules.

On my BlackBerry, I scroll down the page, suddenly an advert fills the page and opens 3 additional popup windows. I quickly close them all, and 5 minutes later, I receive the text message shown at the top of this thread.

I've now installed the latest Firefox APK directly from Firefox, which seems to work, but does not run very well on my BlackBerry. I also installed the AdBlockPlus extension along with it. Hopefully this will reduce the chances of it happening again.

I called Three's customer services. They tried everything they could to get the charges cancelled, but were unable to do so. I have now given 30 days notice to terminate my plan with them. They were not happy about this, and offered to change my phone number. While this would stop any further charges from this specific service, it'll probably still happen again, but with a different fraudulent service. With this in mind, I declined and asked to leave them. I also requested to initiate a formal complaint against them.

I will be calling TapVids on Monday in a three-way call with Three to demand a refund from them. Failing that then I will immediately terminate my operator's direct debit on my account, and only pay the final bill amount excluding the fraudulent charges. They can chase me for £4.50 - £9 if they like. They're not getting it.

Regardless of the outcome, I will also raise a formal complaint with PhonepayPlus, the regulator of UK premium phone services, and inform them that TapVids are abusing the PayForIt system.

My last resort is legal action against TapVids for billing me for a service which I didn't want, nor ask for, and also against Three for not providing adequate safeguards to stop this from happening, despite claiming that they would do so.

If anybody else here has been caught by this, please - DO NOT SUFFER IN SILENCE, fight these crooks, as well as your operator and share your experiences here.

- Capt. Jack Sparrow.
 
People think I'm visiting "shady websites".


I think that is people's general response when somebody gets scammed or malware / virus. My brother for years wouldn't install an AV on his PC because he didn't visit shady websites.
 
I think that is people's general response when somebody gets scammed or malware / virus. My brother for years wouldn't install an AV on his PC because he didn't visit shady websites.
And I bet he still got infected eventually.

You'll have to trust me on this one. I'm not actually aware of any type of mobile malware which can infect the BlackBerry 10 OS. Its user base is so small, it wouldn't be worth programming any. Most mobile malware targets Android devices and jailbroken iPhones.

This was done completely out of the blue from within the browser, and is fully automated. There was no way to stop it, besides closing the popups quickly, but I guess I wasn't quick enough.

- Capt. Jack Sparrow.
 
That's pretty scary - I'm going to be very interested to see what happens when other people start googling for the problem and come across this scam thread. I hope not too many people have been caught out, but if it managed to get you then I guess it can happen to anyone.

Keep us posted on what they say on Monday! Fingers crossed for you :).
 
That's awful, sorry to hear this happened to you :( Makes me wonder how many other people have been unwilling victims...

I hope you manage to get your money back. :nod:
 
Thanks for the heads up Captain Jack, and I hope that you get your dosh back
 
@Captain Jack Sparrow - I was just wondering whether you have thought of contacting Action Fraud: http://www.actionfraud.police.uk/ who are, as you may already know, the UK's National Fraud and Cyber Crime Reporting Centre. A person writing on the Money Saving Expert forums, (linky) managed to get a refund, after reporting a very similar scam to them.

Just a thought, in case you need to take matters a little further. But good luck with your phone-meeting tomorrow.
 
@Captain Jack Sparrow - I was just wondering whether you have thought of contacting Action Fraud: http://www.actionfraud.police.uk/ who are, as you may already know, the UK's National Fraud and Cyber Crime Reporting Centre. A person writing on the Money Saving Expert forums, (linky) managed to get a refund, after reporting a very similar scam to them.
Thanks, I've just reported it anyway to them regardless of the outcome. Will see how it goes tomorrow with Three and TapVids.

I'm actually worried that Three may now refuse to help me any further now that I've given them the 30 days notice to terminate my plan... perhaps I should have done that after this was sorted! ;)

- Capt. Jack Sparrow.
 
That's pretty scary - I'm going to be very interested to see what happens when other people start googling for the problem and come across this scam thread. I hope not too many people have been caught out, but if it managed to get you then I guess it can happen to anyone.
Ian, it pains me to write this, but a quick Google Search for "PayForIt" scam reveals that this has happened to a large amount of people, based on the amount of similar forum discussions returned, in some instances, going all the way back to 2007!

- Capt. Jack Sparrow.
 
Here's some information from my operator's website about the PayforIT mobile payment system. I have edited this in a satirical manner to make it more truthful.

PayforIT

PayforIT is the safest most insecure way to buy products and services through your phone. PayforIT makes sure you don't know what you're buying, who you're buying from and how much it'll cost, until after you have PaidforIT.

PayforIT has been created by all the mobile phone companies and uses accredited Service Providers cowboys who manage the payments. It's the quickest and most insecure way to buy products or services between 1p and £10 from other companies’ websites on your phone.

PayforIT is (at least) a two-step fully automated process. On the first screen, you'll see the item's name, its cost, the name of the provider and any other relevant information, along with a buy button. On the second screen you'll be asked to confirm that you want to make the purchase. You won't actually see any of these screens, the purchase will be automatically completed, regardless of whether you wanted it to or not. You might not even be aware that the purchase has taken place until after you have been charged.

----- END OF SATIRE -----

On a serious note, when using PayforIT, you're supposed to see two payment confirmation screens (which of course, are not served over HTTPS):
(Images from Three's website)

new_payovermobiledata_01.webp new_payovermobiledata_02.webp

And if you choose to continue and press the confirm button, you'll see a payment received confirmation screen:

new_screen_confirmation.webp

This is how PayforIT would ideally be used. But notice how no authorization nor authentication actually takes place, other than clicking a green confirm button. This action is not traceable, so you cannot tell the difference between a user manually activating this button by clicking or tapping it, or a script automatically activating the button on behalf of the user.

As the connection is not secured via HTTPS, it is possible to modify the page easily. You could CSS poison the confirm button to make it look like a blank page, which is clickable anywhere. In this case, clicking or tapping anywhere on the page will activate the confirm button, resulting in a charge. Or you could overlay other webpage elements above this confirmation screen (such as also making it look like a blank page), and use a little JavaScript to automatically activate the confirm button. Here, a charge will take place simply for opening this webpage.

Congratulations! You've successfully performed a "get rich quick" scam! If it really is that easy, perhaps I should set up something like this and sell text-tone style recordings of me saying various phrases... :lol:

You'll hear back from me later today about how it goes with the operator, and the scam "company".

- Capt. Jack Sparrow.
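
An added example, not part of the original post and not PayforIT's or any operator's code: one way a charge-to-bill confirmation could demand something a hidden or scripted click cannot supply, here a one-time PIN sent by SMS, alongside response headers that stop the confirmation page being framed by another site. The class, the `sendSms` callback, the PIN lifetime and the attempt limit are assumptions made for illustration.

```javascript
// Added example (constructed): a billing confirmation that a click alone cannot complete.
const crypto = require('crypto');

const PIN_TTL_MS = 5 * 60 * 1000; // assumed: PIN valid for five minutes
const MAX_ATTEMPTS = 3;           // assumed: request is dropped after 3 wrong PINs

// Headers for the confirmation page: HTTPS only, never framed, never cached.
function confirmationPageHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
    'Strict-Transport-Security': 'max-age=31536000',
    'Cache-Control': 'no-store',
  };
}

class ChargeConfirmations {
  constructor(sendSms, now = () => Date.now()) {
    this.sendSms = sendSms;   // hypothetical SMS gateway callback (to, text)
    this.now = now;           // injectable clock, so expiry can be tested
    this.pending = new Map(); // requestId -> pending charge
  }

  // Step 1: a merchant page asks for a charge. Nothing is billed yet.
  request(msisdn, merchant, pence) {
    const requestId = crypto.randomBytes(16).toString('hex');
    const pin = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
    this.pending.set(requestId, {
      msisdn, merchant, pence, attempts: 0,
      expires: this.now() + PIN_TTL_MS,
      // Hashing gives fixed-length buffers for the constant-time compare below.
      pinHash: crypto.createHash('sha256').update(requestId + pin).digest(),
    });
    const amount = (pence / 100).toFixed(2);
    this.sendSms(msisdn, `${merchant} wants to charge £${amount}. PIN: ${pin}`);
    return requestId;
  }

  // Step 2: billing happens only if the PIN from the SMS is supplied.
  confirm(requestId, pin) {
    const p = this.pending.get(requestId);
    if (!p) return { charged: false, reason: 'unknown-request' };
    if (this.now() > p.expires) {
      this.pending.delete(requestId);
      return { charged: false, reason: 'expired' };
    }
    const given = crypto.createHash('sha256')
      .update(requestId + String(pin)).digest();
    if (!crypto.timingSafeEqual(given, p.pinHash)) {
      if (++p.attempts >= MAX_ATTEMPTS) this.pending.delete(requestId);
      return { charged: false, reason: 'bad-pin' };
    }
    this.pending.delete(requestId); // single use: a replay finds nothing
    return { charged: true, msisdn: p.msisdn, merchant: p.merchant, pence: p.pence };
  }
}
```
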
 
Monday's update...

Three, my network operator, have now U-turned on their promise to help me deal with the company making the charges. I now have to deal with the company directly. Three have presumably done this because I have given 30 days notice to leave the operator. Perhaps I should have done that after this was sorted.

I called the number on the original text I received, and spoke to a reasonably well spoken woman. The company identified themselves as txtNation. I was able to get them to forcibly unsubscribe me from the TapVids service.
However, txtNation are a billing company, and don't actually provide the TapVids service. They told me that they cannot directly process a refund, and must pass this onto the TapVids service who will contact me within two working days. I don't have much faith in that to be honest.

Here are more screenshots of the text messages I received from Three, PayforIT and txtNation's customer services...

IMG_20160808_201051.webp IMG_20160808_201044.webp IMG_20160808_201036.webp IMG_20160808_195138.webp

Notice how the 64055 STOP shortcode is active but did not accept any STOP commands.
Also, the screenshots show that the subscription via PayforIT was not actually cancelled until 17:17 today, although I received confirmation from txtNation that it was cancelled at 14:18!
Finally, Three are "sorry that you've decided to leave" but are not making any attempt to keep me from leaving them. I don't want to leave Three, and it's going to be very difficult to find a new provider who can offer what Three can.

One of the screenshots posted mentions the TapVids website, the one which I was apparently subscribed to. I didn't censor the web link in the screenshot, so please be careful if you decide to visit the site.
DO NOT OPEN THE TAPVIDS WEBSITE VIA A MOBILE DATA CONNECTION!
If you do so anyway, YOU WILL BE CHARGED. Ensure that you are connected to a fixed line broadband connection if you want to investigate this website. NEITHER ME NOR PC REVIEW WILL BE RESPONSIBLE FOR ANY CHARGES.


I've found that the TapVids website is legitimate, and actually does what it says for £4.50 per week. However, I discovered that you don't actually need to subscribe to them to view the videos that they offer. The videos have most likely been leeched from YouTube.

The following screenshots and analysis were performed by visiting TapVids using a fixed line broadband connection, which cannot be billed via PayforIT.

Note that these are just screenshots, no click & subscribe scamming on the forums! :lol:

tapvids_paywall.webp

At first glance, TapVids appears to be just your run-of-the-mill premium rate video service subscription. The numbers shown here do coincide with information in the text messages that I received.

Next, I take a look at their Terms & Conditions.

tapvids_terms.webp


Looks like they've covered their backs pretty well when it comes to the legal lingo. :wall:
Let's click on the TapVids logo at the top to go back to the home page...
tapvids_member.webp
Wait - what's that? I'm apparently a member now, just for reading the Terms and Conditions? Hah, yeah right! :lol:

tapvids_video_categories.webp tapvids_video_browser.webp tapvids_video_player.webp

And sure enough, this lets me completely bypass the subscription paywall, I can now use the TapVids service as if I was actively subscribed to the service (which I am obviously not on this fixed line broadband connection).

The first of the three screenshots above shows the page I was directed to after clicking on the TapVids logo. As you can see, the video categories are very limited.
The next screenshot shows the type of videos in a certain category. I will admit, I've never seen any of these videos, but that's probably because I have not been keeping up with the latest viral videos as of recent.
And finally, the last screenshot is from a video which was playing, just to show that the site actually does work.

So maybe this isn't totally a scam. However, the method in which my phone number was subscribed to the service was not ethical.
Also, if you're gonna set up a website which has a subscription paywall, for the love of god, do it properly. If I could bypass the subscription paywall entirely just by adding "/member.php" to the address bar then everyone else can, and you're doing it wrong. There is no active user session checking, which is why this works.

It seems that the TapVids website has been quickly knocked together and although it does what it claims, the overly simplistic design and the paywall bypass method makes the site seem so amateur-like.

I feel sorry for people who have actually been tricked by this, and believe they have to pay £4.50 per week to get the latest viral videos when a quick search on YouTube would find them for free.

Time will tell whether txtNation actually call me back to discuss a refund. I'm not banking on it though. Will update this again in a couple of days.

- Capt. Jack Sparrow.
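
An added example, not part of the original post and not the site's code (which is PHP and is not shown in this thread): a members-only page that decides access from a signed session cookie and an active subscription rather than from the URL that was requested. The cookie name `sid`, the `/subscribe` redirect target and the session store layout are hypothetical.

```javascript
// Added example (constructed): gate a members page on a verified session
// and a paid-up subscription instead of trusting the requested path.
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32); // per-process signing key (assumption)

// Cookie value format: "<sessionId>.<hex HMAC-SHA256 of sessionId>".
function signSession(sessionId, key = SECRET) {
  const mac = crypto.createHmac('sha256', key).update(sessionId).digest('hex');
  return `${sessionId}.${mac}`;
}

// Pull one cookie out of a raw Cookie header.
function readCookie(header, name) {
  for (const part of (header || '').split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return v.join('=');
  }
  return null;
}

// Return the session id only if the MAC proves the server issued it.
function verifySession(cookieValue, key = SECRET) {
  if (!cookieValue) return null;
  const dot = cookieValue.lastIndexOf('.');
  if (dot <= 0) return null;
  const sessionId = cookieValue.slice(0, dot);
  const given = Buffer.from(cookieValue.slice(dot + 1), 'hex');
  const expected = crypto.createHmac('sha256', key).update(sessionId).digest();
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? sessionId : null;
}

// Decide what a request for the member page gets.
// `sessions` maps sessionId -> { subscriberId, paidUntil } (hypothetical store).
function authorizeMemberPage(req, sessions, now = Date.now()) {
  const sessionId = verifySession(readCookie(req.headers.cookie, 'sid'));
  const session = sessionId && sessions.get(sessionId);
  if (!session) {
    return { status: 302, location: '/subscribe', reason: 'no-session' };
  }
  if (session.paidUntil <= now) {
    return { status: 302, location: '/subscribe', reason: 'lapsed' };
  }
  return { status: 200, subscriberId: session.subscriberId };
}
```
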
 
Hey Captain Jack Sparrow,

Unfortunately I have been forcefully subscribed to the service as well. I'm usually browsing on the Internet via personal hotspot (Three) as my computer has a poor connection to the wifi at my place.

It's been on my nerves that this scam has charged me £4.50. I've sent a STOP message to the short code 64055 and received the message that I have been unsubscribed. It seems rather hard to trust these numbers as it is unknown who is running it and actually taking their word for it.

From what you've posted, it seems the best way would be calling the number on the receipt (Txtnation?) and get them to forcibly remove you from the subscription. I'll give them a call tomorrow and do just that. I'm really clueless at the moment so some headers would be great! Many thanks.

I'll keep you posted.
 

What a shady way to operate. I've never heard of this site / scam before but will keep a watchful eye on my browsing.

Jack: What site was it that got you into this mess at the start, you don't have to post direct link up but I'd be interested to know.

As for Three, well let's just say leaving them was the best thing I ever did. The only positive thing about them was the £13 a month for AYCE data (SIM only), when they pulled all their AYCE plans and told me that I'd have to pay £30 if I wanted the same plan I jumped ship to EE, £20 a month gets me 16GB (was a special at the time - it's £34 usually) and a much much more superior network with actually usable 4G speeds! I'm happy.
 
Sorry to hear that Three aren't helping any more, I really hope that txtNation gets back to you. I'll second what @V_R says about EE, it's a good provider and the people in the phone shops focus on customer service rather than being sales-driven which makes a huge difference!

@Hiheho sorry to hear this happened to you as well! Good luck with getting it resolved and welcome to the forum :)
 
I've stuck this thread for now for added visibility, as I have a feeling this kind of thing is going to become more and more of an issue.
 
I've called Txtnation and got them to unsubscribe me from any subscriptions which I might have, though I have yet to get the confirmation from PayForIt. I've called Three and they've also arranged a three-way call to TapVids that's been charging me. No surprise, the number says it's operating 9-5 Monday to Friday but nobody's on the line. I made a fuss about it and Three agreed to refund me the amount of £4.50 on my next bill.

Hopefully that would be the end of this nightmare. And no more surprise bills next week.

I'll file a legal complaint as well as these scams shouldn't have happened anymore. Keep you updated.
 
So both you guys are on the Three network. Time to dig out my tin foil hat....
 
I've called Txtnation and got them to unsubscribe me from any subscriptions which I might have, though I have yet to get the confirmation from PayForIt. I've called Three and they've also arranged a three-way call to TapVids that's been charging me. No surprise, the number says it's operating 9-5 Monday to Friday but nobody's on the line. I made a fuss about it and Three agreed to refund me the amount of £4.50 on my next bill.

Hopefully that would be the end of this nightmare. And no more surprise bills next week.

I'll file a legal complaint as well as these scams shouldn't have happened anymore. Keep you updated.
@Hiheho You got lucky with them. Three are refusing to refund, or even to help me dispute this charge. Even though Three refunded you, I'd still like you to give PhonepayPlus a call and raise a complaint against Tapvids/Txtnation/64055 shortcode. The more people who report them, the more likely they are to get investigated by PhonepayPlus, hence the more likely they'll get fined, and ordered to refund unsolicited charges.

Jack: What site was it that got you into this mess at the start, you don't have to post direct link up but I'd be interested to know.
@V_R, It was a WordPress music blog, cannot remember the name of it now, but I've since cleared the history. When scrolling down the page, an advert came into view, which then redirected to https://bc.vc/, a link shortener. This is a legitimate service but it uses ads to get revenue, and pay clients with. Then 3 popups appeared, which I closed quickly. But one of them must have had the malicious code in them which caused the charge.

So both you guys are on the Three network. Time to dig out my tin foil hat....
I've been with Three for 6 years. Purely because of unlimited data and fast 3G/4G download speed. I average 40GB-60GB of data in a month. My highest data usage ever recorded was about 800GB in a month, Three told me that I need to tone it down. I thought it was unlimited... right?!

Three did hike the price of unlimited data earlier in the year, my £13 plan increased to £20.

It's gonna kill me to find a new provider who can match this. AFAIK, GiffGaff is the only other UK operator who does offer unlimited data, also for £20 a month, but they'll throttle you after 6GB.

I'm going on holiday to the Canary Islands next week, which is why I was so desperate to get this sorted, and the fact that I am still having to deal with this is gonna ruin the holiday entirely and it'll also be very hard to call Three/Txtnation from there without incurring roaming charges. Not sure if it'll be covered with Three "Feel at Home" but will try nonetheless.

- Capt. Jack Sparrow.
 
Wow, 800GB! I have used GiffGaff in the past and they were pretty good, but my data usage was relatively low. Time to start making more use of WiFi! ;)
 