MyBroadband has received multiple reports from MTN subscribers in recent months stating they were subscribed to WASP services without their permission.
Investigating one of these reports unearthed a click-jacking attack which subscribed customers to WASP services.
MTN noted that fraudulent WASP subscriptions are a global problem and that the attacks originate outside MTN’s own network.
Following this, a test conducted by MyBroadband found that one of our test devices had been subscribed to a Fantasy Football content service without any input from us.
For the test, we loaded a prepaid SIM from each mobile operator with airtime and placed them in Nokia 5 smartphones, monitoring data usage and airtime depletion while they were inactive and connected to Wi-Fi.
Results showed the MTN SIM’s airtime balance decreased by R4.00 in a single day, and continued to fall as the test progressed.
The reason was that the SIM was subscribed to a WASP service – despite the device not receiving any SMS notifications of a WASP subscription and MTN’s main USSD menu stating there were no active content subscriptions.
In its initial response to the test, MTN stated that the number was fraudulently subscribed to the Fantasy Football WASP by a click-jacking attack – while the phone was off.
Click-jacking is a malicious technique in which an attacker places a hidden or transparent element over a web page so that a visitor’s click lands on it instead of on the visible content; the hidden element can then collect private information or confirm a WASP subscription on the visitor’s behalf.
The issue was investigated further and MyBroadband asked MTN for more feedback on the matter – this is what MTN had to say.
How it happened
Firstly, MTN noted that the subscription was initiated on the MTN number through a WAP request sent to one of the company’s billing platforms.
The content was activated by MTN’s programmatic media partner, Mobi Media.
“Unfortunately, part of the traffic being actively pushed to MTN’s programmatic media banners has malicious bots included in the traffic,” MTN SA executive for corporate affairs Jacqui O’Sullivan told MyBroadband.
“These bots mimic the behaviour of customers and have the ability to approve opt in and double opt in through web/WAP.”
O’Sullivan said MTN does not have the ability to check whether this traffic is malicious or legitimate.
She added that MTN has four unique USSD streams – one dedicated to each content platform it operates – and that dialing all the codes would have revealed the WASP subscription.
The four USSD codes are:
MyBroadband also asked MTN for the subscription request logs, how the MSISDN was obtained by the entity issuing the fraudulent request, whether this was a header enrichment-based attack instead of click-jacking, and why an SMS was not sent to the SIM in question upon subscription.
We also asked about the source of the attack.
The mobile operator provided MyBroadband with the Mobi Media log files detailing the subscription request and account creation, along with the publisher ID which filed the request.
The log files reflect a subscription request filed with MTN’s content platform on 26 August 2018.
Noticeably, there is no device ID listed in the request.
This points towards an attack by a bot which obtained the MSISDN of the MTN SIM and then supplied it in a forged copy of the header that the operator’s header enrichment normally injects, so that the billing platform treated the bot’s request as a subscription request from that subscriber.
MTN confirmed that header enrichment was used to facilitate the fraudulent subscription.
“The MSISDN was captured in website headers and that’s where a bot used header enrichment to spoof the MSISDN and in the process injected the MSISDN at random,” MTN said.
“There were attempts to deliver the SMS of successful subscription to the MSISDN, however the SMS was not delivered due to the device being unreachable, meaning switched off.”
“The traffic for this subscription has originated from an affiliate called Olimob. MTN only receives publisher ID and are therefore dependent on the ad network,” the company said.
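The mechanism MTN describes above, header enrichment and its spoofing, is easy to model. The following is an added example written for this article, not code from MTN, Mobi Media or any billing platform. The header name X-MSISDN, the proxy address range 10.10.0.0/16, the service and publisher identifiers and all sample requests are constructed assumptions. It contrasts a subscription handler that believes an MSISDN header from any client with one that only honours the header when the request arrived from the operator’s enrichment proxy, which in turn strips any MSISDN header the client tried to send.

```python
"""Model of MSISDN header enrichment at a WASP subscription endpoint.

Added example; header name, proxy range, identifiers and traffic are
assumptions for illustration, not any operator's real configuration.
"""
from ipaddress import ip_address, ip_network

MSISDN_HEADER = "X-MSISDN"                         # assumed header name
ENRICHMENT_PROXY_NET = ip_network("10.10.0.0/16")  # assumed proxy range
# Header names a client must never be allowed to set (assumed list).
FORBIDDEN_INBOUND = {MSISDN_HEADER.lower(), "x-up-calling-line-id"}


def carrier_enrich(client_headers, session_msisdn):
    """Model of the operator's enrichment proxy.

    Drops any MSISDN-bearing header the handset (or a bot on the mobile
    network) sent, then injects the MSISDN known from the data session.
    Only this hop is supposed to set the header.
    """
    cleaned = {k: v for k, v in client_headers.items()
               if k.lower() not in FORBIDDEN_INBOUND}
    cleaned[MSISDN_HEADER] = session_msisdn
    return cleaned


class SubscriptionPlatform:
    """Toy content platform that records (msisdn, service, publisher_id)."""

    def __init__(self):
        self.subscriptions = []

    def subscribe_naive(self, headers, peer_ip, service, publisher_id):
        """Vulnerable: trusts X-MSISDN no matter who sent the request."""
        msisdn = headers.get(MSISDN_HEADER)
        if not msisdn:
            return "no-msisdn"
        self.subscriptions.append((msisdn, service, publisher_id))
        return "subscribed"

    def subscribe_hardened(self, headers, peer_ip, service, publisher_id):
        """Hardened: the header only counts if the TCP peer is the
        operator's enrichment proxy, which has already stripped any
        client-supplied copy."""
        if ip_address(peer_ip) not in ENRICHMENT_PROXY_NET:
            return "rejected-untrusted-peer"
        msisdn = headers.get(MSISDN_HEADER)
        if not msisdn:
            return "no-msisdn"
        self.subscriptions.append((msisdn, service, publisher_id))
        return "subscribed"


def run_demo():
    """Replay constructed traffic against both handlers."""
    # A bot on the internet forges the enrichment header with a guessed MSISDN.
    bot_request = {"User-Agent": "Mozilla/5.0", MSISDN_HEADER: "27831234567"}
    bot_peer = "203.0.113.7"  # affiliate/ad-network side, not the carrier proxy

    # A real handset on mobile data, which also tries to smuggle a header in;
    # the proxy strips it and injects the session's true MSISDN.
    handset_request = carrier_enrich(
        {"User-Agent": "Nokia5", MSISDN_HEADER: "27839999999"},
        session_msisdn="27837654321",
    )
    proxy_peer = "10.10.4.2"

    naive, hardened = SubscriptionPlatform(), SubscriptionPlatform()
    results = {
        "naive_bot": naive.subscribe_naive(
            bot_request, bot_peer, "fantasy-football", "pub-42"),
        "hardened_bot": hardened.subscribe_hardened(
            bot_request, bot_peer, "fantasy-football", "pub-42"),
        "hardened_handset": hardened.subscribe_hardened(
            handset_request, proxy_peer, "fantasy-football", "pub-42"),
    }
    return results, naive.subscriptions, hardened.subscriptions


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The naive platform bills whichever MSISDN the bot chose to put in the header, which is exactly the random injection MTN describes. The hardened platform rejects the bot because its request never passed through the proxy, and the handset can only subscribe the MSISDN of its own data session because the proxy overwrites the header. Note that the peer check assumes the billing endpoint is not reachable directly from the internet with the header intact; an affiliate that relays requests through the operator network would still need a second control, such as a confirmation SMS or USSD prompt sent to the billed MSISDN before the subscription is activated.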
O’Sullivan told MyBroadband that MTN is working hard to unify its content platforms and is implementing various anti-fraud measures.
“The combination of the strict subscription services rules that we have already put in place, with the second wave that will be active at the end of the month, combined with a single content platform will go a long way to putting as much control in the hands of our customers.”
With regards to its programmatic media partners, MTN said it is assessing the security of these platforms and their resilience to attacks.
“MTN is engaging the service provider to assess its current service levels and to decide whether actions are to be taken against the provider,” the company said.
MTN added that it would immediately refund customers in cases where fraudulent subscriptions are identified, and urged users to check the four content service USSD streams regularly.
“If any customer reports a subscription that they did not voluntarily enter into and it is shown to have been web-based, MTN will immediately refund the customer.”