While browsing Facebook on my iPhone this weekend, I noticed that a friend of mine had used an image sharing website to share a particularly amusing graphic that was worth closer inspection. I tapped on the picture, expecting a full-screen version, and instead was greeted with a very targeted, very aggressive money-making scam. My web browser was redirected to a website which filled my screen with a pop-up informing me that I had come first in a United Kingdom (Apple) prize draw. With only the “OK” button available, I was obliged to continue…
The next screen informed me very explicitly that my Apple phone number had been chosen at random and that I was eligible for 1 of 4 prizes: a MacBook Air, an Amazon Kindle Touch, an iPhone 4S or an iPad 2. To add credibility, the page also displayed “5 of 110 comments” from previous lucky recipients. Now, I’m sure Marcus, Alex and Sue are all lovely people, but I’m not entirely convinced that they have any real independent biological existence.
I chose the iPad 2 (it was the only prize still left in stock, apparently) and my prize was immediately “reserved”; all I had to do was answer a final qualifying question…
I was redirected to a quiz service run by an organization going by the name of Quizir. The initial screen asked me a very simple question. It was only when I scrolled the screen down that I noticed a long paragraph of small print informing me that I would be paying £3 GBP to join the quiz and a further £3 GBP for every question I answered. Hm, maybe I haven’t won after all. The T&Cs also informed me that I would only be eligible for selection to win, from among all other successful participants. Of course I stopped short of providing them with my mobile phone number as they were requesting.
This whole scheme looked so well targeted and so obviously bogus that I decided to do a little digging. It turns out that Quizir is a subsidiary company (along with Crosmo, Djugo and perhaps many others) of RD Media in the Netherlands. I browsed their respective web pages to get more of an idea of the terms and conditions of the competition that was being so clearly abused.
According to some of the online T&Cs, each participant must get a minimum of 5000 points to be eligible for a prize, and each contest must have a minimum of 100 participants for there to be a winner at all. Neither of these conditions is mentioned on the quiz screen on my smartphone. Additionally, there is no mention, on the web or on the phone screens, of how these points can be accrued. When I called the customer service number to find out, they were happy to explain. If I can get the SMS response to the recipient organization in under 7 seconds, I get 700 points; for every 5 seconds of delay after that, the points won decrease by 100; and if I take longer than 1 minute, I get only 100 points. At £3 GBP per SMS, I could be spending a lot to even be eligible for consideration as a winner!
While the initial targeted, misleading pop-up and redirection malvertising does not appear to come from RD Media, the employee I spoke to on the telephone was unable to clarify to me how their affiliate marketing payments worked; indeed, I was left distinctly confused about whether they supported affiliate advertising at all. RD Media themselves cannot be held blameless either, as there are some serious shortcomings in the transparency of their terms and conditions.
Nonetheless, just as we predicted at the beginning of the year, this is further evidence of criminals abusing legitimate services in order to generate income, and further evidence that you don’t need malware or an infected device to become a cyber criminal. Users of all computing platforms need to be aware of the threat from highly targeted, socially engineered scams. As we consistently move towards adoption of the mobile device as our main internet and computing platform, cybercriminals and unscrupulous companies will search for ever more convincing ways to defraud us through that medium.
I have sent a list of questions to RD Media and also contacted PhonepayPlus, the premium rate regulator in the UK. If I hear anything back I’ll be sure to update this blog.