Web ad tried to make my iPhone spaff a premium-rate text, says snapper

A bloke in Scotland reckons a dodgy web advert tried to trick him into sending a text message from his iPhone to a premium-rate number. It's feared more unscrupulous ad networks could use the same technique to trip up Apple fans and rack up larger than expected phone bills. Andrew Smith – an ex-Reg writer, news photographer, …

  1. Joerg

    Jailbroken device maybe ?

    1. Anonymous Coward

      Re: Jailbroken device maybe ?

      "Smith told us his 16GB iPhone 6 Plus is running iOS 8.4, and is not jailbroken."

  2. aaaa

    iOS 8.4.1 update was important

    yep - lots of security bods predicted that the combination of known security exploits (both crash/data execution and execution of unsigned code) would lead to exploits.

    https://support.apple.com/en-au/HT205030

    Of course we can't be sure, but my guess is that the problem is 8.4 specific - but the 8.4.1 release / fix was not out for long before iOS 9 replaced it - and for some of us who don't want to be guinea pigs for a major new release, that's a problem.

  3. Anonymous Coward

    Weird..

    Normally, iOS blocks access to the SMS subsystem - it requires the user to give permission exactly because Apple did not want anyone to have the ability to send automated premium rate SMS.

    Worth keeping an eye on.

    1. VinceH

      Re: Weird..

      Well it's not actually sending an automated SMS - merely setting up an SMS for the user to send.

      I'd guess there is a mechanism to do this from within web pages for mobile phones - a kind of SMS equivalent to a mailto.

      And a very quick search comes up with:

      Making phone calls and sending SMS with HTML

      That shows how to set up a link that has to be clicked (or tapped) - and seems quite a reasonable thing to want to [be able to] do.

      So presumably what's happened in this case is that the bastard hard done by but generally very trustworthy advertiser has managed to find a way to make the phone think the link has been clicked, with a bit of Javascript or something.

      1. Anonymous Coward

        Re: Weird..

        Odd though, because I'm pretty sure if I click on something in html that wants to text or call, a dialog pops up saying in effect "do you wish to ... etc etc", and requires me to press ok to leave safari and continue to phone or iMessage.

      2. albaleo

        Re: Weird..

        "has managed to find a way to make the phone think the link has been clicked, with a bit of Javascript or something"

        That part seems surprisingly easy. There is a Javascript click() command that can be applied to a DOM element. I discovered this recently when trying to implement an export-to-local-file function in a web application. The code I borrowed to do this used the click() function, and I wondered at the time about possible devious uses.

        1. g e

          Re: Weird..

          More like just putting href="sms:0123456789" into an A tag - doesn't work on Android, they don't allow the number to be pre-filled if I remember correctly from trying this (legitimately) a couple of years ago.

      3. MacGyver

        Re: Weird..

        "managed to find a way to make the phone think the link has been clicked, with a bit of Javascript or something"

        Sounds like the first thing that he said happened "the app store opened up", that was probably fake and the exit button was really the "setup SMS message" button.

        On a web browser I never click anywhere on a window that a browser has launched, no close, no "x" no nothing. I just close the process, on a phone we don't really have the option to have the browser close the window as easily available, sounds like the advertiser has figured this out.
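The mechanism discussed in the replies above (an `sms:` link followed by a scripted `click()`) is something a publisher or ad network can screen for before a creative is served. The following is an added example, not code from the thread or from any ad platform: a first-pass static audit in JavaScript, where the scheme list, finding names and verdict labels are assumptions of this sketch and the sample markup is constructed.

```javascript
// Added example: static pre-flight audit of ad markup (runs in Node.js).
// Scheme list, finding names and verdicts are assumptions of this sketch.
const APP_SCHEMES = ['sms', 'smsto', 'tel'];
const SCHEME_ALT = APP_SCHEMES.join('|');

function auditCreative(html) {
  const findings = [];

  // 1. Attributes that hand off to the messaging app or dialler.
  const attrRe = new RegExp(
    '\\b(href|src|action)\\s*=\\s*["\']?\\s*((?:' + SCHEME_ALT + '):[^"\'\\s>]*)', 'gi');
  for (const m of html.matchAll(attrRe)) {
    findings.push({ kind: 'app-link', attr: m[1].toLowerCase(), url: m[2] });
  }

  // 2. Inline scripts that could follow such a link without a real tap.
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const schemeInJs = new RegExp('["\'`](?:' + SCHEME_ALT + '):', 'i');
  for (const m of html.matchAll(scriptRe)) {
    const js = m[1];
    if (/\.click\s*\(\s*\)/.test(js)) findings.push({ kind: 'synthetic-click' });
    if (/\bdispatchEvent\s*\(/.test(js)) findings.push({ kind: 'synthetic-event' });
    if (schemeInJs.test(js)) findings.push({ kind: 'app-link-in-script' });
  }

  // 3. A bare link needs a human look; a link plus scripting is refused.
  const kinds = new Set(findings.map((f) => f.kind));
  const hasLink = kinds.has('app-link') || kinds.has('app-link-in-script');
  const scripted = kinds.has('synthetic-click') || kinds.has('synthetic-event')
    || kinds.has('app-link-in-script');
  const verdict = hasLink && scripted ? 'reject' : hasLink ? 'review' : 'pass';
  return { verdict, findings };
}

// Constructed sample creatives (the number is the placeholder quoted in the thread).
const SAMPLES = {
  plainBanner: '<a href="https://example.com/offer"><img src="banner.png"></a>',
  tapToText: '<a href="sms:0123456789">Text us</a>',
  autoText: '<a id="cta" href="sms:0123456789">Enter</a>' +
    '<script>document.getElementById("cta").click();</script>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, auditCreative(html).verdict);
}
```

Obfuscated or remotely loaded script is invisible to a static pass like this, so it complements rather than replaces the per-action confirmation prompt mentioned in the thread.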

  4. Your alien overlord - fear me

    Prize is a compromised iPad, complete with backdoor trojans, keyloggers and control over the webcam.

    Nice.

    1. Anonymous Coward

      "Prize is a compromised iPad, complete with backdoor trojans, keyloggers and control over the webcam."

      Nope. Each resource requires separate permissions, and some facilities (such as sending SMS) have to be acknowledged every single time. If you cannot take that as a hint that something is amiss it is a miracle you actually managed to get past the iPad setup routine in the first place, and you ought to stick to crayons.

      iOS is a total bastard to compromise. It's not impossible, but to do so without raising a lot of red flags means the user must have either rooted it or must have been dead drunk to just say yes to anything that wanted approval. It is *far* from trivial - too many layers to wade through.

      1. BoldMan

        Whoosh!

        That's the sound of you missing the point of the original post...

  5. Bob Dole (tm)
    Mushroom

    The best and worst features

    Browsers should be completely blocked from being able to communicate with *any* other program on a device. They shouldn't be able to open my text messaging, the app store, youtube, etc.

    One possibility would be for Apple to implement a white list, similar to what they do for location services. I have location services turned off for absolutely everything BUT the find my phone app. In the same vein, I should be able to say "Sorry, but safari is blocked from opening any other application on the device"

    1. Voland's right hand Silver badge

      Re: The best and worst features

      Tell this one to "we live in the browser" HTML5 crowd.

      Do not understand me wrong - I agree with you. A large portion of the rest of the world does not - including Apple itself.

    2. Mark #255

      Re: The best and worst features

      "Browsers should be completely blocked from being able to communicate with *any* other program on a device..."

      I disagree. mailto, phone numbers and addresses are things that I frequently click on, to open in another app.

      The alarming issue is the apparent programmatic/automatic nature of it.

      As an aside, the messaging app on my Moto G warned me recently that I was about to send a chargeable (out-of-bundle) text message; this is probably the appropriate app to know about these things, rather than the browser.

    3. paulf
      Devil

      Re: The best and worst features

      I mostly agree with you - Safari (and other apps) should be much more limited in the way they can call other apps. All it takes is for a bit of fancy javascript to make Safari think a link has been clicked and off it goes to the App store or somesuch. I know I've opened (mostly reputable) websites and been thrown straight to the App store by an ad, before the page finishes loading, which is utterly wrong, but I disagree that a complete block is suitable as there are times when that integration is useful.

      As I understand it any request in Safari to open the Dialler to call a number pops up a dialogue asking if you're sure you want to call that number. That should be the case in all "other app" calls e.g. "Are you sure you want to view SuperApp in the App store?"

      It doesn't stop PICNIC/ID10T errors clicking through all the dialogues but does give another layer of protection against ads, which it seems are all malicious until proven otherwise!

      Pic = Advertisers.

  6. Dadmin
    Thumb Down

    Advertising: mankind's most useless invention

    Don't get me wrong, chaps, I currently get paid by a so-called online advert agency, so in reality this message is a paid-for advert to block more ads. Advertising is the lowest form of communication, and a worthless waste of untold billions of advert dollars/pounds/rupees/barter-voles. Nothing makes me prouder than teaching the joy of Muting & Diverting to my little one. I 100% of the time mute the sound or switch to another station on video, and just avoid ads altogether, everywhere. It's not that hard. What is advertising anyway? I need to see some asshole with a racist haircut tell me what products I may need or don't know about yet because I'm that fucking stupid? Fuck off, I think I know how to find crap to buy without some cranky twat jiggling her muffins pointing at some product so overpriced that they can afford to buy advertising, rather than make a better product. It's a colossal waste of time and money and if all the lawyers, pedophiles, and advertisers fell into the fucking swamp and become brown time-capsules, fine by me.

    1. Palpy

      Re: Advertising: mankind's most useless invention

      Yes, agreed. Saw a passage in a rather old book that quoted a Chinese man visiting the USA. The gentleman said something like, "I am very interested in your advertisements. In China, the State creates propaganda. Everyone knows it is propaganda, but after many repetitions the message enters the mind. Here, private industry creates propaganda. The message is different, but it is the same thing."

      A few days ago I was asked to look over some videos promoting a software "solution" my company is considering. First vid: 5 minutes. Substantive, 10-second message: we can create clickable links in scanned architectural drawings. The rest was puff -- actors telling the camera how much better life was with the software. That was all propaganda.

      Adblockers and NoScript set to "stun", Cap'n.

      1. Blank-Reg
        Megaphone

        Re: Advertising: mankind's most useless invention

        Nice comment, though one slight tweak:

        Adblockers and NoScript set to "stun kill", Cap'n.

      2. Doctor Syntax Silver badge

        Re: Advertising: mankind's most useless invention

        "Adblockers and NoScript set to "stun", Cap'n."

        And don't forget Ghostery.

    2. Aristotles slow and dimwitted horse

      Re: Advertising: mankind's most useless invention

      You know what Dadmin's doing? He’s going for that anti-marketing dollar. That’s a good market. He’s very smart. He’s also going for the righteous indignation dollar. That’s a big dollar. A lot of people are feeling that indignation. We’ve done research – huge market. He’s doing a good thing.

      The anger dollar too. Huge. Huge in times of recession. Giant market. Dadmin's very bright to do that.

      RIP Bill.

    3. Havin_it
      Pint

      Re: Advertising: mankind's most useless invention

      @Dadmin

      Beauty of a rant there mate, but serious question: how does one define a "racist haircut"? Could you point me towards any examples?

      @Aristotles...

      Beat me to it ;)

  7. Stevie

    Bah!

    El Reg cannot claim any high ground here. This morning the Reg App added an annoying persistent animated banner ad to the list of reasons to never use it.

    1. Steven Roper

      Re: Bah!

      Yes, but El Reg must know their tech-savvy userbase contains a much higher percentage of ad-blocker users than most news sites. Yet they don't discourage or block said ad-blocker users; rather, they tacitly encourage them. Despite doing so, El Reg manages to make enough money to pay their staff by convincing advertisers - who, given the industry they're in, should also be aware of this - to buy adverts they know very few will ever see. Pretty clever of them actually!

      1. Doctor Syntax Silver badge

        Re: Bah!

        " El Reg manages to make enough money to pay their staff by convincing advertisers ... to buy adverts they know very few will ever see."

        It's cleverer than that. Because we block the ads we don't get so pissed off with them that we actively avoid the product.

      2. Stevie

        Re: ad blocker

        Fair enough. Now how do I get the other fucktard design issues with it sorted?

  8. Anonymous Coward

    Loaf of bread

    Someone tried to charge me 2 quid for a loaf of bread.

    Stuff that I cried, taking the bread and leaving without paying. £2. Daylight robbery it was.

    And it was full of ads, E-numbers!

    1. Steven Roper

      Re: Loaf of bread

      And how much were you paid to post that steaming pile of shite, AC?

      Filtering adverts has about as much in common with stealing bread as taking a dump has to do with driving a car.

      1. Mitoo Bobsworth

        Re: Loaf of bread

        @Steven Roper

        You've obviously never driven a Prius, then.

        1. Steven Roper
          Coffee/keyboard

          Re: Loaf of bread

          @ Mitoo Bobsworth

          Ba-dum-tish!

          New keyboard, please!

  9. J.G.Harston Silver badge

    This has been around ever since mailto:recipient?subject=subject%20line&body=message%20body

  10. Anonymous Coward

    What!

    No animated monkeys to hit?

    Swizz

  11. Anonymous Coward

    Bill Hicks had the right idea about advertisers

    https://youtu.be/aMN8REGJXaA

    1. Anonymous Coward

      Re: Bill Hicks had the right idea about advertisers

      In my list of people for the chop come the 'revolution', Ad Execs are on my list not far behind Lawyers and Politicians (those who are both are at the head of the queue).

      Yes I know it will never happen but one can't stop dreaming of a better world now can one eh?

      1. Rol

        Re: Bill Hicks had the right idea about advertisers

        There really is no point whining on about a better future if no one has bothered to define better, so having the idea all ad execs and the rest of the "devil's lil' helpers" should "suck a tailpipe" is much more than a dream. It's a practical solution and gateway to getting more utility out of breathing than you ever thought possible.

        What if we had a Bill Day, where Ad people are encouraged to kill themselves?

        We could have a huge zirconium plinth to honour all those that had given their lives so that we may live.

  12. Anonymous Coward

    Anyone fancy doing some digging on the scammers?

    Googling the phone number produces lots of reports of other scams from the same people, mainly from links on Facebook. People reporting that they clicked on a link, and got charged £8 for "entering a competition". And PhonePayPlus refused to take an interest.

    Anyone know anyone who could dig into this company a bit more? Might be nice to know who they are.
