Original URL: https://www.theregister.com/2013/07/03/phonepayplus_ransomware_investigation/

Regulator sniffs mobile services bods: 'Something's off. Hand me the probe'

PhonepayPlus says there's 'evidence' of ransomware-style marketing

By John Leyden

Posted in Networks, 3rd July 2013 14:32 GMT

UK premium rate regulator PhonepayPlus has launched an investigation into five mobile phone subscription services after it said that evidence had emerged that each had been marketed though ransomware-style browser lock-in tactics.

Bafona Ltd’s Zovut subscription service, which costs £4.50 per week, is billed as a chance to compete for top-end Apple kit including iPad3 and iPhone5 by taking part in a quiz. Online marketing affiliates involved in the scheme allegedly used malware to "force them to interact" with the Zovut subscription service, according to PhonepayPlus.

In a statement, PhonepayPlus said it had suspended the Zovut subscription service pending an emergency investigation into the issue, which emerged as a problem through its internal monitoring rather than through complaints from UK consumers.

PhonepayPlus, the UK regulator for premium rate telephone services, has launched an Emergency procedure investigation under paragraph 4.5 of its Code of Practice (Twelfth Edition) (the Code), following internal monitoring conducted by PhonepayPlus.

This monitoring evidenced affiliate marketing that appeared to utilise a form of malware known as ransomware to lock consumers’ internet browsers and force them to interact with online offers which directed them to the Level 2 provider, Bafona Ltd’s “Zovut” subscription service(s).

Bafona Ltd has been identified as the Level 2 provider responsible for the service. A Tribunal will decide whether the service is in breach of the Code as soon as is reasonably possible after PhonepayPlus has received a response from the Level 2 provider to its Emergency procedure breach notice, which is to be sent to Bafona Ltd in due course. The service has now been suspended pending conclusion of the investigation and a decision by the Tribunal.

In the meantime, other providers are reminded that enabling this service, or any other services that operate in a similar way, may result in breaches being raised against them.

Four other services are all being investigated for allegedly using similarly illicit ransomware tactics. Each has been suspended pending an emergency probe. The four other suspended subscription services are R&D Media Europe’s "zemgoogs", Jesta Digital GmbH’s "gamester", Gico Europe LLP’s "triviato" and Bitstacker Limited’s "lottobytext".

Ransomware refers to a form of malware that typically locks up systems and accuses the user of some fictitious crime, from distributing music or films on file-sharing networks to circulating child-abuse images. Strains of ransomware Trojans, such as Reveton, often feature police logos to make extortionate demands look more plausible. Victims are typically coerced into coughing up a "fine" of about £100 using untraceable cash vouchers in order to obtain codes to unlock their computers.

When El Reg asked the regulator how the offending behaviour would have presented itself to consumers of premium rate subscription services, it said: "We are still conducting our investigation so it would be inappropriate to comment beyond what we have already released."

Chris Boyd, a senior threat researcher at ThreatTrack Security, said the anti-malware firm had not come across any samples related to the alleged scams highlighted by PhonepayPlus as yet. Boyd was however able to explain the likely scenario behind the alleged scams.

"Although we've had no direct contact with the ransomware mentioned, it sounds like a piece of DIY ransomware where the PC is locked and displays offers and surveys in a window that hijacks the desktop (displaying content loaded from the scammers website), instead of the usual "Pay $200 to unlock your computer and recover your files," Bod explained.

"There are many building tools out there which would allow someone to make a piece of ransomware similar to the one mentioned, and as surveys often display everything from iPad offers and shopping vouchers to mobile subscription services and ringtone deals, it seems likely this could be the scenario described in the [PhonepayPlus] release."

Last December, ThreatTrack Security blogged about an apparently unrelated strain of DIY ransomware that locks up infected PCs with survey offers. ®