How Megafon got caught out on mobile subscriptions

    Discussion of telecom operators in Telegram tg.guru/opsosru

    For a long time, stories about paid mobile subscriptions on IoT devices have been circulating like jokes.


    From Pikabu

    Everyone understands that these subscriptions cannot happen without the involvement of the mobile operators.

    But mobile operators stubbornly argue that the subscribers are simply suckers.

    For many years I never picked up this infection and even thought that people catch it because of their computer illiteracy. But I was mistaken...

    Recently, while sharing the Internet connection from Megafon, I was sitting and working quietly at the computer when, as I clicked on the next link in Google, a redirect happened and this window appeared.

    Of course, I was overcome by professional interest.

    I immediately realized that this is it! The very thing that they write about so often, and now they are trying to get money out of me.

    Fine gray text box
    The site contains materials in the following sections: audio jokes, videos, pictures, music, congratulations, useful articles, recipes, tips, interpretation of names, quotes and aphorisms, weather forecast.

    But it does not say anything about paid subscriptions ...

    Since I have 0 rubles on my phone and I don’t have any “Credits of trust”, I clicked the “Continue” button.

    A redirect to another page has occurred. The design is very similar to the first.



    An ordinary person will not focus on this and will think that the content remains the same.
    But the gray, barely noticeable text is completely different:
    By clicking on the “Continue” button, you confirm your agreement with the connection of the vsewap.ru subscription and the Subscription Terms. Subscription price 35.0 rub. including VAT for 1 day. Payment is made from the main account. The service is provided by the content provider LLC Informpartner.
    I continue the experiment and click “Continue”. And an SMS arrives ... the subscription is complete! Of course, I immediately turned it off.

    In such cases most people would think that I probably have a virus on my computer and that it redirected me to the site of the content provider.

    But in this case it is Megafon that makes the redirect, using the same technology that redirects you when any Internet restriction applies, or wap-click is used. Unfortunately, I can’t say more precisely.



    Corporate users also encounter such redirects:



    I look for where the “legs” grow from:


    I check who owns the domain of the site that is trying to con me:



    How unexpected! The domain belongs to Megafon!
    And, by coincidence, the web server IP also belongs to Megafon:

    nslookup truvpro.ru
    Name: truvpro.ru
    Address: 31.173.34.227
    Name: truvpro.ru
    Address: 31.173.34.226
    inetnum:        31.173.32.0 - 31.173.39.255
    netname:        MF-MOSCOW-BBA-POOL-31-173-32
    descr:          Moscow Branch of OJSC MegaFon
    role:           Moscow Branch of PJSC MegaFon Internet Center

    It could be assumed that one of Megafon’s clients is engaged in fraud and is simply framing an honest operator.

    We check the site that lets you manage subscriptions from all content providers known to Megafon, moy-m-portal.ru.

    It also belongs to Megafon.
    whois moy-m-portal.ru
    % By submitting a query to RIPN's Whois Service
    % you agree to abide by the following terms of use:
    % www.ripn.net/about/servpol.html#3.2 (in Russian)
    % www.ripn.net/about/en/servpol.html#3.2 (in English).

    domain: MOY-M-PORTAL.RU
    nserver: ns1.misp.ru.
    nserver: ns2.misp.ru.
    state: REGISTERED, DELEGATED, VERIFIED
    org: North-West Branch of PJSC MegaFon
    registrar: RU-CENTER-RU
    admin-contact: www.nic.ru/whois
    created: 2016-04-07T15:00:38Z
    paid-till: 2020-04-07T15:00:38Z
    free-date: 2020-05-08
    source: TCI

    Last updated on 2019-04-18T11:31:32Z
    And it is also located on the same ip as the scam site!
    nslookup moy-m-portal.ru

    Name: moy-m-portal.ru
    Address: 31.173.34.227
    Name: moy-m-portal.ru
    Address: 31.173.34.226
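The overlap shown by these lookups can be checked mechanically. The following is an added example, not code from the original article: it parses the nslookup output and the RIPE inetnum line quoted above, groups domains that resolve to an identical address set, and tests those addresses against the operator's allocation. The function names are illustrative.

```python
import ipaddress
import re

# Lookup output as quoted in the article (two domains, one RIPE inetnum line).
NSLOOKUP = """\
Name: truvpro.ru
Address: 31.173.34.227
Name: truvpro.ru
Address: 31.173.34.226
Name: moy-m-portal.ru
Address: 31.173.34.227
Name: moy-m-portal.ru
Address: 31.173.34.226
"""
INETNUM = "inetnum:        31.173.32.0 - 31.173.39.255"


def parse_nslookup(text):
    """Return {domain: set of addresses} from Name:/Address: line pairs."""
    records, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name":
            current = value.rstrip(".").lower()
            records.setdefault(current, set())
        elif key == "address" and current:  # skips the resolver's own Address line
            records[current].add(ipaddress.ip_address(value))
    return records


def parse_inetnum(line):
    """Convert 'inetnum: first - last' into the CIDR blocks covering it."""
    first, last = re.search(r"inetnum:\s*(\S+)\s*-\s*(\S+)", line).groups()
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def correlate(records, networks):
    """Group domains by identical address set; test each set against the allocation."""
    groups = {}
    for domain, ips in records.items():
        groups.setdefault(frozenset(ips), []).append(domain)
    return [{"domains": sorted(doms),
             "ips": sorted(str(ip) for ip in ips),
             "in_allocation": all(any(ip in n for n in networks) for ip in ips)}
            for ips, doms in groups.items()]


print(correlate(parse_nslookup(NSLOOKUP), parse_inetnum(INETNUM)))
```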

    Suppose the operator uses a load balancer of the Citrix NetScaler class which, for example, inserts a subscriber ID to identify the subscriber.
    We look at what other domains were seen at these addresses:

    dnslytics.com/reverse-ip/31.173.34.226
    dnslytics.com/reverse-ip/31.173.34.227
    And there are only 19 of them!

    That is rather thin for such expensive equipment ...

    Most of them were registered in March 2019 ("created: 2019-03-20")

    When you open any of them, Google Chrome warns that money can be stolen from you:



    That is, all of these domains belonging to Megafon have been seen in fraudulent activity with paid subscriptions!

    And we well remember that under Russian law (the situation with the creator of Kate Mobile), the owner of the IP is responsible for actions performed from a specific IP. And here the domain owner also coincides ...

    I decided to look at the sites Megafon subscribes people to (from the list posted here: moy-m-portal.ru). Of course, not all of them, but with the blessing of the great Random.

    Sites that caught my eye
    zvoook.com
    Creation Date: 2019-02-18T07:32:00Z
    Registrant Name: Protection of Private Person
    Registrar: Registrar of domain names REG.RU LLC

    yottupe.com
    Creation Date: 2019-04-08T17:47:46Z
    Registrant Name: Protection of Private Person
    registrar: REGRU-RU

    futod.space
    Creation Date: 2019-03-26T23:01:18.0Z
    Registrant Organization: Privacy Protection
    registrar: REGRU-RU

    vkusnopoedim.com
    Creation Date: 2019-03-21T11:52:58Z
    Registrar: Registrar of domain names REG.RU LLC
    Registrant Name: Protection of Private Person

    zavcev.com
    Creation Date: 2019-02-18T10:33:48Z
    Registrar: Registrar of domain names REG.RU LLC
    Registrant Name: Protection of Private Person

    MUSICA-YONTUBE.COM
    Creation Date: 2019-03-11T12:41:40Z
    Registrar: REGISTRAR OF DOMAIN NAMES REG.RU LLC

    files-zilla.com
    Creation Date: 2019-02-18T10:33:14Z
    Registrar: Registrar of domain names REG.RU LLC
    Registrant Name: Protection of Private Person


    In summary:

    1. All of them are registered with the registrar REG.RU
    2. Everyone has an owner organization
    3. They are all fresh. More precisely, new ones appear with enviable regularity (you can even track the chronology).
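The registrar and freshness comparison can be automated once the WHOIS fields are normalised. The following is an added example, not code from the original article: it takes four of the excerpts quoted above (chosen to cover the differing field names, registrar spellings and timestamp formats), maps them to one schema and reports the registrar set, the number of privacy-masked registrants and the span of creation dates. The function names and the normalisation rules are assumptions of this example.

```python
import re
from datetime import datetime

# Added example: four WHOIS excerpts from the article; parse/summarize are illustrative names.
RAW = """\
zvoook.com
Creation Date: 2019-02-18T07: 32: 00Z
Registrant Name: Protection of Private Person
Registrar: Registrar of domain names REG.RU LLC

yottupe.com
Creation Date: 2019-04-08T17:47:46Z
Registrant Name: Protection of Private Person
registrar: REGRU-RU

futod.space
Creation Date: 2019-03-26T23:01:18.0Z
Registrant Organization: Privacy Protection
registrar: REGRU-RU

MUSICA-YONTUBE.COM
Creation Date: 2019-03-11T12:41:40Z
Registrar: REGISTRAR OF DOMAIN NAMES REG.RU LLC
"""

def parse(raw):
    records = []
    for block in raw.strip().split("\n\n"):
        name, *fields = block.splitlines()
        rec = {"domain": name.strip().lower(), "private": False}
        for line in fields:
            key, _, val = line.partition(":")
            key, val = key.strip().lower(), val.strip()
            if key == "creation date":  # drop stray spaces, 'Z' and fractions
                ts = re.sub(r"\s+", "", val).rstrip("Z").split(".")[0]
                rec["created"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
            elif key == "registrar":  # treat REGRU-RU and REG.RU LLC as one registrar
                rec["registrar"] = "REG.RU" if re.search(r"reg\.?ru", val, re.I) else val
            elif key.startswith("registrant"):  # Name or Organization field
                rec["private"] = bool(re.search(r"priva(te|cy)", val, re.I))
        records.append(rec)
    return records

def summarize(records):
    created = sorted(r["created"] for r in records)
    return {"registrars": sorted({r["registrar"] for r in records}),
            "privacy_hidden": sum(r["private"] for r in records),
            "span_days": (created[-1] - created[0]).days}

print(summarize(parse(RAW)))
```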

    On all the sites the footer carries the same templated text:
    Subscription access costs 35 rubles including VAT per day for MegaFon PJSC subscribers; for a one-time payment - 150 rubles (including VAT) for 30 days for MegaFon PJSC subscribers; Subscription access renewal is automatic. To refuse to provide a Subscription to the service, send an SMS message with the word STOP <space> 113 to 5151 for MegaFon PJSC subscribers. Messaging is free in the home region. Technical Support Service, LLC “Informpartner”: 8 800 500-25-43 (free call), e-mail: helpdesk@informpartner.com

    And the offer is the same everywhere: vk-vid.com/site/offer

    Well, it cannot be that hundreds of sites are created only for the subscribers of Megafon! And what if a Beeline client wants to receive this content? ..

    Too many coincidences ...

    Lately, if a subscriber complains to technical support that money has been charged for a bogus subscription, the money is returned to him.

    But if the money were being transferred to outside content providers, the mobile operator would not pay the subscriber back out of its own pocket! Megafon is afraid that if mass complaints to law enforcement agencies begin, then sooner or later such actions will be qualified under Article 159 of the Criminal Code of the Russian Federation. And there will be no Informpartner LLC in this chain! It’s cheaper to shut up the indignant at the very beginning.

    Setting up all kinds of protection against subscriptions on Megafon does not help.

    In the comments, they also confirmed that Megafon ignores the bans.

    Thus, Megafon does not even try to hide the fact that it is tricking subscribers into signing up for expensive shit content ...

    Say 200,000 people get signed up for a 35-ruble subscription. 100,000 will be outraged and will get the money returned to their account. From the rest, 3.5 million per day goes to the company's budget ...

    In this case, I studied the behavior of one telecom operator, Megafon. But, judging by the reviews, all the operators of the Russian Federation (except YotaRussia) are hunting this way.

    Having visited the specialized hosting site for such sites, we will see in partners those whom we know and “love”

    nslookup zvoook.com
    Name: zvoook.com
    Address: 78.140.175.32
    Name: zvoook.com
    Address: 78.140.175.19

    nslookup 78.140.175.19

    19.175.140.78.in-addr.arpa name = webwap.org.


    It turns out that this is an organized criminal community engaged in fraud on a large scale?

    PS: This article is compiled from my two posts on Pikabu: One and Two.