For a long time, stories about paid mobile subscriptions on IoT devices have been circulating as not funny jokes.
Everyone understands that these subscriptions are not complete without the actions of mobile operators.
But mobile operators stubbornly claim that these subscribers are suckers:
For many years I have never picked up this infection and even thought that people get this way because of their computer illiteracy. But I was wrong...
Recently, having shared the Internet from Megafon, I sat and quietly worked at the computer until, when I clicked on the next link in Google, a redirect occurred
and I got this window
Of course, I was overcome by professional interest.
I immediately knew what it was! The very thing that is so often written about and now they will try to swindle me for money.
Small gray window textThe site contains materials in the following sections: audio jokes, videos, pictures, music, congratulations, useful articles, recipes, tips, interpretation of surnames, quotes and aphorisms, weather forecast.
But it doesn't say anything about paid subscriptions...
Since I have 0 rubles on the account of this phone and there are no βCredits of Trustβ, I clicked the βContinueβ button.
There was a redirect to another page. The layout is very similar to the first one.
An ordinary person will not focus on this and will think that the content has remained the same.
But the gray, barely visible text is completely different:
By clicking on the "Continue" button, you confirm your agreement with the connection of the vsewap.ru subscription and the Subscription Terms. Subscription price 35.0 rub. including VAT for 1 day. Payment is made from the main account. The service is provided by Content Provider OOO Informpartner.
I continue the experiment and click "Continue". And SMS arrives ...
subscription completed! Of course, I immediately turned it off.
As most people think in such cases, I probably have a virus on my computer and it redirected me to the content provider's website.
But in this case, it is Megafon that redirects using the same technology that redirects you in case of any Internet restrictions or wap-click is used. Unfortunately, I can't say for sure.
Corporate users also face such redirects:
I'm looking for a place where "legs" grow from:
I check who owns the domain, the site on which he wants to βdivorceβ me:
How unexpected! The domain belongs to Megafon!
And such a coincidence that the ip of the web server also belongs to Megafon
nslookup truvpro.ru
Name: truvpro.ru
Address: 31.173.34.227
Name: truvpro.ru
Address: 31.173.34.226
inetnum: 31.173.32.0 - 31.173.39.255
netname: MF-MOSCOW-BBA-POOL-31-173-32
descr: Moscow Branch of OJSC MegaFon
role: Moscow Branch of PJSC <b>MegaFon Internet Center</b>It can be assumed that one of Megafon's clients is engaged in fraud and simply substitutes an honest operator.
We verify the site that allows you to manage the subscriptions of all content providers known to Megafon
It also belongs to the megaphone whois my-m-portal.ru
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% (in English)
% (in English).
domain: MOY-M-PORTAL.RU
nserver: ns1.misp.ru.
nserver: ns2.misp.ru.
state: REGISTERED, DELEGATED, VERIFIED
org: North-West Branch of PJSC "MegaFon"
registrar: RU-CENTER-RU
admin-contact:
created: 2016-04-07T15:00:38Z
paid-till: 2020-04-07T15:00:38Z
free-date: 2020-05-08
source: TCI
Last updated on 2019-04-18T11: 31: 32ZAnd it is also located on the same ip as the site of the scammers! nslookup my-m-portal.ru
Name: my-m-portal.ru
Address: 31.173.34.227
Name: my-m-portal.ru
Address: 31.173.34.226
Let's assume that the operator uses a balancer of the Citrix Netscaler class, which, for example, substitutes the subscriber ID to identify it.
Let's see what other domains were seen at these addresses:
And there are only 19 of them!www.arusav.ru
dmvasor.ru
mfprovas.ru
my-m-portal.ru
mvpvas.ru
podpiskimf.ru
ppmprop.ru
pravvopros.ru
promfvas.ru
propodpiski.ru
propodpiskimf.ru
proprovas.ru
ropovasru.ru
saverpm.ru
truvpro.ru
vasmfpro.ru
vasmpro.ru
vaspromf.ru
vasprovp.ru
Something too liquid for expensive equipment ...
Most registered in March 2019 ("created: 2019-03-20")
Going to any of them, Google Chrome reports that money can be stolen from you:
That is, all domains belonging to Megafon are seen in fraudulent actions with paid subscriptions!
And we remember well that according to Russian law () the owner of the IP is responsible for actions taken from a specific ip. And then the owner of the domain also coincides ...
I decided to look at the sites that Megafon subscribes to (from the list posted here: ). Of course, not all, but with the blessing of the great Random.
Websites that caught my eyezvoook.com
Creation Date: 2019-02-18T07:32:00Z
Registrant Name: Protection of Private Person
Registrar: Registrar of domain names REG.RU LLC
yottupe.com
Creation Date: 2019-04-08T17:47:46Z
Registrant Name: Protection of Private Person
registrar: REGRU-EN
footod.space
Creation Date: 2019-03-26T23:01:18.0Z
Registrant Organization: Privacy Protection
registrar: REGRU-EN
vkusnopoedim.com
Creation Date: 2019-03-21T11:52:58Z
Registrar: Registrar of domain names REG.RU LLC
Registrant Name: Protection of Private Person
zavcev.com
Creation Date: 2019-02-18T10:33:48Z
Registrar: Registrar of domain names REG.RU LLC
Registrant Name: Protection of Private Person
MUSICA-YONTUBE.COM
Creation Date: 2019-03-11T12:41:40Z
Registrar: REGISTRAR OF DOMAIN NAMES REG.RU LLC
fileszilla.com
Creation Date: 2019-02-18T10:33:14Z
Registrar: Registrar of domain names REG.RU LLC
Registrant Name: Protection of Private Person
Total:
- All of them are registered with the registrar REG.RU
- All have a hidden owner organization
- All of them are fresh. More precisely, new ones appear with enviable regularity. (you can even track the chronology).
On all sites in the footer, as per the template, the same text
The cost of access by subscription is 35 rubles with VAT per day for subscribers of PJSC MegaFon; for a one-time payment - 150 rubles (including VAT) for 30 days for subscribers of PJSC MegaFon; Subscription access is renewed automatically. To cancel the Subscription to the service, send an SMS with the word STOP<space>113 to 5151 for MegaFon PJSC subscribers. The message is free in the home region. Technical support service of Informpartner LLC: 8 800 500-25-43 (toll-free), e-mail: [email protected]
And the offer is the same everywhere
Well, it cannot be that hundreds of sites were created only for the sake of Megafon subscribers! And if a Beeline client wants to receive this content? ..
Too many coincidences...
Lately if due to the fact that money was written off from him for the left subscription, then this money is returned to him.
So, if the money were transferred to the left content providers, then the cellular operator would not give money to the subscriber out of his own pocket! Megafon is afraid that if mass complaints to law enforcement agencies begin, then sooner or later such actions will be qualified under 159 of the Criminal Code of the Russian Federation. And there will be no Infopartner LLC in this chain! It's cheaper to shut up those who are indignant at the very beginning.
Installing any protection against subscriptions on Megaphone does not help
Π
Π also confirmed that Megafon puts a bolt on bans.
Thus, Megafon does not even try to hide that it is they who are tricking subscribers into expensive shit content ...
200 people will sign up for a mailing list worth 000 rubles. 35 will be outraged and they will return the money to their account. From the remaining 100 lyama per day to the company's budget ...
In this case, I studied the behavior of one telecom operator - . But, judging by the reviews, all operators of the Russian Federation do this (except ).
Having entered the site of specialized hosting for such sites, we will see in partners those whom we know and βloveβ
nslookup zvoook.comName: zvoook.com
Address: 78.140.175.32
Name: zvoook.com
Address: 78.140.175.19
nslookup 78.140.175.19
19.175.140.78.in-addr.arpa name=webwap.org.
It turns out that this is an organized criminal community engaged in fraud on an especially large scale?
PS: This article is aggregated from my two on Peekaboo: ΠΈ .
Source: habr.com