Sorry for the length of this article.. there are so many different parts to this that it is difficult to keep a single sensible train of thought.
I don’t know my mobile number, I don’t use it for calls or texts. It is a SIM I use just for data alone. No Google, Microsoft or any other account has my mobile number.
While browsing a weather website today over 3G on my mobile phone I saw an advert.
Fine.. so what.. an advert.. This one was for “MobiPlanet” (see screenshot top right); the thing that intrigued me about it was that the advert touted FlappyBird – as a subscription. I was interested in how they were doing this along with a “free trial”.
Upon clicking the advert I was taken to a screen similar to this one (see screenshot on left):
Except the first time I visited it – it didn’t have the mobile number input prompt. This was missing and only the “Subscribe Now” option existed (see photo to the right).
Stupidly – and thinking that there was no way my browser on my mobile phone was leaking my phone number.. I clicked Subscribe now. To my astonishment I got a text message and was subscribed to the service. No phone number input, no “text back to confirm” feedback loop.
Just instantly subscribed. How! How the heck does a website know my mobile number without me ever inputting it into _anything_.
With a bit of collaboration, a person called “therioman” confirmed that the same issue affects the 3 other major UK network providers (O2, Vodafone and EE).
therioman has (very kindly, thank you!) made a video of this happening:
I’m quite angry at this in the first place. I’ve since spent many hours reproducing the “problem”. Lots of tricks are employed to prevent you from seeing the same sign-up form again; further visits ask you to type in your number.
I can find what I believe to be the API or service that reported my phone number to the advertiser.
Roll in IMI Mobile (“imimobile.net”)!
My reasoning for thinking it is them: they are the only likely party with access to the cell networks’ customer data. Business relationships get built.. then API access or customer databases get abused.
Remember.. I don’t know my mobile number and I don’t have it associated with anything. The only thing that knows my mobile number is my password vault and my mobile provider, called “Three”, themselves.
So how can an advertiser get my mobile number from just me browsing around?
The most likely cause is IMI Mobile having a “special deal” with the major UK cell networks.. Three and the other networks have probably set up an intercepting proxy for requests to some IMI Mobile domains and subdomains, where the subscriber number is injected into an HTTP header. This way IMI Mobile can tell which subscriber is accessing their service and can then pass it on to the advertiser.
It is my belief that the /identify/ request, tagged with a GUID, is sent from your mobile browser to IMI Mobile. IMI Mobile receives the request at their end along with the mobile phone number or subscriber details injected by the mobile network.
They then, in the background, pass this information back to the advertiser (probably by the advertiser requesting another back-end API, asking for details about the GUID). The advertiser can then subscribe you or use your mobile phone number in any way they please.
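As an added example (not code from the original post, IMI Mobile or any network), here is a small checker for the mechanism described above: carrier “header enrichment”, where an on-path proxy adds a subscriber identifier to a plaintext HTTP request. Point a phone’s browser at a plain-HTTP endpoint you control, capture the request headers it arrives with, and run them through `find_enriched_headers`. The header names in `KNOWN_ENRICHMENT_HEADERS` are an assumption drawn from names carriers and WAP gateways have historically used; the post itself does not name the header Three or IMI Mobile use, and the sample headers are constructed, not a real capture.

```python
import re

# ASSUMPTION: header names historically used by carriers/WAP gateways to carry
# the MSISDN. The post does not say which header the network actually injects.
KNOWN_ENRICHMENT_HEADERS = {
    "x-msisdn",
    "x-up-calling-line-id",
    "x-nokia-msisdn",
    "x-wap-msisdn",
    "msisdn",
}

# A run of 10-15 digits (optionally with a leading '+'), not embedded in a
# longer number: the shape of a national or E.164 mobile number.
MSISDN_RE = re.compile(r"(?<!\d)\+?\d{10,15}(?!\d)")

# Constructed sample of what an enriched request might look like on arrival.
# 07700 900xxx is a UK range reserved for fictional use, so no real number.
SAMPLE_REQUEST_HEADERS = {
    "Host": "example.invalid",
    "User-Agent": "Mozilla/5.0 (Linux; Android 4.4)",
    "Accept": "text/html",
    "X-Forwarded-For": "10.0.0.1",
    "X-MSISDN": "447700900123",
    "X-Subscriber-Ref": "ref=07700900123",
}


def find_enriched_headers(headers):
    """Return a list of (header, value, reason) for headers that look injected.

    `headers` maps header name -> value as received by the server. Names are
    matched case-insensitively against the known list; every value is also
    scanned for a phone-number-shaped string so unfamiliar header names are
    caught as well.
    """
    findings = []
    for name, value in headers.items():
        if name.lower() in KNOWN_ENRICHMENT_HEADERS:
            findings.append((name, value, "known carrier enrichment header"))
        elif MSISDN_RE.search(str(value)):
            findings.append((name, value, "value looks like a phone number"))
    return findings


def is_enrichment_possible(url):
    """An on-path proxy can only add headers to plaintext HTTP; a request to
    an https:// URL cannot be enriched by the network."""
    return url.lower().startswith("http://")


if __name__ == "__main__":
    for header, value, reason in find_enriched_headers(SAMPLE_REQUEST_HEADERS):
        print(f"{header}: {value}  <- {reason}")
```

The second function states the caveat that matters for defenders: header injection only works when the request is plain HTTP, so a site that makes every request over HTTPS never sees a network-injected identifier, and a user on an HTTPS-only connection cannot be identified this way. Any header this checker flags on your own test endpoint is worth taking up with the network.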
On most UK mobile networks.. and especially Three.. visit Weather Underground and look at the weather for a location. If you see an advert for a subscription service.. click on it.
I expect the first time you visit that advert you won’t be prompted for your mobile number. You will just see a subscribe button. Any subsequent visits will probably show you a prompt to fill in your mobile number.
See the YouTube video further up the post for one user’s experience.
IMI Mobile partners have been naughty in the past with subscription SMS services.
Google Tag Manager: AW-833104379, GTM-59M4Z8S, AW-848165185
Hosts: i.uk.freetrialclub.co.uk, pfi.imimobile.net, freetrialclub.co.uk, streamsharp.com, app.sb7icat.com
I also believe that “nuyoo.club”, “pfi.nuyoo.club” and “joinbodyin8.com” are similar sites that employ the same “knows your number” trick. They send requests to the imimobile hosts as well.
Also related, but not seen in this incident, is “api-in.taptobill.com”, which has some association with IMImobile. However, the tap2bill name appears on a portal called “PFI Admin” at http://mobilepayments.imimobile.net/ .
Other domains that have previously been seen to call in scripts from the IMIMobile domain and could potentially have also been doing the same “no number to enter or feedback loop” subscription: