The curious time an advert knows your mobile phone number..

Sorry for the length of this article.. there are so many different parts to this that it is difficult keeping a single sensible train of thought.

I don’t know my mobile number, I don’t use it for calls or texts. It is a SIM I use just for data alone. No Google, Microsoft or any other account has my mobile number.

While browsing a weather website today over 3G on my mobile phone I saw an advert.

Screenshot_20180510-203054

Fine.. so what.. an advert.. This one was for “MobiPlanet” (see screenshot top right); the thing that intrigued me about it was the advert touted FlappyBird – as a Subscription. I was interested how they were doing this along with a “free trial”.

Upon clicking the advert I was taken to a screen similar to this one (see screenshot on left):

Screenshot_20180511-121836

Except the first time I visited it – it didn’t have the mobile number input prompt. This was missing and only the “Subscribe Now” option existed (see photo to the right).
vlcsnap-2018-05-20-13h23m02s141

Stupidly – and thinking that there was no way my browser on my mobile phone was leaking my phone number.. I clicked Subscribe now. To my astonishment I got a text message and was subscribed to the service. No phone number input, no “text back to confirm” feedback loop.

Just instantly subscribed. How! How the heck does a website know my mobile number without me ever inputting it into _anything_.

With a bit of collaboration with a person called “therioman” they confirmed that the same issue affects the 3 other major UK network providers (O2, Vodafone and EE).
therioman has (very kindly, thank you!) made a video of this happening:

Screenshot_20180511-175909

I’m quite angry at this in the first place. I’ve since spent many hours reproducing the “problem”. Lots of tricks are employed to prevent you seeing the same sign up form again, further visits ask you to type in your number.

I can find what I believe to be the API or service that reported my phone number to the advertiser.

Roll in IMI Mobile (“imimobile.net”)!

My reasoning for thinking it is them is… They are the only likely party with access to cell networks' customer data. Business relationships get built.. then API access or customer databases get abused.

Remember.. I don’t know my mobile number and I don’t have it associated with anything. The only thing that knows my mobile number is my password vault and my mobile provider, called “Three”, themselves.

So how can an advertiser get my mobile number from just me browsing around?

The most likely cause is IMI Mobile having a “special deal” with the major UK cell networks.. Three and the other networks have probably set up an intercepting proxy for requests to some IMI Mobile domains and subdomains where the subscriber number is injected into an HTTP header. This way IMI Mobile can tell which subscriber is accessing their service and can then pass it on to the advertiser.
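One way to check for this kind of injection, as an added example that is not part of the original post: send a plain-HTTP request to an echo endpoint you control and compare the headers it received with the headers the handset sent. The header names, hosts and sample values below are assumptions; the post does not say which header the networks use.

```python
import re

# Header names publicly reported in header-enrichment research. Assumed here:
# the post does not name the header the UK networks inject.
KNOWN_ID_HEADERS = {"x-msisdn", "x-up-calling-line-id", "x-nokia-msisdn",
                    "x-wap-msisdn", "x-uidh", "x-acr"}
PHONE_LIKE = re.compile(r"^\+?\d{10,15}$")


def injected_headers(sent, received):
    """Return (header, reason) for each header the server saw but the client never sent."""
    sent_names = {name.lower() for name in sent}
    findings = []
    for name, value in received.items():
        lname = name.lower()
        if lname in sent_names:
            continue
        if lname in KNOWN_ID_HEADERS:
            reason = "known subscriber-id header"
        elif PHONE_LIKE.match(value.strip()):
            reason = "value looks like a phone number"
        else:
            reason = "added in transit"
        findings.append((lname, reason))
    return sorted(findings)


# Constructed sample data: what the handset sent, and what a hypothetical echo
# endpoint reported receiving over each transport. The number is made up.
SENT = {"Host": "echo.example.test", "User-Agent": "Mozilla/5.0 (Android)",
        "Accept": "*/*"}
SEEN_OVER_HTTP = {**SENT, "Via": "1.1 proxy.carrier.example",
                  "X-MSISDN": "447700900123"}
SEEN_OVER_HTTPS = dict(SENT)  # an in-path proxy cannot add headers inside TLS

if __name__ == "__main__":
    for label, seen in (("http", SEEN_OVER_HTTP), ("https", SEEN_OVER_HTTPS)):
        print(label, injected_headers(SENT, seen))
```

Run the comparison once over mobile data and once over Wi-Fi: a header that appears only on the cellular path was added by the network, not by the browser.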

The specific requests which do this, I believe, are unusual requests in the advertiser site pointing to a JavaScript file at IMI Mobile. However, these _all_ return a 0 byte (empty) file. E.g.:

http://pfi.imimobile.net/identify/bbaba4b7-4b22-4c2a-a875-3ba755dde0a7/verify.js
http://pfi.imimobile.net/identify/6e688090-0d93-4c86-bbc0-2cf84730e593/verify.js
http://pfi.imimobile.net/identify/8681162f-f946-43ad-957b-11a4b767162f/verify.js
http://pfi.imimobile.net/identify/9501bcd0-66ce-4f4c-8f2a-49c8889bc8a4/verify.js
http://pfi.imimobile.net/identify/ab1aa5b0-a429-4180-83b9-fbcc58a575e1/verify.js

It is my belief that the /identify/ request, tagged with a GUID, is sent from your mobile browser to IMI Mobile. IMI Mobile receive the request at their end along with the mobile phone number or subscriber details injected by the mobile network.

They then, in the background, pass this information back to the advertiser (probably by the advertiser requesting another back end API asking for details about the GUID). The advertiser can then subscribe you or use your mobile phone number in any way they please.
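The request pattern described above can be searched for in a browser capture. This is an added example, not code from the original post: it scans a HAR export for cleartext third-party requests that carry a GUID in the path and return an empty body. The HAR below is constructed; only the first URL is taken from the post, and the host comparison is deliberately naive.

```python
import re
from urllib.parse import urlsplit

# A GUID as a whole path segment, e.g. /identify/<guid>/verify.js
GUID_SEGMENT = re.compile(
    r"/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}(?:/|$)", re.I)


def find_identify_beacons(har, page_host):
    """List URLs that are plain HTTP, third-party, GUID-tagged and empty."""
    hits = []
    for entry in har["log"]["entries"]:
        raw_url = entry["request"]["url"]
        url = urlsplit(raw_url)
        body_size = entry["response"]["content"].get("size", 0)
        if (url.scheme == "http"              # cleartext, so a proxy can alter it
                and url.hostname != page_host  # naive third-party test
                and GUID_SEGMENT.search(url.path)
                and body_size == 0):           # response carries nothing back
            hits.append(raw_url)
    return hits


def _entry(url, size):
    # Helper for building the constructed sample below.
    return {"request": {"url": url},
            "response": {"status": 200, "content": {"size": size}}}


# Constructed HAR fragment for a landing page on landing.example.test.
SAMPLE_HAR = {"log": {"entries": [
    _entry("http://pfi.imimobile.net/identify/"
           "bbaba4b7-4b22-4c2a-a875-3ba755dde0a7/verify.js", 0),
    _entry("https://cdn.example.test/lib/app.js", 48211),
    _entry("http://landing.example.test/css/site.css", 900),
    # Same shape over HTTPS: not flagged, the network cannot inject into TLS.
    _entry("https://id.example.test/identify/"
           "00000000-0000-4000-8000-000000000000/verify.js", 0),
]}}

if __name__ == "__main__":
    for hit in find_identify_beacons(SAMPLE_HAR, "landing.example.test"):
        print("possible identification beacon:", hit)
```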

 

Reproduction.

On most UK mobile networks.. and especially Three.. visit weather underground and look at the weather for a location. If you see an advert for a subscription service.. click on it.

I expect the first time you visit that advert you won’t be prompted for your mobile number. You will just see a subscribe button. Any subsequent visits will probably show you a prompt to fill in your mobile number.

See the YouTube video further up the post for one user's experience.

Notes
IMI Mobile partners have been naughty in the past with subscription SMS services.
https://psauthority.org.uk/-/media/Files/PhonepayPlus/Adjudications/0001Tribunal_decisions/2016/Tribunal-minutes-72402.ashx
https://psauthority.org.uk/-/media/Files/PhonepayPlus/Adjudications/0001Tribunal_decisions/72152-Tribunal-Minutes-022016.ashx
https://psauthority.org.uk/-/media/Files/PhonepayPlus/Adjudications/0001Tribunal_decisions/71968–Tribunal-Minutes-022016.ashx

Related indicators.

Google Tag Manager: AW-833104379, GTM-59M4Z8S, AW-848165185

Hosts: i.uk.freetrialclub.co.uk, pfi.imimobile.net, freetrialclub.co.uk, streamsharp.com, app.sb7icat.com

I also believe that “nuyoo.club”, “pfi.nuyoo.club”, “joinbodyin8.com” are similar sites that employ the same “knows your number” trick. They send requests to the imimobile hosts as well.

Also related but not seen in this incident is “api-in.taptobill.com” which has some association with IMImobile. However the tap2bill name appears on a portal called “PFI Admin” at http://mobilepayments.imimobile.net/ .

Other domains that have previously been seen to call in scripts from the IMIMobile domain and could potentially have also been doing the same “no number to enter or feedback loop” subscription:

