Sven Nobis works as a Security Analyst at ERNW, performing application and infrastructure assessments. He focuses mainly on web application security but is also interested in mobile security. Besides IT security, he is a passionate developer and tries to bring that experience into his everyday work.
WAP billing is a widely available and easy-to-use micropayment system provided by mobile network operators. The customer purchases with a single click and the charge is added to their mobile phone bill; no registration is needed. The downside of this billing method is fraud: 13% of all mobile phone users in Germany have been victims of WAP billing fraud. Until now, no research has analyzed how these attacks work. This talk presents a case study in which we found several sites that exploit Universal XSS vulnerabilities. This allowed the attackers to bypass the browser's security restrictions and purchase their products on the victim's account without any interaction by the victim. We will explain in detail how the scam works and discuss mitigations that effectively prevent the ongoing fraud.