There is a vulnerability in the dialer which causes the dialer to blindly run USSID codes when the browser visits a specifically crafted link. This is the same vulnerability that the Samsung Galaxy S3 has been reportedly suffering from.
To test your device:
if your phone shows an Imei number, then you're vulnerable. If you only see a code in the dialer, you're okay. My San Diego is sadly at risk. It's easy enough to fix yourself by installing another dialer (SEE EDIT BELOW FOR BETTER FIX) which will cause a choice dialog box to show, which you can then cancel. Advice is given in the above url.
I don't know if this is being used 'in the wild' yet, but you should act now before it happens.
Edit for a better fix: Install Telstop from the Google Play Market. Run the test above again, and set Telstop to be the default action when you get the choice. From now on, Telstop will 'vet' the link to make sure it's safe. If it is safe, it will proceed as normal with your normal dialler. If it thinks it's unsafe, it will warn you, so you have the choice to cancel.
Edited by Ribs85, 06 October 2012 - 05:38 PM.