February 28, 2016 – China has gained considerable global attention for its Internet policies in the past few years, whether by introducing its own search engine, Baidu, the Great Firewall of China, its homebrew China Operating System (COP), and more.
Alongside these developments, China has long been criticized for suspected backdoors in its products; the Xiaomi and Star N9500 smartphones are the best-known examples.
Now, Chinese Internet Service Providers (ISPs) have been caught red-handed injecting advertisements as well as malware into their network traffic.
Three Israeli researchers uncovered that the major Chinese ISPs China Telecom and China Unicom, two of Asia’s largest network operators, have engaged in the illegal practice of injecting content into network traffic.
The Chinese ISPs had set up many proxy servers that pollute clients’ network traffic, inserting not only intrusive advertisements but, in some cases, malware links into the websites they visit.
If an Internet user tries to access a domain that resides with one of these Chinese ISPs, a forged packet causes the user’s browser to follow the rogue route. As a result, the client’s legitimate traffic is redirected to malicious sites or ads, to the ISPs’ benefit.
Here’s How Malware and Ads are Injected
In the research paper titled ‘Website-Targeted False Content Injection by Network Operators,’ the Israeli researchers wrote that the tactic has now expanded to core ISPs – the Internet companies that interconnect edge ISPs with the rest of the ISPs globally.
These ISPs have set up specialized servers that monitor network traffic for specific URLs and alter it, whether or not the end users are their customers.
Methods of Injection:
ISPs have adopted various methods to infiltrate legitimate traffic. Some of them are:
1) Out-of-Band TCP Injection
Unlike in the past, when ISPs modified network packets to inject ads, the network operators now send forged packets without dropping the legitimate ones.
Interestingly, instead of intercepting or rewriting network packets, ISPs clone HTTP response packets to carry out the injection. The ISP clones the legitimate traffic, modifies the clone, and then sends both packets to the intended destination.
Ultimately, two response packets are generated for a single request, so there is a chance that the forged packet wins the race and the legitimate packet arrives last.
Since the cloned traffic does not always reach the end user before the legitimate one, the injected traffic is harder to detect.
But a careful analysis with netsniff-ng would pick out the fake packets.
2) HTTP Injection
HTTP is a stateless client-server protocol that uses TCP as its transport. Because TCP accepts the first packet it receives for a given position in the stream and discards the second, there is a chance that the fake packet is accepted in the first place if an injection has taken place.
In that case, the user may receive a response with HTTP status code 302 (Redirection) instead of HTTP status code 200 (OK) and be re-routed to other, illegitimate links.
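As an added example (not code from the research paper or this article), here is a small Python detector for the race described in both injection methods above: it scans captured HTTP response segments for two conflicting payloads at the same TCP sequence number, which is what a cloned-and-modified response looks like on the wire, and reports which of the two the client's TCP stack would have accepted. The Segment class and the sample capture are constructed for the illustration; a real deployment would feed segments from a pcap parser.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """Minimal view of a captured TCP segment carrying an HTTP response."""
    src: str        # server ip:port
    dst: str        # client ip:port
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL observed at the capture point
    payload: bytes

def status_line(seg):
    """First line of the HTTP response, e.g. 'HTTP/1.1 302 Found'."""
    return seg.payload.split(b"\r\n", 1)[0].decode(errors="replace")

def find_injection_candidates(segments):
    """One alert per (flow, seq) position that carried two conflicting payloads.
    A genuine retransmission repeats the same bytes (or a prefix of them); two
    different payloads at one sequence number mean two responses raced for a
    single request, which is the out-of-band injection pattern."""
    first_seen, alerts = {}, []
    for seg in segments:
        key = (seg.src, seg.dst, seg.seq)
        first = first_seen.setdefault(key, seg)
        if first is seg:
            continue                      # first segment seen at this position
        a, b = first.payload, seg.payload
        if a.startswith(b) or b.startswith(a):
            continue                      # retransmission/coalescing, not injection
        alerts.append({
            "flow": f"{seg.src}->{seg.dst}",
            "seq": seg.seq,
            "first": status_line(first),  # what the client's TCP stack accepted
            "second": status_line(seg),   # what it discarded as a duplicate
            "ttl_delta": abs(first.ttl - seg.ttl),  # injector sits at another hop
        })
    return alerts

# Constructed sample capture: on the first flow a forged 302 wins the race
# against the real 200; the second flow is an ordinary retransmission.
SAMPLE = [
    Segment("203.0.113.10:80", "198.51.100.7:51000", 1001, 57,
            b"HTTP/1.1 302 Found\r\nLocation: http://ads.invalid/\r\n\r\n"),
    Segment("203.0.113.10:80", "198.51.100.7:51000", 1001, 50,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"),
    Segment("203.0.113.20:80", "198.51.100.7:51001", 2001, 50,
            b"HTTP/1.1 200 OK\r\n\r\nhello"),
    Segment("203.0.113.20:80", "198.51.100.7:51001", 2001, 50,
            b"HTTP/1.1 200 OK\r\n\r\nhello"),
]
```

Running `find_injection_candidates(SAMPLE)` yields a single alert for the first flow, with the 302 recorded as the accepted response and a TTL gap of 7 hops between the two senders; the retransmission on the second flow is correctly ignored.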
Motive Behind the Attack
Both the advertising agencies and the ISPs benefit from redirecting users’ traffic to the corresponding sites.
This practice increases advertisement revenue and other profits for advertisers and ISPs.
During their research, the researchers logged massive amounts of Web traffic and detected around 400 injection incidents based on this technique.
Most of these events involved ISPs in China and Far East countries, even when the traffic originated from Western countries, meaning a German user accessing a website hosted in China is also susceptible to having his or her traffic injected with ads or malware.
How to Mitigate?
Since the companies that engage in such practices are edge ISPs (the final network providers that connect users to the Internet), users can change their Internet provider.
However, the simplest way to combat this issue is for website operators to support HTTPS for their services, as all the websites that infect users are served without SSL/TLS.
The sites that serve the malicious URLs are not protected by SSL/TLS, which leaves them open to this kind of tampering.
Therefore, using HTTPS-based websites would block such attacks, so users are advised to stick to SSL sites (such as this one: http://marygreeley.com).
Delivering illegitimate content, or redirecting the crowd to rake in cash, will end up eroding public trust in these technologies.
Credit – thehackernews