Friday, March 29, 2013

ISP Advertisement Injection - CMA Communications

Apple Inc. endorsing H&R Block with a beautiful bright green banner ad, compliments of CMA Communications.

Tired from the day’s events and travel, I had planned to quickly look up the specifications of a Mac Mini, respond to a few emails and then get some sleep. But as Apple.com rendered in my browser, I realized I was in for a long night. What I saw was something that would make both designers and computer programmers wince with great displeasure. At the bottom of the carefully designed white and grey webpage appeared a bright neon green banner advertisement proclaiming: “File For Free Online, H&R Block”. I quickly deduced that either Apple had entered into the worst cross-promotional deal ever, or my computer was infected with some type of malware. Unfortunately, I would soon discover there was a third possibility, something much worse.

Assuming I had somehow managed to install malware on my MacBook Pro, running OS X, I quickly turned off the wifi connection and began to investigate. I was visiting my parents for spring break, so I moved to one of their computers to run internet searches while I examined the evidence on my Mac. Opening Chrome, I was directed to Bing.com. I laughed to myself briefly, thinking: “who uses Bing?”, and then realized I was a computer science grad student who had managed to get malware on a Mac, so I wasn’t in a position to judge. But, just as I was about to navigate to Google, I noticed something familiar. At the bottom of Bing.com, there it sat: a banner advertisement in orange and white for AT&T Wireless. It was identical in positioning and size to the one on my Mac.

Bing sporting a classy AT&T Wireless Ad, courtesy of CMA Communications
I pulled out my phone, which runs an Android operating system, and navigated this time to Yahoo.com. At the bottom of the page: a misplaced banner ad which matched the proportions of the others. I am not great at statistics, but I was fairly certain the probability of identical malware on all of these devices was low. So I moved on to the one thing these devices all shared: the same wireless network.

I turned off wifi on my phone and refreshed the Yahoo.com page. This time no banner ad. I refreshed a few more times and checked a few other sites; all was well. As soon as the phone was back on wifi, the banner ads appeared again. I had found the source. I pulled up the web inspector in Chrome and examined the source of a page which had the ad. Appended to the very end of the page’s HTML was a single line that loaded a JavaScript file from r66t.com.

This small line of code, added by CMA Communications, wreaks havoc on most websites.

I investigated further and realized that the JavaScript file would not only place banner ads at the bottom of pages, but also replace existing advertisements on the page with new advertisements (sometimes even for a competing product). This was an aggressive move by someone, but who?
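As an added illustration (not code from the post), here is a small tripwire of the kind one could run to spot this: it parses a reference copy of a page and the copy received through the ISP, reports any script or iframe resource present only in the received copy, and lists script hosts outside a first-party allow-list. The sample HTML is constructed; r66t.com is the host named in the post, while www.example.com and ads.example.com are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a trimmed page as the site itself serves it (reference copy).
REFERENCE_HTML = """<!DOCTYPE html>
<html><head><title>Example Store</title>
<script src="https://www.example.com/js/site.js"></script></head>
<body><h1>Example Store</h1>
<div id="ad"><script src="https://ads.example.com/slot.js"></script></div>
</body></html>
"""

# The same page as it arrived through the ISP's proxy: one <script> tag appended
# after </html>, modelled on the injection described in the post (constructed).
RECEIVED_HTML = REFERENCE_HTML + '<script src="http://r66t.com/inject.js"></script>\n'

# Placeholder allow-list of hosts the site owner expects to serve scripts from.
FIRST_PARTY_HOSTS = {"www.example.com", "ads.example.com"}


class ResourceCollector(HTMLParser):
    """Collects the src of every <script> and <iframe> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.resources.append((tag, src))


def collect_resources(html):
    """Return [(tag, src), ...] for all script/iframe resources in the HTML."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    return parser.resources


def injected_resources(received_html, reference_html):
    """Tripwire: resources in the received copy that the reference copy lacks."""
    expected = set(collect_resources(reference_html))
    return [r for r in collect_resources(received_html) if r not in expected]


def foreign_script_hosts(html, first_party_hosts):
    """Hosts serving scripts that are not in the first-party allow-list."""
    hosts = []
    for tag, src in collect_resources(html):
        host = urlparse(src).hostname
        if tag == "script" and host and host not in first_party_hosts and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for tag, src in injected_resources(RECEIVED_HTML, REFERENCE_HTML):
        print("injected %s: %s" % (tag, src))
    print("foreign script hosts:", foreign_script_hosts(RECEIVED_HTML, FIRST_PARTY_HOSTS))
```

The reference copy has to come over a path the proxy cannot touch (a VPN, a mobile connection, or HTTPS), otherwise both copies carry the same injection and the diff is empty; the allow-list check still works on a single copy.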

What's that Huffington Post? You sold ad space on your site? So did we! - CMA Communications

I needed to rule out that my parents’ router had somehow been compromised to modify websites. I hadn’t ever seen router malware in the wild, but I supposed with some effort it would be possible. First though, I ran a traceroute to see the route my internet requests were taking. There it was: an extra stop at a private IP address. I was soon able to show that HTTP internet traffic was being routed through a Squid proxy server.
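An added example (not from the post) of the two checks this paragraph describes, run on constructed data: parsing traceroute output for private addresses beyond the customer's own gateway, and looking for the `Via` and `X-Cache` response headers that a default Squid install adds to proxied responses. The traceroute text, hop addresses and header values are constructed; only the Squid header names are real.

```python
import ipaddress
import re

# Constructed traceroute output modelled on the post's observation: the home
# router (hop 1) is expected on a private address, but hop 2 is a second
# private address sitting in front of the ISP's public network.
TRACEROUTE_OUTPUT = """traceroute to www.example.com (198.51.100.10), 64 hops max
 1  192.168.1.1 (192.168.1.1)  1.212 ms  0.987 ms  0.911 ms
 2  10.0.5.20 (10.0.5.20)  8.401 ms  8.102 ms  7.998 ms
 3  * * *
 4  203.0.113.1 (203.0.113.1)  12.551 ms  12.004 ms  11.873 ms
 5  198.51.100.10 (198.51.100.10)  20.112 ms  19.876 ms  20.031 ms
"""

# Constructed response headers of the kind a default Squid adds (hostname is a placeholder).
PROXIED_HEADERS = {
    "Content-Type": "text/html",
    "Via": "1.1 cache01.isp.example (squid/3.1.19)",
    "X-Cache": "MISS from cache01.isp.example",
}
DIRECT_HEADERS = {"Content-Type": "text/html", "Server": "Apache"}

# Only the RFC 1918 ranges count as "private" here; ipaddress.is_private also
# matches documentation ranges such as 203.0.113.0/24, which we do not want.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# hop number, then hostname, then the address in parentheses
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)")


def parse_traceroute(text):
    """Return [(hop_number, ip)] for hops that answered; '* * *' hops are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def unexpected_private_hops(hops):
    """Private addresses after hop 1 (hop 1 is the customer's own gateway)."""
    return [(n, ip) for n, ip in hops if n > 1 and is_rfc1918(ip)]


def proxy_evidence(headers):
    """Header values that point at a Squid cache in the path, if any."""
    lowered = {k.lower(): v for k, v in headers.items()}
    evidence = []
    if "squid" in lowered.get("via", "").lower():
        evidence.append("Via: " + lowered["via"])
    if "x-cache" in lowered:
        evidence.append("X-Cache: " + lowered["x-cache"])
    return evidence


if __name__ == "__main__":
    print("suspicious hops:", unexpected_private_hops(parse_traceroute(TRACEROUTE_OUTPUT)))
    print("proxied:", proxy_evidence(PROXIED_HEADERS))
    print("direct:", proxy_evidence(DIRECT_HEADERS))
```

An operator can suppress these headers, and some ISPs legitimately run caches, so an empty result does not prove the absence of a proxy; the tripwire comparison of page content is the stronger test.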

A small tag that lets us know what CMA Communications is up to.

The proxy server had been set up by a company, R66T, that specializes in a few things, one being advertisement injection into webpages. I was soon able to confirm with one other person (via Reddit) using the same internet service provider that they were seeing the uninvited advertisements too. It was apparent at this point that my parents’ ISP, CMA Communications, had started injecting advertisements into websites requested by their customers. I felt dissatisfied to say the least. So I spun into damage control mode, blocking all R66T-owned domains on our network and preparing for battle the next day.

You might not be surprised to know that CMA Communications won’t confirm or deny that they are injecting advertisements into their customers’ web traffic. You also could probably guess that there aren’t any regulatory agencies that care either and that a complaint to the Better Business Bureau is not an effective remedy to the situation. Nor does the Electronic Frontier Foundation have resources or desire to assist in a case like this. But, I think there are some entities who should care. Who? How about Apple or Microsoft? It is their trademarks and brands which are being tarnished by this scheme. When a naive user sees a bright green banner ad on an otherwise pristine Apple.com, they do not understand that Apple is not responsible for the content. After all, Apple must be endorsing H&R Block, as it’s right there on their website, with their logo next to it.

Target's color scheme actually fits the Verizon ad placed by CMA Communications
For those of you who are still skeptical of this situation: suppose I started an advertising company based around the idea of putting one company’s ad next to another company’s logo, without their agreement. To take it further, suppose I started a service which opened people’s mail before it got to them, carefully replaced all the advertisements inside with different ones, and then sealed it back up and delivered it as if the original sender intended for it to be that way. I would probably go to jail for something like this. So why is CMA Communications allowed to perform a similar process in the digital world, without consequence?

Oh, you sold ad space to Allstate? Here, let me cover that with our Progressive Ad. - CMA Communications

I would urge anyone who may be in a similar situation to file complaints, and let your voice be heard. If CMA Communications succeeds at this venture, it is certain that more ISPs will join in.

UPDATE: For the super curious, here's a zip file of many more affected sites, as well as the BBB complaint info and the FCC complaint and response. Download it at: https://zmhenkel.com/CMAInjection.zip

Below are screenshots of a couple more of the many websites that are being actively modified by CMA Communications:

Amazon.com, ads by CMA Communications
LinkedIn proudly endorses Verizon. Thanks CMA Communications!



49 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. I bet you anything ISPs will start charging extra fees to not have their ads in our connections.

    However, if they offered a cheaper internet connection or made it free, as long as you had the ads, then sure!

    This, however, for a paid product, is unacceptable.

    ReplyDelete
    Replies
    1. You pay for the ads on your cable tv...

      Delete
    2. You assume Tiago has cable TV. I don't have cable TV, instead I watch TV in a web browser.

      Delete
    3. I wish they were never there, especially with the money people pay to cable providers.

      Delete
    4. > I bet you anything ISPs will start charging extra fees to not
      > have their ads in our connections.

      Free.fr unilaterally blocked ads for free: http://www.economist.com/news/business/21569414-xavier-niel-playing-rough-internet-giant-france-v-google - it was part of a peering costs brinkmanship controversy with Google and it is now opt-in, but it is still available and still free!

      Delete
    5. Ads on television are inserted into slots that are agreed upon by the channel. This is like the cable company breaking in and putting ads atop the shows and other ads themselves. It's basically a breach of contract.

      Delete
    6. Yes, it would be better if there were no ads in your cable TV as well as in your internet connection.

      Delete
  3. While I'm sure the traceroute screams it, have you tried bypassing your router and connecting your computer directly? Just to make sure that it really isn't your router and that someone just didn't flash DD-WRT and enabled hotspot advertising or something. (veeery unlikely, but why not)

    DMZ should be cool too.

    ReplyDelete
    Replies
    1. He covered that he ruled out router malware in the article, "I needed to rule out that my parent’s router hadn’t somehow been compromised to modify websites. I hadn’t ever seen router malware in the wild, but I supposed with some effort it would be possible."

      Delete
    2. It seemed to me that the way he ruled out the router was by running the traceroute and discovering the squid server. In theory router malware could alter traceroute traffic to spoof the squid server, although it's doubtful that it would have gone to that trouble, especially when there would be so many other ways of discovering the truth that it'd have to block as well.

      Delete
  4. Once HTTPS becomes the default standard, then ad injection won't be possible.
    At least until a MITM attack occurs with a compromised certificate...

    ReplyDelete
    Replies
    1. You can have a mix of HTTP and HTTPS content on a page, so it does not make it impossible. Most browsers these days warn the user that some "content on the page is not secure," meaning that it was not delivered over HTTPS, but it does not block it unless the user acknowledges they only want to see secured content.

      Delete
    2. Also, they can get around that by delivering the ads over HTTPS. In that case you don't even see the warning.

      Delete
    3. ISPs could already do this easily with sslstrip.

      Delete
    4. But you could not modify the contents of the page to add the script tag, so this would prevent this "attack". If the ISP is using "sslstrip" that's a huge other issue.

      Delete
    5. Also sslstrip can only work if you redirect or link to what would have been HTTPS. If you browse directly to https the proxy will not be able to modify any of the traffic.

      Delete
    6. SSL is end-to-end encryption (unless of course you compromise a certificate as stated above). The content in a page running over HTTP is over HTTP; that doesn't affect the end-to-end encryption of the content on the rest of the page. You don't understand how HTTPS works if you think you can simply get around this by "running ads over HTTPS".

      Delete
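The thread above turns on whether HTTPS closes the hole, and on the downgrade trick mentioned (sslstrip only has the plain-HTTP request that precedes a redirect or link to HTTPS to work with). As an added example, not part of any comment, here is a site-side audit a defender can run against a site's own responses: it checks whether the plain-HTTP request is redirected to HTTPS, and whether the HTTPS response carries a Strict-Transport-Security header, which browsers honour only when received over TLS and which stops them from sending plain HTTP to that host again for max-age seconds. All responses are constructed; www.example.com is a placeholder.

```python
from urllib.parse import urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed (status, headers) pairs for http://www.example.com/ requested over
# plain HTTP and over TLS. None of these describe a real site's behaviour.
SCENARIOS = {
    # the whole page travels in the clear: anything in the path can append a script tag
    "plain_http_only": ((200, {"Content-Type": "text/html"}),
                        (200, {"Content-Type": "text/html"})),
    # redirect to HTTPS but no HSTS: the first request of every visit is still in the clear
    "redirect_only": ((301, {"Location": "https://www.example.com/"}),
                      (200, {"Content-Type": "text/html"})),
    # redirect plus HSTS over TLS: after the first visit the browser never sends plain HTTP
    "redirect_hsts": ((301, {"Location": "https://www.example.com/"}),
                      (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})),
    # HSTS sent only over HTTP is ignored by browsers, so it protects nothing
    "hsts_over_http_only": ((200, {"Strict-Transport-Security": "max-age=31536000"}),
                            (200, {"Content-Type": "text/html"})),
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and val.strip().isdigit():
            max_age = int(val.strip())
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def audit_downgrade_exposure(http_response, https_response):
    """Summarise how exposed a site is to in-path modification and downgrade.

    http_response / https_response are (status, headers) for the same URL
    requested over plain HTTP and over TLS respectively."""
    http_status, http_headers = http_response
    https_status, https_headers = https_response
    hh, sh = _lower(http_headers), _lower(https_headers)
    location = urlparse(hh.get("location", ""))
    redirects = http_status in REDIRECT_STATUSES and location.scheme == "https"
    # HSTS is only honoured when received over HTTPS, so only the TLS response counts.
    max_age, _ = parse_hsts(sh.get("strict-transport-security", ""))
    return {
        "plain_http_served": http_status == 200,
        "redirects_to_https": redirects,
        "hsts_pins_https": https_status == 200 and bool(max_age),
    }


if __name__ == "__main__":
    for name, (http_resp, https_resp) in SCENARIOS.items():
        print(name, audit_downgrade_exposure(http_resp, https_resp))
```

The very first visit from a browser that has never seen the HSTS header is still made over plain HTTP, which is the window the downgrade comment describes; HSTS preloading closes that too, but it is not checked here.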
  5. Can you change the DNS servers you are using to see if the problem persists? If that's the case, then this is a very serious implication. I would try contacting the webmasters of these websites to let them know their ads are being replaced/augmented.

    I'm sure Amazon, Apple, Huffpo, etc. would be none too pleased to find out about this.

    ReplyDelete
  6. Technically, this looks like copyright violation. People who inject ads into a page are creating a derived work without permission of the rights holders. I'm sure Apple didn't okay that addition to their HTML.

    It would be interesting to see a lawsuit along those lines.

    ReplyDelete
    Replies
    1. CMA isn't technically modifying Apple's source code so I don't think they would have a claim. The HTML is being intercepted and modified between the source servers and the time it gets to your browser; who "owns" that data as it's transmitted over the internet is up for discussion.

      Delete
    2. "CMA isn't technically modifying Apple's source code so I don't think they would have a claim. The [source code] is being intercepted and modified..." (・_・)

      Delete
  7. nice work dude! and good to know, I'm sure utilities will soon be in place to work around this nonsense.

    ReplyDelete
  8. What a surprise, CMA is a division of Etan Industries. They are described thusly: "Etan Industries, Inc., doing business as Credit Protection Association, LP, provides collection services to customers."

    I'm always impressed at the lengths a collection agency will go to in order to make a dime. This sounds right down their alley.

    ReplyDelete
  9. How did you block the R66T domains? Little Snitch?

    ReplyDelete
  10. A quick story related to your analogies at the end:

    Recently GameStop was opening new games, taking out the manufacturer's included coupons (which, if I understand correctly were in direct competition with GameStop or some related store), then selling the game as NEW.

    There was an uproar about it, but it was probably quickly forgotten. It just compares closely to your "what if I opened mail, added stuff, then resent it" analogy.

    ReplyDelete
  11. What would you do if your browser started putting ads in their window based on the URL? You would stop using that browser and get one that didn't (or contribute your time/money to an open source one that didn't etc.)

    I think the only solution here is education (thanks for this blog post now everyone share it) and lots of people getting a new ISP.

    I think the real issue here is that it isn't clear what is even happening to most CMA customers so it is a form of Fraud.

    If I could get free broadband in exchange for looking at banner ads then I'd gladly use that ISP but it needs to be fully disclosed and properly communicated that is what they are doing.

    P.S. you could probably make a firefox plugin to easily hide the CMA frame or make it invisible...

    ReplyDelete
  12. Texas, Louisiana, Mississippi and Nevada are low-regulatory-power states and CMA serves smaller cities with even less regulatory and bargaining power. You may want to try other avenues for relief.

    Locally, small claims court, one of your local district attorneys (I'm sure local government and the judicial system are having their pages rewritten without consent, including confidential matters), your mayor (contracts with cable companies need city permission for renewal), and the local television and newspapers. You may also have a state consumer affairs office.

    On the national stage you can look to the Federal Trade Commission (ad injection may be anti-competitive) and the Federal Communications Commission (this likely violates some of their net neutrality principles).

    You may also consider rallying those who've been harmed economically by this: advertisers and the companies that serve them. Amazon, Google, et al lose when a company interferes with their ad revenue.

    Good luck. - Phil

    ReplyDelete
  13. Put together a list of all the people paying for the advertising. Post that list here, on reddit, as many places as possible. Encourage people to call those businesses and criticize them for taking part in this and promise to stop using their product. This will accomplish 2 things. One, it will cut off the ISP's source of revenue. And two, it will cause these businesses to think a bit more about their advertising practices. While we are at it, we should do the same thing with the FOX network. (:

    ReplyDelete
  14. This comment has been removed by the author.

    ReplyDelete
  15. Um, is this only the case when using CMA's DNS servers? Or does it show ads when using any DNS servers besides theirs?

    ReplyDelete
  16. Nice find, and sad to see this practice is still in use. We did a similar study at UW in 2008 and found 1% of clients were affected, with some ugly consequences (e.g., sometimes the in-flight changes introduced XSS vulnerabilities).
    http://www.cs.washington.edu/research/security/web-tripwire/nsdi-2008.pdf

    ReplyDelete
  17. There should be some network of open VPNs that people could use, which would be entirely encrypted, so the ISP won't know what the hell is going on there. That's how I use the internet on my cellphone btw. - There is no simple way around this sort of practice, but there is a simple way to get them out of business.

    Make this stuff public and have the huge corporation, whose websites are being raped and those of ads of advertisers, that you love so dearly, do the hard work. Ads are expensive, and if some piece of software just replaces an ad, which has been paid for, I would even call it stealing.

    Imagine the commercials during the superbowl being replaced by your broadcasting service. I'm sure you don't like the actual commercial that is being shown, either. But imagine Budweiser paying millions of dollars for 30 seconds of airtime, and the broadcasting company thinking to themselves 'Hey, we could just make a lot of money with that... we're showing the superbowl, right? Let's just have OUR viewers see something else and sell this ad for $50.000 to THEM. Nobody will even notice! They will be just seeing OUR commercial instead. And we didn't spend a time and we didn't deliver ANY creative content. We just STOLE what makes this content possible in the first place...'

    I'm gonna start placing bets on who is gonna be the first one to sue them :) My money's on Apple :)

    ReplyDelete
  18. Interesting -- r66t.com isn't in the two most used Adblock Plus filters!

    ReplyDelete
  19. I'm one of the authors of the original UW Web Tripwires work, and also one of the primary developers of Netalyzr. If you are affected, please contact me (nweaver AT icsi.berkeley.edu), we may be able to detect where in the network the actual JavaScript injector is located.

    ReplyDelete