Advertising Practices Endanger Internet Users
Posted by Laureli Mallek
Several major ISPs are substituting ad pages for the error messages normally displayed when users navigate to nonexistent subdomains. Ryan Singel writes in Wired that:
“The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain webmale doesn’t exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it’s the official Google site.”
Within this system, when a user tries to locate a nonexistent subdomain of a real website, the title of the browser page changes to correspond with the searched-for site. By signaling that the user has reached a subdomain of the target website, ISPs create a potentially dangerous situation. It is possible that nefarious actors could combine fake subdomains with active spamming campaigns to draw users to links and badware camouflaged by a legitimate website’s branding.
Dan Kaminsky, a security researcher at IOActive, initially reported the problem. He says that even after the vulnerabilities with advertisers were patched, the loophole remains dangerous because it allows ISPs (Kaminsky cites Earthlink, Verizon, Time Warner, Comcast and Qwest) to subvert the DNS system map in order to monetize those nonexistent subdomains. Since 2006, Earthlink has intercepted the non-existing domain response, sending it to its advertising partner (Barefruit), and then serving a page of suggestions and ads. While the company claims this action enhances the user experience, it exposes users to third-party content which may not be held to a high level of security scrutiny.
Katherine Noyes at TechNewsWorld writes that Kaminsky does not see a technical way to fix this problem until ISPs, and others, are forced through legal means to stop spoofing subdomains: “It’s someone else’s domain, someone else’s property.”
Paul Vixie, president of the nonprofit Internet Systems Consortium, believes the problem correlates to ISPs’ desire for increasing monetization of their users’ browsing without necessary regard for security. Speaking with TechNewsWorld, he said, “The only reason this one wasn’t dangerous is that the discoverer was a good person.”
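A resolver-side check for the interception described above, as an added example that is not part of the original post: it looks up random labels under a parent domain and reports whether the resolver answers them instead of returning a non-existent-domain error. The function names and the 203.0.113.10 sample address are constructed for illustration, and the check assumes the parent domain has no wildcard DNS record of its own, since a wildcard would answer the same way.

```python
import secrets
import socket


def system_resolve(name):
    """Resolve via the OS-configured resolver; [] means no answer (e.g. NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_nxdomain_rewriting(parent, resolve=system_resolve, probes=3):
    """Look up random labels under `parent` that should not exist.

    Verdicts: "clean" (none answered), "rewritten" (all answered and share
    at least one address, i.e. one landing server sits behind every typo),
    "inconclusive" (anything else, e.g. transient failures).
    """
    answered = {}
    for _ in range(probes):
        name = f"nx-{secrets.token_hex(8)}.{parent}"
        ips = resolve(name)
        if ips:
            answered[name] = ips
    shared = set.intersection(*map(set, answered.values())) if answered else set()
    if not answered:
        verdict = "clean"
    elif len(answered) == probes and shared:
        verdict = "rewritten"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "answered": answered, "landing_ips": sorted(shared)}


if __name__ == "__main__":
    # Constructed stand-in for an ad-serving resolver: every name "exists".
    def rewriting_resolver(name):
        return ["203.0.113.10"]  # documentation-range address, not a real server

    print(probe_nxdomain_rewriting("example.com", resolve=rewriting_resolver))
    # To test the resolver this machine actually uses, drop the resolve= argument.
```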
Additional Coverage
Brian Krebs posted a new piece with additional information on his Washington Post blog, Security Fix, on March 30th.
Happy hunting!
