How a banner ad for H&R Block appeared on apple.com—without Apple’s OK
Source: Ars Technica
Robert Silvie returned to his parents' home for a Mardi Gras visit this year and immediately noticed something strange: common websites like those belonging to Apple, Walmart, Target, Bing, and eBay were displaying unusual ads. Silvie knew that Bing, for instance, didn't run commodity banner ads along the bottom of its pristine home page—and yet, there they were. Somewhere between Silvie's computer and the Bing servers, something was injecting ads into the data passing through the tubes. Were his parents suffering from some kind of ad-serving malware infection? And if so, what else might the malware be watching—or stealing?
Around the same time, computer science PhD student Zack Henkel also returned to his parents' home for a spring break visit. After several hours of traveling, Henkel settled in with his computer to look up the specs for a Mac mini before bedtime. And then he saw the ads. On his personal blog, Henkel described the moment:
But as Apple.com rendered in my browser, I realized I was in for a long night. What I saw was something that would make both designers and computer programmers wince with great displeasure. At the bottom of the carefully designed white and grey webpage, appeared a bright neon green banner advertisement proclaiming: “File For Free Online, H&R Block.” I quickly deduced that either Apple had entered in to the worst cross-promotional deal ever, or my computer was infected with some type of malware. Unfortunately, I would soon discover there was a third possibility, something much worse.
The ads unnerved both Silvie and Henkel, though neither set of parents had really noticed the issue. Silvie's parents "mostly use Facebook and their employers' e-mail," Silvie told me, and both those services use encrypted HTTPS connections—which are much harder to interfere with in transit. His parents probably saw no ads, therefore, and Silvie didn't bring it up because "I didn't want [them] to worry about it or ask me a lot of questions."
Henkel's parents had noticed the ads but assumed that companies like Apple and Walmart had put them there on purpose. "They were very surprised" to find out the truth, Henkel told me.
Neither Silvie nor Henkel was going to let a mystery like this go unsolved. Each embarked on a separate investigation, and each came to the same conclusion: their parents' Internet provider was somehow involved in slapping ads onto webpages as they moved over the network.
Paging Sherlock
Both homes subscribed to Internet access from CMA Communications, a rural cable TV, Internet, and phone provider serving southern states like Texas and Louisiana. (CMA is owned by ETAN Industries; according to Bloomberg Businessweek, ETAN does business as "Credit Protection Association, LP" and "provides collection services.") But it was possible that CMA wasn't involved with the ads; locally installed adware might have been responsible, or the two sets of parents might have had their routers infected by a rare breed of malware.
To rule out the various options, Henkel isolated each link in the chain between his devices and the remote Web servers he was contacting. After seeing the ads appear on multiple websites, Henkel switched to his Android-powered phone to see if some kind of malware was affecting his personal Mac; the ads also appeared on the phone. He accessed websites from a Surface tablet; the ads were there. "I am not great at statistics, but I was fairly certain the probability of identical malware on all of these devices was low," he wrote on his blog.
He turned off Wi-Fi on his phone in order to force its data connection to route through the separate cellular network; the ads went away. He turned Wi-Fi back on and the ads reappeared. Local malware wasn't causing them, and they didn't exist when accessed through a different network, so they certainly weren't meant to be on the sites at all. The ads appeared to be injected either by his parents' router or by their ISP.
"I pulled up the Web inspector in Chrome and examined the source of a page which had the ad," Henkel wrote. "Appended to the very end of the HTML file for the webpage was a single line which called to r66t.com for a JavaScript file."
That single line of code read and appeared to be the source of the issue. And it turned out that the R66T code didn't just add banner ads to sites that had none; it even overwrote its own ads onto high profile sites like the Huffington Post, which had plenty of ads of their own.
To see if his parents' router had somehow been compromised, Henkel plugged in a spare router and ran his connection through it. Same result. He then ran a series of traceroutes to see every hop his packets took on the way to sites like Bing.com. He was able to compare the results to traceroutes he had run before, since "poor performance has been a recurring issue" with the connection, he said. He found an extra hop in the connections now, one that passed Web requests through a Squid proxy server run by R66T, where they were apparently altered to include the extra ad code.
"Wow, this is really wrong and crazy," Henkel told me, since it suggested that companies felt free to operate as a "man in the middle," one free to inject code of their own choosing into webpage requests that were—so users believed—simply between themselves and the websites they were trying to reach.
Silvie had a similar reaction. He used the traffic inspection tool Fiddler to examine his packets and "saw that the ads were coming from r66t.com only when the website was not being served over [the encrypted] HTTPS," he told me. But who or what was R66T?
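The two manual checks described above, Henkel's look at the tail of the HTML in the Chrome web inspector and Silvie's observation in Fiddler that the ad script showed up only when a page was served over plain HTTP, can be automated. The following is an added example written for this page, not code from Ars Technica, Henkel or Silvie; the page HTML, the store hostnames and the CDN allow-list are constructed for the demonstration, and the injected tag is modelled on the article's description (a script tag appended after the end of the document, pointing at r66t.com) rather than copied from any real response.

```python
"""Flag third-party script tags that a network intermediary may have injected.

Two checks, mirroring the investigation in the article:
  1. find_foreign_scripts: list <script src=...> tags whose host is neither the
     page's own host nor an allow-listed CDN, and note whether the tag sits
     after the closing </html> (a telltale of something appended in transit).
  2. scripts_only_over_http: diff the script sources of the same page fetched
     over plain HTTP and over HTTPS; an in-path injector cannot modify the
     HTTPS body, so anything present only in the HTTP copy is suspect.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _ScriptCollector(HTMLParser):
    """Collect (src, seen_after_html_close) for every external script tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append((src, self.html_closed))

    def handle_endtag(self, tag):
        if tag == "html":
            # HTMLParser is a tokenizer, not a tree builder, so tags that
            # follow </html> are still reported to handle_starttag.
            self.html_closed = True


def _script_sources(body):
    collector = _ScriptCollector()
    collector.feed(body)
    collector.close()
    return collector.scripts


def find_foreign_scripts(page_url, body, allowed_hosts=()):
    """Return scripts loaded from hosts other than the page's own (or an
    explicit allow-list), each with the host and whether it trails </html>."""
    page_host = urlparse(page_url).hostname
    allowed = {page_host, *allowed_hosts}
    findings = []
    for src, after_close in _script_sources(body):
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(page_url, src)).hostname
        if host not in allowed:
            findings.append({"src": src, "host": host, "after_html_close": after_close})
    return findings


def scripts_only_over_http(http_body, https_body):
    """Script sources present in the plain-HTTP response but not the HTTPS one."""
    http_srcs = {src for src, _ in _script_sources(http_body)}
    https_srcs = {src for src, _ in _script_sources(https_body)}
    return sorted(http_srcs - https_srcs)


# Constructed sample: a store page as served over HTTPS (hostnames are made up).
PAGE_URL = "http://www.example-store.com/"
CDN_HOSTS = ("cdn.example-store.com",)
CLEAN_PAGE = """<!DOCTYPE html>
<html><head><title>Store</title>
<script src="/js/app.js"></script>
<script src="https://cdn.example-store.com/lib.js"></script>
</head><body><h1>Mac mini</h1></body></html>
"""
# Constructed sample: the same page as it might arrive over plain HTTP through
# an injecting proxy, with one script tag appended after the closing </html>.
INJECTED_PAGE = CLEAN_PAGE + '<script src="http://r66t.com/ad.js"></script>\n'

if __name__ == "__main__":
    print("clean page:", find_foreign_scripts(PAGE_URL, CLEAN_PAGE, CDN_HOSTS))
    print("http page:", find_foreign_scripts(PAGE_URL, INJECTED_PAGE, CDN_HOSTS))
    print("http-only scripts:", scripts_only_over_http(INJECTED_PAGE, CLEAN_PAGE))
```

In practice you would feed the two functions the bodies of a real HTTP and HTTPS fetch of the same URL; the allow-list exists because legitimate sites load scripts from their own CDNs and ad networks, so a foreign host alone is only a lead, while a foreign host that trails `</html>` and disappears over HTTPS is the pattern the two investigators saw.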