Chinese ISPs Caught Injecting Ads and Malware in Their Network Traffic

Share this…

Most ISPs that engage in this practice are owned by two of Asia’s biggest network operators, both located in China.

Three researchers from Israel have conducted a study on the practice of content injection in network traffic, discovering that many Chinese-based ISPs are altering network packets to insert advertising and even malware, in some cases.

Many ISPs (Internet Service Providers) set up proxy servers through which they re-route their clients’ Web traffic. The technical reasons for employing something like this have to do with improving caching, compressing / transcoding content, but also injecting ISP-customized messages inside DNS and HTTP error messages.

During past years, previous research studies have shown that many ISPs around the world abuse this privilege and also alter their clients’ traffic by injecting ads inside the websites they visit.

Most of the time, the companies that engage in such practices are edge ISPs, meaning the final network providers that connect users to the Internet. In other words, only that company’s clients are affected. In these cases, users can change their Internet provider if they don’t agree, and the ISPs justify their actions via the contracts customers signed when they joined the network.

Core ISPs join the network packet injection party

In the research paper Website-Targeted False Content Injection by Network Operators, three Israeli researchers have discovered that this tactic has now expanded to core ISPs, the companies that interconnect edge ISPs with the rest of the ISPs around the globe.

According to the researchers, these ISPs have set up special servers that monitor traffic for specific URLs and move to alter it, even if the end users are not their customers.

While in the past ISPs modified network packages to inject ads, these ISPs use a different method. Instead, they clone the legitimate traffic, alter the clone, and send both packets to their destination. This scheme ensures that their injected traffic is harder to detect since the cloned traffic won’t always arrive at the end users before the legitimate one.

Researchers logged huge amounts of Web traffic and detected around 400 injection events based on this technique. As the researchers explain, most of these events happened with ISPs from China and Far East countries, even if the traffic originated from Western countries.

This means that a German user accessing a website hosted somewhere in China is susceptible to having their traffic injected with ads or malware.

Chinese ISPs are the biggest offenders

“The proportion of HTTP traffic destined to China in the monitored networks is only about 2%,” the researchers noted. “Seven injection groups are aimed at injecting advertisements to web pages. An analysis of the injected resources shows similarities between the various groups. These similarities might indicate that the injections are done by the same entity or at least by different entities that use the same injection mechanism or product.”

Even worse, five other groups showed indicators of cloning network traffic and injecting it with malicious code. This included redirections to known malicious websites and JavaScript files that forced users to download executables or appended malicious code to a website.

The researchers discovered 14 ISPs engaging in such actions, 10 in China, 2 in Malaysia, and 1 in India and the US. Most of the Chinese ISPs were owned by China Telecom and China Unicom, two of the largest network operators in Asia.

The simplest way to combat this practice is for website operators to support HTTPS for their services.

You can find more details on the research and its methodology on Cornell’s arXiv website. Below is a list of ISPs that the researchers caught red-handed.

ISPs that altered their traffic

ISPs that altered their traffic