Evidence my ISP may be making money from tracking its customers


tl;dr: My ISP, Access Media 3, has started injecting tracking scripts and cookies into unencrypted (plain HTTP) pages passing through its network, and is potentially making money from tracking its customers.

—————–

EDIT July 2014: AM3 got back to me and admitted that this is all true... and worse: they admitted to replacing ads from other ad networks with their own. Will have a follow-up blog post soon.

About a week ago I started noticing something strange. I was viewing YouTube and saw a white bar (pictured below) at the top of the page. I didn’t think much of it until I visited StackOverflow and saw the exact same white bar.

(Screenshot: white frame at the top of the page)

I opened the Chrome dev tools and found a few JavaScript errors:

(Screenshot: Chrome JavaScript console showing the errors)

Upon further inspection it turned out this 'random script' had been injected by a <script> tag in the page's <head>. I looked at some other sites and noticed the same script being inserted almost everywhere. Here is what it looks like:

```html
<script type="text/javascript"> var dot='.'; var setCookie='net';var gAnalytic='adsvc1107131';var IETest='rxg'; var v='ashx'; var R='ajs'; var gid='5d738f4aeccb49c39d3013cabc563f64'; </script>
<script type="text/javascript" src="http://rxg.adsvc1107131.net/ajs.ashx?t=1&amp;5d738f4aeccb49c39d3013cabc563f64" id="js-1006893410" data-loaded="true"></script>
```

Note that the innocuous-looking variable names in the first tag (setCookie, gAnalytic, IETest) are just the pieces of the loader URL in the second: IETest + dot + gAnalytic + dot + setCookie spells rxg.adsvc1107131.net, and R + dot + v spells ajs.ashx. The string "rxg" turns up again later.
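As an added illustration (this is not code from the original post), here is a small Python scanner that pulls every <script> out of an HTML page and flags the two tell-tale patterns above: an external script loaded from a host that is neither the page's own nor on an allow-list, and an inline stub consisting only of string-literal assignments whose pieces reassemble that external host's name. The sample page is constructed for the example: the two injected tags in it are copied verbatim from above, while the other two script tags, the page origin www.example.org and the allow-listed host cdn.example.com are made up.

```python
# Added example, not from the original post: find <script> tags that an
# in-path proxy may have spliced into a plain-HTTP page.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page. The first two <script> tags are the injected ones
# quoted in the post; the other two stand in for the page's own scripts.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript"> var dot='.'; var setCookie='net';var gAnalytic='adsvc1107131';var IETest='rxg'; var v='ashx'; var R='ajs'; var gid='5d738f4aeccb49c39d3013cabc563f64'; </script>
<script type="text/javascript" src="http://rxg.adsvc1107131.net/ajs.ashx?t=1&amp;5d738f4aeccb49c39d3013cabc563f64" id="js-1006893410" data-loaded="true"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body><p>hello</p></body></html>"""

# An inline script made only of  var name='literal';  statements: the loader stub.
STUB_RE = re.compile(r"^(\s*var\s+\w+\s*=\s*'[^']*'\s*;\s*)+$")
LITERAL_RE = re.compile(r"var\s+\w+\s*=\s*'([^']*)'")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")   # attribute values arrive unescaped
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def stub_literals(script_text):
    """String literals assigned in a loader stub, e.g. ['.', 'net', 'adsvc1107131', ...]."""
    return LITERAL_RE.findall(script_text)


def find_injected_scripts(html, page_origin, allowed_hosts=()):
    """Return a dict describing scripts that look injected.

    external:        scripts loaded from a host that is neither the page's own
                     host nor in allowed_hosts (relative URLs are first-party)
    stubs:           inline scripts consisting solely of string-literal assignments
    assembled_hosts: flagged hosts whose every DNS label occurs among the stub
                     literals, i.e. the stub exists to build that host name
    """
    collector = ScriptCollector()
    collector.feed(html)
    allowed = set(allowed_hosts) | {urlparse(page_origin).hostname}

    external = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host and host not in allowed:
            external.append(src)

    stubs = [s for s in collector.inline if STUB_RE.match(s)]
    literals = {lit for s in stubs for lit in stub_literals(s)}
    assembled = [
        urlparse(src).hostname
        for src in external
        if set(urlparse(src).hostname.split(".")) <= literals
    ]
    return {"external": external, "stubs": stubs, "assembled_hosts": assembled}


def scan_sample():
    """Run the scanner over the constructed sample page."""
    return find_injected_scripts(
        SAMPLE_PAGE, "http://www.example.org/", allowed_hosts=("cdn.example.com",)
    )


if __name__ == "__main__":
    for key, value in scan_sample().items():
        print(key, value)
```

The allow-list is the weak point of any such check: a page that legitimately pulls scripts from a dozen CDNs needs them listed, so in practice you run this over the same URL fetched through the suspect network and through a known-clean path and compare the two result sets rather than trusting either on its own.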

I realized that the only sites that weren't affected were those using https rather than http. This makes sense: an on-path box can read and rewrite plain HTTP, but it cannot alter the contents of a TLS session without a certificate the browser trusts, so HTTPS pages arrive as the server sent them.

The effect of this script was to add an iframe to YouTube and StackOverflow; other pages (including ones I've built myself) had no injected iframes, only the script tags in the <head>. My theory is that this is related to sites that serve ads, but I have not confirmed this.

Here is a gist of the iframe that was being injected into YouTube.

tl;dr: The iframe is coming from Ad-vantage Networks.

I did a whois on some of the domains where these scripts are being hosted and they pointed to Ad-vantage Networks too, or they were pretty obvious URLs like advn.net. I followed some of the URLs around and found an interesting open folder which stores a bunch of the JavaScript that Ad-vantage uses:

http://adsmws.advn.net/

I poked around on Google and found that Ad-vantage Networks is now known as MediaShift.

So who is injecting the code?

My initial thought was that it was just a simple Chrome extension, so I checked the site on Firefox and on my Nexus... same result. I plugged in an Ethernet cable to rule out my wireless router... same result: the same white bar at the top of YouTube. I switched my Nexus over to 3G and voila! The white bar disappeared. Something between my wall and YouTube was injecting this code.

I ran mtr to see if there were any suspicious hops that my packets were routing through and this was the result:

(Screenshot: mtr output)

Nothing out of the ordinary, at least to my untrained eye (I’m by no means a networks expert).

Plot twist time

Around the same time that I started seeing this injected code I was building a Node.js website and noticed a weird change in behavior. Usually when my node server was off and I accidentally hit its URL I received the standard Chrome "This webpage is not available" page. With no change on my part, I started seeing a different error page, shown below.

From:

(Screenshot: Chrome "This webpage is not available" error page)

To:

(Screenshot: Squid error page returned instead)

At the time I didn't think much of it at all. Now I believe it is the vital clue in this whole situation. But before figuring that out I did some more research into what MediaShift does. Here's a slide from their front page that was particularly interesting. Internet network providers, you say? I dug further into their site and found their list of partners.

The kicker

After looking through these providers for more info I found the final piece of the puzzle. RGNets.com's main product is the rXg box. Look back at that new error page I was seeing. Here is the fine print:

```text
Generated Sat, 04 Jan 2014 23:52:15 GMT by va-bbg-core-rxg2.am3wireless.com (squid/3.3.3)
```

Notice three interesting points:

  1. The machine appears to be an rXg made by RGNets.com (the hostname carries "rxg", the same string the injected stub uses to build its loader domain, rxg.adsvc1107131.net).
  2. It belongs to am3, Access Media 3, my ISP.
  3. It is a Squid proxy.

Squid's documentation lists this sort of capability, most notably the ability to "Add, remove, or modify an HTTP header field (e.g., Cookie)". Header manipulation alone does not explain <script> tags appearing inside the HTML body, though; that takes body rewriting, which Squid supports through its ICAP/eCAP content-adaptation interfaces and which a vendor product built on top of Squid can add. It also explains why mtr showed nothing unusual: a transparent proxy like this one intercepts TCP port 80 at an existing hop and never appears as an extra hop in an ICMP trace. The box is only visible at the HTTP layer, and that is exactly where the error page and the injected loader both point to "rxg" hardware sitting in the path of every unencrypted request.
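To make that fingerprint concrete, here is an added Python example (not code from the post, from RG Nets or from the Squid project) that pulls proxy identity out of the two places it leaks in this story: the Via, X-Cache and Server headers Squid is known to add to responses it handles, and the "Generated ... by host (squid/x.y.z)" footer on its error pages. The raw response below is constructed for the example around the footer line quoted above; the exact response am3's box sent is not on the page, so the header lines are an assumption about what a Squid error page typically carries. The live_probe function is the check I would actually run: against a host you control with nothing listening on port 80, a refused connection is the honest answer, and any HTTP response at all means something in the path answered on the origin's behalf.

```python
# Added example, not from the original post: fingerprint an in-path HTTP proxy
# from what it leaves in responses (Via / X-Cache / Server) and in the footer
# of its error pages.
import http.client
import re
import socket

# Constructed sample: a Squid error page as an rXg might return it when the
# origin is down. Only the "Generated ... by" line is quoted from the post;
# the header lines are assumed typical Squid output, not captured from am3.
SAMPLE_RESPONSE = (
    "HTTP/1.1 503 Service Unavailable\r\n"
    "Server: squid/3.3.3\r\n"
    "Mime-Version: 1.0\r\n"
    "Content-Type: text/html\r\n"
    "X-Squid-Error: ERR_CONNECT_FAIL 111\r\n"
    "Via: 1.1 va-bbg-core-rxg2.am3wireless.com (squid/3.3.3)\r\n"
    "X-Cache: MISS from va-bbg-core-rxg2.am3wireless.com\r\n"
    "\r\n"
    "<html><body><h1>ERROR</h1><p>The requested URL could not be retrieved</p>"
    "<hr><div id=\"footer\">Generated Sat, 04 Jan 2014 23:52:15 GMT by "
    "va-bbg-core-rxg2.am3wireless.com (squid/3.3.3)</div></body></html>"
)

# Via entry: "1.1 host (comment)" or "HTTP/1.1 host"
VIA_RE = re.compile(r"(?:\d\.\d|HTTP/\d\.\d)\s+(\S+)(?:\s+\(([^)]*)\))?")
# Squid error-page footer
GENERATED_RE = re.compile(r"Generated .*? by (\S+) \(([^)]+)\)")


def split_response(raw):
    """Split a raw HTTP response into (status_line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def fingerprint_proxy(raw):
    """Return what the response reveals about proxies that touched it."""
    status, headers, body = split_response(raw)
    hops = []
    for via in headers.get("via", []):
        for entry in via.split(","):
            m = VIA_RE.match(entry.strip())
            if m:
                hops.append({"host": m.group(1), "software": m.group(2)})
    cache_hosts = [v.split("from", 1)[1].strip()
                   for v in headers.get("x-cache", []) if "from" in v]
    gen = GENERATED_RE.search(body)
    server = headers.get("server", [None])[0]
    software_seen = [server, gen.group(2) if gen else None]
    software_seen += [h["software"] for h in hops]
    return {
        "status": status,
        "via_hops": hops,
        "x_cache_hosts": cache_hosts,
        "server": server,
        "error_page_host": gen.group(1) if gen else None,
        "error_page_software": gen.group(2) if gen else None,
        "squid": any("squid" in (s or "").lower() for s in software_seen),
    }


def live_probe(host, port=80, path="/", timeout=5):
    """Send one GET over plain HTTP and report whether anything answered.

    Run it against a host you control with nothing listening on `port`.
    Connection refused / timeout is the honest result; a full HTTP response
    means an in-path device answered for the origin. Network call; not used
    by the offline sample above.
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        raw += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        return {"answered": True, **fingerprint_proxy(raw + "\r\n" + body)}
    except (ConnectionRefusedError, socket.timeout, OSError) as exc:
        return {"answered": False, "error": repr(exc)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(live_probe(target) if target else fingerprint_proxy(SAMPLE_RESPONSE))
```

A proxy operator can switch the Via and X-Cache headers off, so their absence proves nothing; their presence, or an error page generated by a host you never asked for, is the part that is hard to explain away.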

Conclusion

Access Media 3, my ISP (which we are forced to use in my apartment complex), is using an rXg machine to inject JavaScript and cookies into any unencrypted HTTP pages passing through its network.

Implications

As the injected JavaScript is obfuscated in most circumstances I have no idea exactly what the injection does. At the very least I can see multiple references to persisting cookies, a way to track a user's behavior across the internet. MediaShift's website makes it clear that they offer this data-collection system as a way for networks to make money. It's therefore not too much of a stretch to conclude that Access Media is making money from selling data about its users' behavior to unknown parties.

I'm certainly not OK with this at all, and I assume most people wouldn't be. I skimmed through my Access Media contract and they do mention they have the right to 'monitor' the traffic across their network; however, if by monitor they mean 'conduct XSS injections against every user', I know a lot of people will not be happy, especially with the current state of affairs regarding internet security and tracking.

Apparently similar behavior has been reported before by other ISPs:

http://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-for-hs-ok/

http://erichelgeson.github.io/blog/2013/12/31/i-fought-my-isps-bad-behavior-and-won/

I’ve sent an email to Access Media so we’ll see what their response is.

2014-01-05