Sandvine.com middleboxes on Türk Telekom’s network redirected traffic in two countries, Turkey and Syria, and were used to raise money through affiliate ads and cryptocurrency mining in Egypt. The whole affair seems underestimated by social media and TV, because ‘Bad Traffic’ might be only the beginning of a ‘traffic fight’, and there is very little you can do about it.
Figure: The targets for malware injection in Turkey and Syria. Picture source: Citizen Lab 2018.
Several Sandvine devices were used to redirect traffic directly to Egypt for malware, ads and mining purposes. TurkTrust was the provider which handled the connection; as reported over here, the provider has a general ‘trust’ problem. The fight has only just begun, and I do believe this will soon happen all over the world, or is already ongoing, as multiple other sources often show.
The entire background story can be found here and is worth reading to understand how they spread malware: basically, once again, by redirected URLs/domains and manipulated software.
The injected and manipulated malware delivered via CCleaner and other programs is dangerous without any doubt, but you do not need to switch the product you have installed just because of this, because they are trying to redirect you to other products too, which means they are ultimately trying to spread their malware through every product. I assume popular products are a larger target because more people use them, which increases the chance of infecting more people; using alternatives doesn’t help here, because they might already be infected too, or be next on the list. Besides, most smaller projects are more vulnerable because fewer people watch the source code or actually do a security audit.
In fact every piece of software is a possible target, and the target grows as soon as it gets popular. Recommending alternatives all over the place is simply stupid, because they are not less targeted, and it doesn’t solve the problem that in theory every download or URL could be redirected or manipulated.
The problem here is that there is no protection to identify this with the current mechanisms; all you can do is inspect the traffic via deep packet inspection and observe it. That said, by then it’s already too late, or everything has already happened.
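The two defender-side checks that follow are an added example, not code from the original post or from Citizen Lab: the first inspects a download’s redirect chain, as a proxy or DPI tap would record it, and flags an HTTPS-to-HTTP downgrade or a redirect that leaves the domain the user asked for; the second compares the bytes actually received against a hash published out of band, which a swapped installer fails no matter how the redirect happened. All hostnames, URLs and file bytes below are constructed for illustration; the domain-matching helper is a deliberate simplification (last two labels only, no Public Suffix List).

```python
# Added example (not from the original post): defender-side checks against the
# redirect-and-tamper pattern described above. All hosts, URLs and bytes below
# are constructed for illustration; nothing here is from the Citizen Lab report.
import hashlib
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough for example.com vs example-mirror.net; a production check
    would use the Public Suffix List (co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def audit_redirect_chain(hops):
    """Inspect a download's redirect chain as recorded by a proxy or DPI tap.

    hops: list of dicts with keys url, status, location (location is None for
    the final response). Returns a list of (finding, from_url, to_url) tuples.
    Two signals are checked: an https -> http downgrade, and a redirect that
    leaves the registrable domain of the URL the user originally requested.
    """
    findings = []
    for hop in hops:
        if hop["status"] not in REDIRECT_CODES or not hop.get("location"):
            continue
        src, dst = urlparse(hop["url"]), urlparse(hop["location"])
        if src.scheme == "https" and dst.scheme == "http":
            findings.append(("scheme_downgrade", hop["url"], hop["location"]))
        if registrable_domain(src.hostname) != registrable_domain(dst.hostname):
            findings.append(("cross_domain_redirect", hop["url"], hop["location"]))
    return findings


def verify_download(data, expected_sha256):
    """Compare the bytes actually received with a hash published out of band
    (vendor page over HTTPS, signed release notes). A redirected or injected
    installer fails this check regardless of how the redirect happened."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


# --- constructed sample data ------------------------------------------------
# A plaintext download that gets bounced to an unrelated host (constructed).
SUSPICIOUS_CHAIN = [
    {"url": "http://download.example.com/installer.exe", "status": 302,
     "location": "http://cdn.example-mirror.net/installer.exe"},
    {"url": "http://cdn.example-mirror.net/installer.exe", "status": 200,
     "location": None},
]
# An HTTPS request answered with a redirect to plain HTTP (constructed).
DOWNGRADE_CHAIN = [
    {"url": "https://download.example.com/installer.exe", "status": 302,
     "location": "http://download.example.com/installer.exe"},
    {"url": "http://download.example.com/installer.exe", "status": 200,
     "location": None},
]
# A vendor-internal redirect that stays on HTTPS and on the same domain.
BENIGN_CHAIN = [
    {"url": "https://download.example.com/installer.exe", "status": 301,
     "location": "https://dl.example.com/installer.exe"},
    {"url": "https://dl.example.com/installer.exe", "status": 200,
     "location": None},
]
GENUINE_BYTES = b"constructed stand-in for the genuine installer"
TAMPERED_BYTES = GENUINE_BYTES + b"\x00 constructed stand-in for injected bytes"
EXPECTED_SHA256 = hashlib.sha256(GENUINE_BYTES).hexdigest()  # the 'published' hash

if __name__ == "__main__":
    for name, chain in (("suspicious", SUSPICIOUS_CHAIN),
                        ("downgrade", DOWNGRADE_CHAIN),
                        ("benign", BENIGN_CHAIN)):
        print(name, audit_redirect_chain(chain) or "no findings")
    print("genuine matches published hash:", verify_download(GENUINE_BYTES, EXPECTED_SHA256))
    print("tampered matches published hash:", verify_download(TAMPERED_BYTES, EXPECTED_SHA256))
```

The chain audit only tells you that something in the path behaved oddly; the hash comparison is the check that actually decides whether the file is the one the vendor shipped, which is why the hash must come from a channel the middlebox cannot rewrite.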
You can be sure at this point that this is just the beginning and that other countries will adopt it and find bigger ways to mass-redirect traffic for their needs, e.g. to mine cryptocurrencies, to spy, or to inject malware. That alone is really shocking because there is little you can do about it.
This shows again that the vast majority of corporations are non-ethical entities and only seek profit. Only when their profits are endangered, e.g. by backlash from the general public, do they act ethically. The problem I see here is that it will be used on a larger scale because there are few ways for people to do anything about it: they might see ads or notice that their Internet is slowed down, but by then it’s mostly already too late, if people notice it at all, and especially in environments with less educated people it could be a problem.
It’s unclear at the time of writing whether this isn’t already being abused all over the world under different names, against different targets and on a larger scale. The ISP here must be responsible in the first place for ensuring that certificates are valid and not compromised; in my opinion, no matter what you set, if there is a ‘bad’ certificate the ISP should prevent you from connecting to it. This has nothing much to do with censorship; it is more about preventing harm.
I’ll monitor this story closely because it’s really huge, and I’m sure this will sooner or later affect more countries, not only Turkey or Syria.