Interesting People mailing list archives
Report highlights how deep packet inspection could be subverted by cybercriminals
From: "Dave Farber" <farber () gmail com>
Date: Tue, 13 Mar 2018 07:40:11 -0400
Begin forwarded message:
From: the keyboard of geoff goodfellow <geoff () iconia com>
Date: March 13, 2018 at 5:37:58 AM EDT
To: "E-mail Pamphleteer Dave Farber's Interesting People list" <ip () listbox com>
Subject: Report highlights how deep packet inspection could be subverted by cybercriminals

Report highlights how deep packet inspection could be subverted by cybercriminals
by Tara Seals | Mar 12, 2018
https://www.fiercewireless.com/dpi-espionage-campaign-targets-turkish-dissidents

A series of deep packet inspection (DPI) middleboxes developed by Sandvine PacketLogic (formerly known as Procera) are apparently being misused by state-sponsored cybercriminals for espionage purposes and for commercial gain.

According to a Citizen Lab internet scan, DPI boxes on Türk Telekom's network are being used to redirect hundreds of mobile and fixed users in Turkey and Syria to spyware when those users attempt to download certain legitimate Windows applications. Visitors to official vendor websites, including Avast Antivirus, CCleaner, Opera, and 7-Zip, were observed being silently redirected to malicious versions bundled with the StrongPity and FinFisher spyware, as were those who downloaded a wide range of applications from CBS Interactive's Download.com.

The scans of Turkey revealed that this redirection was happening in at least five provinces, and Citizen Lab believes the efforts were being carried out by the ISP at the behest of the Turkish government.

"Based on publicly available information we found on Wi-Fi router pages, at least one targeted IP address appears to serve YPG (Kurdish militia) users," the group said in its analysis. "YPG has been the target of a Turkish government air and ground offensive which began in January 2018. Areas not controlled by the YPG also appear to be targeted, including the area around Idlib city."

The Citizen Lab also found similar middleboxes in the Telecom Egypt network being used to hijack Egyptian internet users' unencrypted web connections en masse. In this case, the boxes were being used to redirect the users to affiliate ads and browser cryptocurrency mining scripts in an effort to line the criminals' pockets.

This kind of redirection can be done via network injection: A DPI middlebox operates over connections between a target and an internet site he or she is visiting. If the connection is unauthenticated (e.g., HTTP and not HTTPS), then the middlebox can be used to tamper with data to inject a spoofed response from the internet site. The spoofed response may contain redirects to exploits or spyware to infect and monitor the target.

The Citizen Lab said that it matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. "We developed a fingerprint for the injection we found in Turkey, Syria, and Egypt and matched our fingerprint to a second-hand PacketLogic device that we procured and measured in a lab setting," the group said in an announcement...

[SNIP]

https://www.fiercewireless.com/dpi-espionage-campaign-targets-turkish-dissidents

--
Geoff.Goodfellow () iconia com
living as The Truth is True
http://geoff.livejournal.com
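A small defender-side check for the injection pattern the article describes, added here as an example and not code from the article, Citizen Lab, or Sandvine: given a captured HTTP exchange, it flags a plain-HTTP installer download that is answered with a redirect to a different host, and notes that an HTTPS request is not modifiable in flight this way. Host names, paths and the exchanges themselves are constructed placeholders.

```python
# Added example (not from the article or Citizen Lab). Heuristic classifier for
# the "injected redirect on an unauthenticated download" pattern. All sample
# exchanges below are constructed; the hosts are placeholders, not real IoCs.
from urllib.parse import urlsplit

INSTALLER_SUFFIXES = (".exe", ".msi", ".zip", ".dmg")
REDIRECT_CODES = (301, 302, 303, 307, 308)


def classify_redirect(request_url, status, headers):
    """Label one request/response pair.

    'authenticated'        - HTTPS request; a middlebox cannot spoof the
                             response without breaking certificate validation.
    'not-redirect'         - no 3xx status, nothing to inspect here.
    'same-origin'          - redirect stays on the requested host (normal).
    'suspicious-injection' - plain-HTTP installer download sent to another
                             host, the behaviour observed in the report.
    'cross-origin'         - other cross-host redirect; review manually.
    """
    req = urlsplit(request_url)
    if req.scheme == "https":
        return "authenticated"
    if status not in REDIRECT_CODES:
        return "not-redirect"
    loc = urlsplit(headers.get("Location", ""))
    # A relative Location, or one naming the same host, stays on the origin.
    if not loc.netloc or loc.netloc.lower() == req.netloc.lower():
        return "same-origin"
    paths = (req.path.lower(), loc.path.lower())
    if any(p.endswith(INSTALLER_SUFFIXES) for p in paths):
        return "suspicious-injection"
    return "cross-origin"


# Constructed sample exchanges: (request URL, status, response headers).
SAMPLES = [
    ("http://vendor.example/downloads/setup.exe", 302,
     {"Location": "http://mirror.placeholder.example/setup.exe"}),
    ("http://vendor.example/downloads/setup.exe", 302,
     {"Location": "/mirror/setup.exe"}),
    ("https://vendor.example/downloads/setup.exe", 302,
     {"Location": "http://mirror.placeholder.example/setup.exe"}),
    ("http://vendor.example/index.html", 200, {}),
]


def scan(samples=SAMPLES):
    """Classify every sample exchange, in order."""
    return [classify_redirect(url, status, hdrs) for url, status, hdrs in samples]


if __name__ == "__main__":
    for (url, _, _), verdict in zip(SAMPLES, scan()):
        print(f"{verdict:22} {url}")
```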