Report highlights how deep packet inspection could be subverted by cybercriminals

["Dave Farber" <farber () gmail com>]

Begin forwarded message:

> From: the keyboard of geoff goodfellow <geoff () iconia com>
> Date: March 13, 2018 at 5:37:58 AM EDT
> To: "E-mail Pamphleteer Dave Farber's Interesting People list" <ip () listbox com>
> Subject: Report highlights how deep packet inspection could be subverted by cybercriminals
>
> Report highlights how deep packet inspection could be subverted by cybercriminals
> by Tara Seals | Mar 12, 2018
> https://www.fiercewireless.com/dpi-espionage-campaign-targets-turkish-dissidents
>
> A series of deep packet inspection (DPI) middleboxes developed by Sandvine PacketLogic (formerly known as Procera) 
> are apparently being misused by state-sponsored cybercriminals for espionage purposes and for commercial gain.
> According to a Citizen Lab internet scan, DPI boxes on Türk Telekom’s network are being used to redirect hundreds of 
> mobile and fixed users in Turkey and Syria to spyware when those users attempt to download certain legitimate Windows 
> applications. Visitors to official vendor websites, including Avast Antivirus, CCleaner, Opera, and 7-Zip, were 
> observed being silently redirected to malicious versions bundled with the StrongPity and FinFisher spyware, as were 
> those who downloaded a wide range of applications from CBS Interactive’s Download.com.
>
> The scans of Turkey revealed that this redirection was happening in at least five provinces, and Citizen Lab believes 
> the efforts were being carried out by the ISP at the behest of the Turkish government.
>
> “Based on publicly available information we found on Wi-Fi router pages, at least one targeted IP address appears to 
> serve YPG (Kurdish militia) users,” the group said in its analysis. “YPG has been the target of a Turkish government 
> air and ground offensive which began in January 2018. Areas not controlled by the YPG also appear to be targeted, 
> including the area around Idlib city.”
>
> The Citizen Lab also found similar middleboxes in the Telecom Egypt network being used to hijack Egyptian internet 
> users’ unencrypted web connections en masse. In this case, the boxes were being used to redirect the users to 
> affiliate ads and browser cryptocurrency mining scripts in an effort to line the criminals’ pockets.
>
> This kind of redirection can be done via network injection: A DPI middlebox operates over connections between a 
> target and an internet site he or she is visiting. If the connection is unauthenticated (e.g., HTTP and not HTTPS), 
> then the middlebox can be used to tamper with data to inject a spoofed response from the internet site. The spoofed 
> response may contain redirects to exploits or spyware to infect and monitor the target.
>
> The Citizen Lab said that it matched characteristics of the network injection in Turkey and Egypt to Sandvine 
> PacketLogic devices.  
>
> “We developed a fingerprint for the injection we found in Turkey, Syria, and Egypt and matched our fingerprint to a 
> second-hand PacketLogic device that we procured and measured in a lab setting,” the group said in an announcement...
>
> [SNIP]
>
> https://www.fiercewireless.com/dpi-espionage-campaign-targets-turkish-dissidents
>
> -- 
> Geoff.Goodfellow () iconia com
> living as The Truth is True
> http://geoff.livejournal.com  
>
> This message was sent to the list address and trashed, but can be found online.



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20180313074019:4C8490BC-26B3-11E8-AD93-9A7F51A1BB1F
Powered by Listbox: http://www.listbox.com