ISPs Accused Of Hijacking Search Terms, Redirecting Browser Results To Marketer's Websites
from the yikes dept
It's really quite stunning that ISPs and marketers haven't yet realized that hijacking users' browser functions and redirecting them for marketing purposes could get them into serious trouble. They just keep doing it. The latest involves "more than 10 ISPs" in the US who have been secretly hijacking search terms and redirecting users directly to marketers' websites. That is, if you typed "apple" into a browser search box, the service could take you directly to Apple's website, rather than to search results. In this case, the search query never even reaches your search engine of choice: it is intercepted by the ISP, via a partner called Paxfire. Christian Kreibich and Nicholas Weaver, at Berkeley, discovered this and have been tracking it for a few months. Apparently, they found 165 search terms being used in this manner, including "apple," "dell," "safeway," and "bloomingdales." From the article, it's not clear if the companies such as those listed above are actually responsible. Instead, it looks like it may be part of an affiliate program, whereby a company signs up as an affiliate to such stores, then uses this kind of deal with an ISP to generate massive affiliate fees, some of which get kicked back to the ISP.
The report notes that Google became aware of this earlier this year and complained privately about it (why not publicly?). That resulted in the ISPs no longer intercepting Google traffic (which is the majority of search traffic), but it's still pretty questionable. Either way, the excellent New Scientist report (linked above) also notes that a class action lawsuit has already been filed here, claiming that this violates the Wiretap Act.
What's most amazing to me, however, is that anyone involved in schemes like this doesn't think that it will eventually come out, and that they'll (a) look terrible and (b) get sued.
Reader Comments
Civil suit? No, this should be a federal criminal case
Re: Civil suit? No, this should be a federal criminal case
Re: Civil suit? No, this should be a federal criminal case
Re: Civil suit? No, this should be a federal criminal case
But if you have the actual masterminds going to jail, well now, the number of people actually willing to take the risk to run such a company will quickly dwindle. Those stupid enough to continue to risk it will end up in jail, and the others will find something else to do. (Probably also unethical and immoral, but maybe not illegal.)
Re: won't vs will
Comcast and Verizon.
HTTPS Everywhere
ISP List
Cavalier
Cincinnati Bell
Cogent
Frontier
Hughes
IBBS
Insight Broadband
Megapath
Paetec
RCN
Wide Open West
XO Communication
Since you posed the questions,
(a) Only to a very small percentage of people who actually understand WTF just happened to their search.
(b) Who's going to sue them? The average person is going to conclude it's not worth the time and expense. A privacy rights organization might. However, the ISP will probably pull some kind of "it's in the TOS" deal and some crappy judge will uphold it.
just to clarify
Re: just to clarify
Google -- why not publicly?
If you haven't read the book by "Google Employee #59", it is a great insight into the company and also touches on why Google would handle something like this privately.
The core gist of it (or at least how I read between the lines) is that Google ultimately knows that direct fights are expensive, have unintended consequences, etc. Essentially, they view "fighting the good fight" as declaring "war", and are very hesitant to do so. In contrast, their secret weapon is an incredibly talented tech team that can work around and solve these types of issues for themselves while staying under the radar.
Freedom
Why will Congress not rid us of this pest?
Paxfire was founded in 2003, but appears to have been a spin-off from a slightly older company, Simena LLC, whose president, Seyzen Uysal, is an inventor named in at least one patent assigned to Paxfire. Both companies are located in Reston, VA, home of many companies which are involved in, shall we say, shady dealings involving the US government. Simena has about 5 employees and annual revenues of about 0.5 million, while Paxfire has about 21 employees with annual revenues of about 29 million. Paxfire operates servers in Asia, Europe, as well as the US, and has offices in Holland, Germany, the United Kingdom, and Australia. Simena offers a device which sorts and tees traffic for further analysis (for example by a DPI box), while Paxfire offers devices which geolocate consumers and hijack their search requests (often ALL search requests), sending the consumer to a fake Google server, a server which is actually operated by Paxfire, a company which has no business relations with Google (according to Google, and for once I believe the Chocolate Factory).
Initial mention of Paxfire in the press came mostly from business writers who appear to have been inclined to give the benefit of the doubt to co-founders Mark Lewyn, a former reporter, and Allan Sullivan. What I find remarkable about later coverage from tech writers is the depth of personal revulsion at the business practices of Paxfire (and sleazy ISPs which install Paxfire boxes in their server rooms) which is apparent in their writing. Another interesting feature is that it appears to be standard practice for ISPs to deliberately mislead their own helpline employees and even admins about the presence and function of the Paxfire boxes. It even seems that some smaller ISPs which hired a "modem management company" based in Pittsburgh, Ad-Base Systems, may have been misled about the presence and function of Paxfire boxes which Ad-Base had installed in its server rooms, allegedly without the knowledge of the ISPs (or at least, their admins). As one might expect, call center techies and admins who find out that they have been passing on misinformation to consumers are usually quite angry when they learn they have been deceived by their own company (or its business partners). (See the Google Knol cited below.)
Another aspect which doesn't come through very clearly in most of the coverage is the extent to which Paxfire tries to hide its ownership of the fake Google servers behind front companies, and more generally of its business activities. It appears to describe itself by saying it offers "telecommunication services, namely, electronic data reception and transmission", which is obviously extremely misleading. One page even misspells Mark Lewyn's last name.
Reaction to VeriSign's New 36-Hour Deadline
CircleID, 3 October 2003
Broken Links Lined With Gold for Paxfire
Washington Post, 30 January 2005
Interview with Mark Lewyn, Paxfire.
Mark talks about his experience raising money from the CIT GAP fund.
Keywords: Mark Lewyn Paxfire CIT GAP raising money
MeThings, 14 Jul 2005
Washington Post
Recent Deals, 23 May 2005
[quote]
Paxfire Inc. , an Internet traffic reduction company in Reston, sold $2.1 million of series A preferred stock to three investors, according to an SEC filing. Paxfire will use the money for working capital. On Demand Venture Fund of San Francisco and three Paxfire executives were listed as beneficial owners.
[/quote]
The Typo Millionaires
The sordid history of the oldest scam on the Internet—and how to kill it off once and for all.
By Paul Boutin
Slate, 11 February 2005
http://knol.google.com/k/dns-squatting
DNS Squatting
The marketers are out to get you... and your little browser too.
How Paxfire stole Google.com - and nobody noticed. An introduction to DNS Squatting - why you should understand how it works and how it affects you when unscrupulous marketers play games with your DNS.
Joseph Harris
Google Knol, August 2008
http://www.newscientist.com/article/dn20768-us-internet-providers-hijacking-users-search-queries.html
US internet providers hijacking users' search queries
Jim Giles
New Scientist, 4 August 2011
http://www.eff.org/deeplinks/2011/07/widespread-search-hijacking-in-the-us
Widespread Hijacking of Search Traffic in the United States
Christian Kreibich (ICSI), Nicholas Weaver (ICSI) and Vern Paxson, with Peter Eckersley (EFF).
EFF, 4 August 2011
http://arstechnica.com/tech-policy/news/2011/08/small-isps-turn-to-malicious-dns-servers-to-make-extra-cash.ars
Small ISPs use "malicious" DNS servers to watch Web searches, earn cash
Nate Anderson
Ars Technica, 5 August 2011
http://www.dslreports.com/shownews/ISPs-Covertly-Hijacking-Search-Traffic-115547
10 ISPs Using Paxfire Tech to Track Users, Hijack Results
Karl Bode
DSL Reports, 5 August 2011
http://venturebeat.com/2011/08/05/isp-search-redirect/
Why ISPs are hijacking your search traffic & how they profit from it
Jolie O'Dell
Venture Beat, 5 August 2011
http://www.theinquirer.net/inquirer/news/2099860/isps-hijack-search-traffic
Big US ISPs hijack search traffic
Crikey!
Inquirer, 5 August 2011
http://www.maximumpc.com/article/news/several_us_isps_hijacking_and_redirecting_their_customers_search_queries
Several US ISPs Hijacking And Redirecting Their Customers' Search Queries
Brad Chacos
MaximumPC, 5 August 2011
http://techcrunch.com/2011/08/05/study-some-isps-still-hijacking-search-results-lawsuit-follows/
Study: Some ISPs Still Hijacking Search Results (Lawsuit Follows)
Devin Coldewey
Techcrunch, 5 August 2011
http://boingboing.net/2011/08/05/many-us-isps-in-epidemic-of-covert-search-hijacking-of-their-customers.html
Many US ISPs in epidemic of covert search-hijacking of their customers
Cory Doctorow
BoingBoing, 5 August 2011
See also
US Patent 7631101, Systems and methods for direction of communication traffic
US Patent 7310686, Apparatus and method for transparent selection of an Internet server based on geographic location of a user
The Wikipedia article was apparently edited by Lewyn and has recently been moved which erased prior history; see
https://secure.wikimedia.org/wikipedia/en/wiki/Paxfire
The version as on 8 August seemed pretty good, but it is strange that it describes Paxfire as a "startup" since it has been operating since 2003.
So why has Paxfire been allowed to operate unmolested for so long, despite such widespread knowledge of and revulsion from its business practices? Practices which, everyone seems to agree, are either criminal or ought to be? The explanation might be some contributions during the most recent presidential election:
http://www.campaignmoney.com/finance.asp?type=io&cycle=08&criteria=Paxfire
Doug Armentrout, COO, Paxfire, $250, National Republican Trust PAC
Kris Carter, General Counsel, Paxfire, $250, National Republican Trust PAC
Michael Subotin, Research Scientist, $1050 (total), Obama for America
Is that really the price of protection? A mere 1500? Can't we collectively beat that and put this company out of business and its executives in the dock?
Actually, the true story may be even worse than that. Several of the fake Google servers reported to Google in 2008 were registered to L-3 Communications. Back in 2008, L-3's webpages said little about the nature of its business, and the Wikipedia article described L-3 as a company which owned a lot of dark fiber. Convenient if you want to hide something ugly. But the current Wikipedia article is much more accurate. L-3 Communications is in fact the 8th largest US federal government contractor, with about 3.8 billion in federal contracts in 2011. It has annual revenue of about 15.7 billion, employs some 63,000 people, has offices all over the world. Its business? The current Wikipedia article says
[quote]
L-3 Communications ... supplies command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) systems and products, avionics, ocean products, training devices and services, instrumentation, space, and navigation products. Its customers include the Department of Defense, Department of Homeland Security, U.S. Government intelligence agencies, NASA, aerospace contractors and commercial telecommunications and wireless customers.
[/quote]
And this description is an accurate summary of how L-3 now describes itself.
The fake Google servers reported to Google in 2008 are still owned by L-3, but if they are assigned to anyone, they are bogons. But one subnet previously used (allegedly) by Paxfire in 2008 to hide fake Google servers appears to have popped up again recently in what appears to be a scam in which traffic from US service persons seeking insurance is hijacked and sent to a malware serving site. Nasty, huh? Another of these subnets has recently been named in the ongoing genuine but improperly issued certificate issue, in which a certificate for the International Criminal Court appears to have been given up to an imposter.
Another company which sells multi GB/second deep packet inspection equipment to ISPs and internet backbone providers is Cisco, which has been accused for many years of close cooperation with the Chinese government in its population surveillance and censorship programs. And a UK based company, Gamma International, apparently tried to sell its own DPI equipment to pre-revolution Egypt, and appears to maintain an office in Syria. And there are possible indications here that a third company, Paxfire, may be involved in something which ought to concern the US Congress, even if trampling on consumer rights does not.
Why not publicly?
The role of Ad-Base Systems, L-3 Communications, HBGary
The EFF summary and these two research papers are well worth reading:
http://www.eff.org/deeplinks/2011/07/widespread-search-hijacking-in-the-us
http://www.icir.org/christian/publications/2011-satin-netalyzr.pdf
http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf
The EFF researchers admitted they were surprised that millions of US persons turn out to have been victimized in this DNS hijacking, but their figure agrees with my estimate in 2008.
In the papers, "ISP" can be confusing. The researchers found that all the searches of 98% of the customers of Ad-Base Systems, based in Pittsburgh, were being hijacked (apparently by Paxfire boxes, with the connivance of Ad-Base). Ad-Base is not only a local ISP in that area but also operates a "managed modem" business, so dial-up customers of many local ISPs in other areas were actually being redirected to Ad-Base, and then their search requests were being sent to fake Google servers, apparently actually operated by Paxfire. In 2008 I found that some of these servers seemed to be registered to L-3 Communications and Internap, which also agrees with the EFF researchers' findings. L-3 is the eighth largest US federal government contractor, and the nature of its business raises questions about its involvement in this business:
https://secure.wikimedia.org/wikipedia/en/wiki/L-3_Communications
[quote]
L-3 Communications Holdings, Inc. (NYSE: LLL) is a company that supplies command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) systems and products, avionics, ocean products, training devices and services, instrumentation, space, and navigation products. Its customers include the Department of Defense, Department of Homeland Security, U.S. Government intelligence agencies, NASA, aerospace contractors and commercial telecommunications and wireless customers.
[/quote]
The HBGary leak revealed that L-3 had solicited a prospectus from HBGary for a project which appears morally ambiguous, to say the least.
The managed modem business
Some other companies which appeared to be associated with rogue servers in 2008 were Allmar Networks and WOW.
As examples of Paxfire boxes performing typo-squatting: it seems that customers of some ISPs trying to search Google have recently wound up at pages with URLs like this:
goto.searchassist.com/find?p=paxfire&s=www.wikipedia.org&t=9_33_1_0_1_12_1
autocorrect.sendori.com/autocorrect?p=paxfire&t=9_31_1_42_1_0_27
goto.searchassist.com/find?p=paxfire&s=wwwurnextenant.info&t=9_33_1_0_1_12_1
goto.searchassist.com/find?p=paxfire&s=www.sabteahval.ir&t=9_33_1_0_1_12_1
goto.searchassist.com/find?p=paxfire&s=axxo.superfundo.org&t=9_26_1_0_1_4_1
goto.searchassist.com/find?p=paxfire&s=www.mcdgc.go.tz&t=9_33_1_0_1_12_1
goto.searchassist.com/find?p=paxfire&s=goto.searchassist.comhttp%3A&t=9_33_1_0_1_12_2
hxxp://goto.searchassist.com/find?p=paxfire&s=www.cfjvhjgcjfvhgkjh.net
goto.searchassist.com/find?p=paxfire&s=www.filesonic.com&t=9_32_1_0_1_7_2
In these examples, something like wwwurnextenant.info is obviously a typo, but www.filesonic.com should resolve just fine. This is already objectionable and possibly illegal, I think. But what the EFF researchers found (as did I and others in 2008) is that Paxfire is in many cases hijacking ALL search requests, regardless of whether any typos occur, with Paxfire's meddling being entirely hidden from the user (the fake Google pages being visually indistinguishable from the real thing). See
http://knol.google.com/k/dns-squatting
How Paxfire stole Google.com - and nobody noticed.
Joseph Harris
8 August 2008
for a screenshot from 2008, obtained by an ISP tech. In 2008, it seems that at least some ISPs which had hired GlobalPops were misled about the causes of customer complaints of hijacking. Surely that cannot be legal, can it?
I believe that investigations by Attorneys General of the various states, the Congress, the FTC, and the Department of Commerce (which investigated Paxfire back around 2005) are warranted.
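As an added example (not code from the post, from Techdirt, or from any company named in it), the following Python classifier takes landing URLs of the shape quoted in the comment above, pulls out the partner tag (p=) and the originally requested host (s=), and separates malformed or missing-dot names, which would never have resolved, from well-formed names whose interception is the serious case the commenter describes. The redirect-host list and the missing-dot heuristic are assumptions, and the sample URLs are constructed from the thread's patterns.

```python
"""Classify Paxfire-style redirect landing URLs (added example, not from the thread).

A browser that meant to reach host X but landed on a redirect service reveals,
in the landing URL, who monetised the request (p=) and what was asked for (s=).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Redirect landing hosts quoted in the thread. Assumed list, not exhaustive.
REDIRECT_HOSTS = {"goto.searchassist.com", "autocorrect.sendori.com"}

# Syntactically valid hostname: dot-separated LDH labels ending in an alphabetic TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
# Heuristic (assumption): 'www' glued to the next label, e.g. wwwurnextenant.info,
# is the classic missing-dot typo that an NXDOMAIN squatter monetises.
MISSING_DOT_RE = re.compile(r"^www[a-z0-9]")


def normalise(url: str) -> str:
    """Accept defanged 'hxxp://' and bare host/path forms as they appear in the thread."""
    url = url.strip().replace("hxxp://", "http://", 1)
    return url if "://" in url else "http://" + url


def classify_landing(url: str) -> dict:
    """Return redirect host, partner tag, requested host and a category.

    Categories:
      clean             - landing host is not a known redirect service
      redirect_no_host  - known redirect service, but no s= to judge
      malformed_or_typo - requested name could not have resolved (error-page squatting)
      well_formed_host  - requested name is valid; a resolvable name was intercepted,
                          so verify against an independent resolver (the serious case)
    """
    parts = urlsplit(normalise(url))
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes s=
    partner = query.get("p", [None])[0]
    requested = query.get("s", [""])[0].lower()
    result = {"redirect_host": host, "partner": partner, "requested": requested}

    if host not in REDIRECT_HOSTS:
        result["category"] = "clean"
    elif not requested:
        result["category"] = "redirect_no_host"
    elif MISSING_DOT_RE.match(requested) or not HOSTNAME_RE.match(requested):
        result["category"] = "malformed_or_typo"
    else:
        result["category"] = "well_formed_host"
    return result


def summarise(urls):
    """Count categories and collect partner tags across a batch of landing URLs."""
    counts, partners = {}, set()
    for url in urls:
        info = classify_landing(url)
        counts[info["category"]] = counts.get(info["category"], 0) + 1
        if info["partner"]:
            partners.add(info["partner"])
    return counts, partners


# Constructed sample input following the patterns quoted in the thread.
SAMPLE_LANDINGS = [
    "goto.searchassist.com/find?p=paxfire&s=www.filesonic.com&t=9_32_1_0_1_7_2",
    "goto.searchassist.com/find?p=paxfire&s=wwwurnextenant.info&t=9_33_1_0_1_12_1",
    "goto.searchassist.com/find?p=paxfire&s=goto.searchassist.comhttp%3A&t=9_33_1_0_1_12_2",
    "hxxp://goto.searchassist.com/find?p=paxfire&s=www.cfjvhjgcjfvhgkjh.net",
    "autocorrect.sendori.com/autocorrect?p=paxfire&t=9_31_1_42_1_0_27",
    "https://www.google.com/search?q=apple",  # constructed: a search that was not redirected
]

if __name__ == "__main__":
    for sample in SAMPLE_LANDINGS:
        print(classify_landing(sample))
    print(summarise(SAMPLE_LANDINGS))
```

Names the classifier calls well formed still need a lookup against a resolver you trust before concluding the name was hijacked rather than merely unregistered.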
Why is Paxfire apparently hiding its fake Google servers behind front companies?
8.15.228.0/24
69.25.221.0/24
Anyone can look up the registration:
8.15.228.0/24 is associated with
Co-Location.com Inc.
Development Gateway, Inc.
Level 3 Communications, Inc.
The first and last are two companies which came up when I investigated hijacking (of ALL searches, not just "typos") in 2008. The second, oddly, claims to be a company which works with the UN to develop communication tools.
69.25.221.0/24 is associated with:
Almar Networks LLC
Internap Network Services Corporation
As I said earlier, both these companies also came up in 2008 investigations as apparently having some murky affiliation with Paxfire. See the Knol by Joseph Harris.
Here are some addresses for Almar Networks LLC which appear on the web:
ALMAR NETWORKS, LLC
4231 DANT BLVD
RENO, NV 89509-7020
Almar Networks LLC
297 Kingsbury Grade, Suite D
Post Office Box 4470
Lake Tahoe, NV 89449-4470
Almar Networks LLC
Stateline, NV
And at www.nvsos.gov/SOSEntitySearch/CorpDetails.aspx? we find that Almar is a registered commercial agent in the US State of Nevada, which is "managed" by
PAXFIRE INC.
45665 WILLOW POND PLAZA
STERLING, VA 20164
Some other companies also turn up which appear to be affiliated with Almar, in places like Florida and Zurich, so following the corporate structure should be a fruitful line of investigation.
A consumer and a Paxfire victim, one of millions
I am not affiliated in any way with Google, Comcast, Microsoft, or any other company, and I have absolutely no financial interest whatever in this mess. I am simply a consumer, a customer of an ISP and a former (current?) victim of Paxfire search term hijacking, possibly the one described in the Knol by Joseph Harris.
It is crucial to understand that, as my ISP verified in 2008 in independent testing, ALL my google searches were being hijacked, and this appeared to be true for ALL the customers of my ISP.
Once again I would like to draw the attention of reporters to the multiple-redirection documented by the research papers cited above. The authors note that this appears to be designed to fool advertisers into paying for supposed click-throughs by many customers, when in fact these companies are paying because the search of one consumer was hijacked by equipment operated by murky companies which appear to be front companies for Paxfire. Now there is a name for that, isn't there? It's called click-jacking, isn't it?
Mark Lewyn's protests that his company is doing nothing wrong, that this is all due to misunderstanding by consumers of what is going wrong with their searches, that if anything did go wrong it is only "by mistake" [sic], are in my view simply not credible. If this is "all a misunderstanding", why do so many people, including admins for ISPs, say that Paxfire appears to routinely deceive them (the admins), not to mention the consumer?
I renew my call for investigation of Paxfire by the US Congress and by the Attorneys General of the US states (they can start by calling the AG of Nevada to ask about the relations between Almar and Paxfire, and the AG of Pennsylvania, to ask about the relations between Ad-Base, GlobalPops, and Paxfire).