Sometimes, we think we have seen it all regarding government exploitation, but new evidence from the University of Toronto suggests that some governments are ripping off users in internet scams. Egypt, Turkey, and Syria are all shown to have misdirected web traffic on civilian computers, for purposes such as downloading malware, trapping users in a maze of advertisements, and cryptojacking.
According to researchers at the University of Toronto, Egypt may be infecting citizens’ computers with malware that mines for Monero. The report details that the Egyptian Government, or at least entities with strong government ties, are hijacking local internet connections on a large scale.
This type of intrusion is notoriously difficult to detect and has been called “the stuff of legend” by the researchers. The identified scheme is known as “AdHose,” and it redirects users’ web traffic to malware. AdHose relies on hardware installed within the networks of Telecom Egypt.
AdHose has been used in two ways for web traffic redirection.
First, the so-called spray mode affects any website that a person attempts to navigate to. Browsers are redirected to the Coinhive crypto-mining script, or they are redirected to an ad network. The U Toronto researchers found that more than 90% of devices scanned in January of this year had been hijacked via AdHose.
The second mode of the hijack is called trickle mode. In this mode, web traffic is redirected only when specific sites are visited. Two sites in particular are always redirected: CopticPope.org and Babylon-X.com, a religious site and a porn site, respectively and ironically. The hijackers operate trickle mode continuously.
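The two modes differ only in how much of a scan's traffic gets diverted, which is something a network defender can measure. The script below is an added example, not code from the Citizen Lab report or this article: it takes constructed plain-HTTP observations (requested URL, status, headers, body), flags responses that hand the browser to a suspect host either by a 3xx redirect or by an injected script tag, and labels the scan "spray" or "trickle" by the fraction of requests affected. The `coinhive.com` host is the historical Coinhive domain; `ads.constructed.example` and the `*.constructed.example` sites are placeholders.

```python
from urllib.parse import urlparse

# Hosts a legitimate site should never hand the browser to unexpectedly.
# "coinhive.com" is the historical Coinhive domain; the ad host is a placeholder.
SUSPECT_HOSTS = ("coinhive.com", "ads.constructed.example")

def is_suspect(host):
    """True if host is, or is a subdomain of, a suspect host."""
    return bool(host) and any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)

def off_origin_target(requested_url, status, headers, body):
    """Return the suspect host a response diverts the browser to, else None."""
    if 300 <= status < 400:
        target = urlparse(headers.get("Location", "")).hostname
        if is_suspect(target):
            return target
    # A 200 can still be hijacked: a middlebox can inject a <script src=...> tag.
    for host in SUSPECT_HOSTS:
        if f"//{host}/" in body:
            return host
    return None

def classify_mode(observations, spray_threshold=0.5):
    """Summarise a scan: which requests were hijacked and which AdHose mode fits."""
    hijacked = {}
    for url, status, headers, body in observations:
        target = off_origin_target(url, status, headers, body)
        if target:
            hijacked[url] = target
    ratio = len(hijacked) / len(observations) if observations else 0.0
    if ratio >= spray_threshold:
        mode = "spray"        # most sites diverted, regardless of destination
    elif hijacked:
        mode = "trickle"      # only particular sites diverted
    else:
        mode = "none"
    return mode, ratio, hijacked

# Constructed sample scans (not captured traffic). In the trickle sample only the
# two sites named in the report are diverted; the 301 to HTTPS on the same host is benign.
TRICKLE_SCAN = [
    ("http://copticpope.org/", 302, {"Location": "http://ads.constructed.example/?r=1"}, ""),
    ("http://babylon-x.com/", 200, {}, '<html><script src="//coinhive.com/lib/coinhive.min.js"></script>'),
    ("http://news.constructed.example/", 200, {}, "<html>plain page</html>"),
    ("http://shop.constructed.example/", 301, {"Location": "https://shop.constructed.example/"}, ""),
    ("http://blog.constructed.example/", 200, {}, "<html>blog</html>"),
]
# Spray sample: the same sites, but four of five are bounced to the miner.
SPRAY_SCAN = [(u, 302, {"Location": "http://coinhive.com/"}, "") for u, *_ in TRICKLE_SCAN[:4]]
SPRAY_SCAN.append(TRICKLE_SCAN[4])
```

Run against live probes, the same logic works on responses recorded with any HTTP client, provided requests are made over plain HTTP from the network under test.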
Either way, the behavior is malicious and taking advantage of civilian internet use. The least the government could do is pay for crypto mining.
The hardware that AdHose relies on does more than just run the AdHose scheme. It also censors users. It blocks out websites like Al Jazeera and Human Rights Watch. Not only are users’ systems being taken advantage of, but users are also being kept in the dark about news, human rights abuses, and other information that might help them to make better decisions about their government.
Egypt is not the only country using methods like these. The research team found similar behavior in Turkey and Syria, but instead of a cryptojacker, users were redirected to downloads of purported antivirus software. Of course, that software was in fact spyware.
According to the makers of the hardware implicated, the U Toronto report is misleading and incorrect. Sandvine, a Canadian company, merged with Procera Networks in 2017. The manufacturer has not yet responded to the inquiry about this issue.