Friday, March 29, 2013

ISP Advertisement Injection - CMA Communications

Apple Inc. endorsing H&R Block with a beautiful bright green banner ad, compliments of CMA Communications.

Tired from the day’s events and travel, I had planned to quickly look up the specifications of a Mac Mini, respond to a few emails and then get some sleep. But as Apple.com rendered in my browser, I realized I was in for a long night. What I saw was something that would make both designers and computer programmers wince with great displeasure. At the bottom of the carefully designed white and grey webpage, appeared a bright neon green banner advertisement proclaiming: “File For Free Online, H&R Block”. I quickly deduced that either Apple had entered in to the worst cross-promotional deal ever, or my computer was infected with some type of malware. Unfortunately, I would soon discover there was a third possibility, something much worse.

Assuming I had somehow managed to install malware on my MacBook Pro, running OS X, I quickly turned off the wifi connection and began to investigate. I was visiting my parents for spring break, so I moved to one of their computers to run internet searches while I examined the evidence on my Mac. Opening Chrome, I was directed to Bing.com. I laughed to myself briefly, thinking: “who uses Bing?”, and then realized I was a computer science grad student who had managed to get malware on a Mac, so I wasn’t in a position to judge. But, just as I was about to navigate to Google, I noticed something familiar. At the bottom of Bing.com, there it sat, a banner advertisement in orange in white for AT&T Wireless. It was identical in positioning and size to the one on my Mac.

Bing sporting a classy AT&T Wireless Ad, courtesy of CMA Communications
I pulled out my phone, which runs an Android operating system, and navigated this time to Yahoo.com. At the bottom of the page: a misplaced banner ad which matched the proportions of the others. I am not great at statistics, but I was fairly certain the probability of identical malware on all of these devices was low. So, I moved to thing that these devices all shared: the same wireless network. 

I turned off wifi on my phone, and refreshed the Yahoo.com page. This time no banner ad. I refreshed a few more times, checked a few other sites, all was well. As soon as the phone was back on wifi, the banner ads appeared again, I had found the source. I pulled up the web inspector in Chrome and examined the source of a page which had the ad. Appended to the very end of the HTML file for the webpage, was a single line which called to r66t.com for a JavaScript file. 

This small line of code, added by CMA Communications wreaks havoc on most websites.

I investigated further and realized that the JavaScript file would not only place banner ads at the bottom of pages, but also replace existing advertisements on the page with new advertisements (sometimes even for a competing product). This was an aggressive move by someone, but who?

What's that Huffington Post? You sold ad space on your site? So did we! - CMA Communications

I needed to rule out that my parent’s router hadn’t somehow been compromised to modify websites. I hadn’t ever seen router malware in the wild, but I supposed with some effort it would be possible. First though, I ran a traceroute to see the route my internet requests were taking. There it was: an extra stop at a private IP address. I was soon able to show that HTTP internet traffic was being routed through a Squid proxy server.

A small tag that let's us know what CMA Communications is up to.

The proxy server had been setup by a company, R66T, that specializes in a few things, one being advertisement injection into webpages. I was soon able to confirm with one other person (via Reddit) using the same internet service provider that they were seeing the uninvited advertisements too. It was apparent at this point, that my parent’s ISP, CMA Communications, had started injecting advertisements into websites requested by their customers. I felt dissatisfied to say the least. So I spun into damage control mode, blocking all R66T owned domains on our network and preparing for battle the next day.

You might not be surprised to know that CMA Communications won’t confirm or deny that they are injecting advertisements into their customer’s web traffic. You also could probably guess that there aren’t any regulatory agencies that care either and that a complaint to the Better Business Bureau is not an effective remedy to the situation. Nor does the Electronic Frontier Foundation have resources or desire to assist in a case like this. But, I think there are some entities who should care. Who? How about Apple or Microsoft? It is their trademarks and brands which are being tarnished by this scheme. When a naive user experiences a bright green banner ad on an otherwise pristine Apple.com, they do not understand that Apple is not responsible for the content. After all, Apple must be endorsing H&R Block, as it’s right there on their website, with their logo next to it.  

Target's color scheme actually fits the Verizon ad placed by CMA Communications
For those of you who are still skeptical of this situation: suppose I started an advertising company based around the idea of me putting one company’s ad next another company’s logo, without their agreement. To take it further, suppose I started a service which opened people’s mail before it got to them, carefully replaced all the advertisements inside with different ones, and then sealed it back up and delivered it as if the original sender intended for it to be that way. I would probably go to jail for something like this. So why is CMA Communications allowed to perform a similar process in the digital world, without consequence? 

Oh, you sold ad space to Allstate? Here, let me cover that with our Progressive Ad. - CMA Communications

I would urge anyone who may be in a similar situation to file complaints, and let your voice be heard. If CMA Communications succeeds at this venture, it is certain that more ISPs will join in.  

UPDATE: For the super curious, here's a zip file of many more affected sites, as well as the BBB complaint info and the FCC complaint and response. Download it at: https://zmhenkel.com/CMAInjection.zip

Below are screenshots of a couple more of the many websites that are being actively modified by CMA Communications:

Amazon.com, ads by CMA Communications
LinkedIn proudly endorses Verizon. Thanks CMA Communications!