True Internet’s transparent proxy has been compromised, giving the attackers the ability to insert pop-up ads and to spy on users for months before details were made public.
Users of True fixed-line Internet across the country have been complaining of odd pop-up ads.
Twitter users @_jacobfish and @sajal published a detailed analysis of the attack, noting that the hackers were doing it for financial gain through affiliate programs. Most of the ads served from Google through a JavaScript applet were compromised: a hacked .js file was served instead of the genuine Google version, and it contained hard-coded links to certain sites.
The JavaScript file has an expiry of one year, so even if the compromise ends, the malicious links will continue to be served for a year unless users clear their caches.
Jacob says that users have been complaining about the pop-ups for months but to no avail.
However, hours after the technical details of the attack were published, the hijacking ceased. Whether it was True engineers waking up and fixing the problem or the hackers deciding to cover their tracks was not clear.
The way the attack was carried out calls into question Thailand’s censorship-by-proxy system that all ISPs apply. While this attack seems to have served only compromised .js files that inserted ads, more dangerous payloads could easily have been inserted. Control of the proxy would also allow whoever holds it to monitor the Internet usage habits of users.
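
As an added example (not from the original article or from the researchers' analysis), the Python below shows a check a user or administrator could run on a script received through the ISP path: it compares the copy with a reference obtained over a trusted path and computes how long a browser would keep reusing it, which is why the one-year expiry matters. The headers, dates and script bodies are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: response headers as seen through the proxy path.
SAMPLE_HEADERS = {
    "Date": "Mon, 06 Jan 2014 00:00:00 GMT",
    "Expires": "Tue, 06 Jan 2015 00:00:00 GMT",
    "Content-Type": "text/javascript",
}
# Constructed stand-ins for the script bodies (not real file contents).
SAMPLE_BODY = b"/* stand-in: substituted script */"
TRUSTED_BODY = b"/* stand-in: genuine script fetched over a trusted path */"


def freshness_lifetime(headers):
    """Seconds a cache may reuse the response without revalidating.

    Cache-Control: max-age takes precedence over Expires (RFC 7234, 4.2.1).
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = h.get("cache-control", "").lower()
    if "no-store" in cc or "no-cache" in cc:
        return 0
    m = re.search(r"max-age\s*=\s*(\d+)", cc)
    if m:
        return int(m.group(1))
    if "expires" in h and "date" in h:
        delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
        return max(0, int(delta.total_seconds()))
    return 0


def audit_script(headers, body, trusted_body):
    """Report whether the body differs from the reference and how long it stays cached."""
    h = {k.lower(): v for k, v in headers.items()}
    lifetime = freshness_lifetime(headers)
    return {
        "tampered": hashlib.sha256(body).digest() != hashlib.sha256(trusted_body).digest(),
        "lifetime_days": lifetime // 86400,
        "cached_until": parsedate_to_datetime(h["date"]) + timedelta(seconds=lifetime),
    }


if __name__ == "__main__":
    print(audit_script(SAMPLE_HEADERS, SAMPLE_BODY, TRUSTED_BODY))
```

A copy flagged as tampered with a long lifetime has to be evicted from the browser cache explicitly; it will not be refetched on its own once the proxy is fixed.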