That attack stopped almost immediately after the news was blogged, but not before a network engineer on True Internet was able to duplicate the results independently and shared with me many of his logs.
True has also since issued an official reply saying that the issue was due to malware on users’ computers and not their fault.
“Our systems show no signs of being compromised and everything is functioning as normal. In the past True has had users complain of this behaviour and it was discovered that these users lacked sufficient protection which led to strange behaviour and changes in browser data,” the the spokesperson wrote to me in Thai.
The email went on to say that local caching was something done by every ISP in the world to improve users speed and quality of service and closed by reassuring me that they had in place continuous security tests to ensure quality of service for their customers.
It almost made me feel sorry for the PR person who had to write that letter considering the mountain of logs I had with evidence to the contrary.
To recap, for a number of months prior to the discovery, a small number of users were complaining of annoying pop-ups to a number of dodgy sites such bcduplicator.com, a Bitcoin ponzi-scheme site.
The problem was first reported to True, by a user known as @Icez, who posted his experience and analysis of the problem on popular Thai webboard pantip.com on 8 December - over a month before @_JacobFish’s English-language post.
A fresh install of Windows 8, Linux and even Android phones, with different web browsers (both Chrome and Firefox) were all tested and all exhibited the symptom intermittently.
Google has a number of servers that partner.googleadservices.com resolved to in the subnet 173.194.126./0. Fetching pubads_impl_32.js from most of the servers will return the full-size uncompromised version, but fetching it from 22.214.171.124 would result in the poisoned version.
However, this would only happen from within True Internet. Downloading the file from 126.96.36.199 via a VPN to somewhere or over Dtac 3G or from any other ISP would not yield the compromised file.
All this ceased on Saturday night, hours after Twitter users @_JacobFish published some details of the attack on a blog in English.
It would not be unreasonable to assume that someone had managed to compromise True’s transparent proxy to redirect Google’s 188.8.131.52 from the real address to a compromised server which served up the compromised file, the same way undesirable websites are censored in Thailand.
The question is, what does this all mean and should we be worried?
The network engineer who helped perform the analysis put it bluntly: True has no clue what they are doing and they issued that statement about users PC’s being infected with malware to save face. Well, actually he used a couple of expletives that would not be safe for publication, but that was the gist of it.
The optimistic view was that there was an attack, perhaps even an insider wanting to make some money on the side, which was detected by True and shut down on Saturday night. While on the other hand, True PR was given that statement to placate the public into a sense of security. Mainstream media bought the explanation and some newspapers printed True’s alabi verbatim.
The other possibility was that True really has no idea what happened and the hacker simply disabled the redirect and is lying low, still with access to True’s transparent proxy, still looking at the browsing habits of users, still ready to plant malware... perhaps this time of a more malicious nature rather than just cheap ponzi-scheme pop-up referrals.
Having a mega-corporation running things and controlling access to information (and food) is bad. Having a clueless mega-corporation that is out-run and out-witted by a hacker is even worse.