I was contacted by a number of users who shared their own experience with the annoying BCDuplicator pop-ups. The oldest I could verify was dated in September 2013 who documented his experience on the popular expat webboard ThaiVisa.
In most cases, True’s standard response was to send someone in, reset the router, and then blame the user for having a virus on their computer.
Instead of delivering Google’s targeted ad frameworks, the .js file was much smaller (7 kb instead of 59kb) and was hardcoded to deliver certain ads instead of Google’s.
Fresh installs of Windows and Linux using Chrome and Firefox have exhibited the symptom as has Android.
The delivery of the doctored file ceased on Saturday, 18 January, hours after it was blogged by a Twitter user by the name of @_jacobFish. Jacob has since taken down his blog and has disappeared, but that was only the beginning of the story.
It would seem that either True solved the problem that weekend or the attacker decided to stop the attacks and lie low. Emails shared with me from one of True’s customers however indicated that even by mid-week, the telco was still unable to replicate the issue and was asking users for help in doing so.
However, one network engineer set up a couple of scripts to repeatedly download pubads_impl_32.js from the relevant address and what happened surprised many.
Engineers must have wondered on and off if the attack was at the DNS server and for intermittent periods throughout last week, had turned off their own DNS resolver and instead forwarded DNS queries to Google’s DNS servers. Perhaps it was a DNS poisoning issue in the transparent proxy rather than a proxy issue per se.
A net neutrality dream come true? Some of my sources hailed it as a victory for a free internet all thanks to this unknown attacker.
The flip side was that resolving through Google DNS threw CDN networks into disarray. CDN depends on local resolving to identify the fastest local server and overnight True became a slow extension of the USA with content being delivered the long way round.
True sent me an email assuring me that the problem had been solved and I was ready to write about all this good news and how they had grown up, but then they had a relapse.
My contacts who had set up that script had expanded it to access content from the 100 most popular websites. The script would sound an alarm if the latency changed, essentially to act as an early warning system for True turning their transparent proxy back on, and turn it back on they did.
So the victory was short lived.
The original attack was simple - replace Google’s ads on just one of many servers with your own and make money. Had the ads not been annoying pop-ups perhaps nobody would have noticed. But the attacker had to get greedy and deliver more profitable, annoying pop-ups.
My network engineer friend said that what probably happened was that Google was probably angry at what True had been doing, allowing someone else (through lapse security) to syphon advertising revenue. So True was given a spanking and told to stop caching Google dynamic content, which they complied with.
The real question that nobody seems inclined to answer is whether the perpetrator has been caught and if not, does he still have access to True’s network?
All of this comes at an interesting point in time when the US is debating the loss of net neutrality. Thailand has never had net neutrality. Indeed, until a few years ago, IIG was a monopoly run by state telco CAT telecom but at least that part was deregulated. It is a scary reminder of what ISPs can do without net neutrality. Advertising revenue can easily be hijacked. Streaming can be disabled for competitors. Any OTT service can be blocked.
Indeed, that is already happening. Only if you are a giant like Google or Naver can you force the ISP to behave properly. Anyone else, any minnow, and they can stomp you out of existence without a second thought.
I wonder if anyone even is taking notice.