Controversy has erupted in Thai social media regarding two domains, truemoveh.com and truecorp.com which appear to have been squatted on and currently redirect to rival Dtac instead.
Neither of the domains actually belong to TrueMove H 3G, which is officially on truemoveh.truecorp.co.th and trumove-h.com
When accessing from any ISP except True, it redirects to dtac.co.th, or rather an iframe that points to dtac.co.th hosted out of a server in Singapore. When accessed from True or TrueMove, the ISP uses a DNS hijack to redirect users back to http://truemoveh.truecorp.co.th/ most of the time.
The three-way handshake takes just 80ms from a True ADSL port, suggesting that the DNS hijacking takes place within Thailand.
The other half the time it uses a 302 redirect to http://58.97.5.29/annouce/court.html which is an announcement page that the website has been blocked by Thailand’s ICT Ministry..
This DNS analysis suggests that True first tries a DNS hijack and if it slips through, which is occasionally does, then uses its transparent proxy to block access to truemoveh.com.
Meanwhile, users from all other ISPs all get directed to the Singapore server that hosts an iframe with dtac.co.th inside.
Dtac PR denied any knowledge of this and said it was not a guerilla marketing gimmick on its
part.
The DNS records for truemoveh.com were registered to someone by the name of Zuopan
with a Chinese address and an @qq.com email address, though all of this could have easily been faked. The registration is dated March 2011. Emails to the address went unanswered.