True Internet's proxy compromised

Don Sambandaraksa
13 Jan 2014

True Internet’s transparent proxy has been compromised, giving the attackers the ability to insert pop-up ads and to spy on users for months before details were made public.

Users of True fixed-line Internet across the country have been complaining of odd pop-up ads.

Twitter users @_jacobfish and @sajal published a detailed analysis of the attack, noting that the hackers were doing it for financial gain through affiliate programs. Most of the ads served from Google through a JavaScript applet were compromised: a hacked .js file, containing hard-coded links to certain sites, was served instead of the genuine Google version.

The JavaScript file has an expiry of one year, so even if the compromise ends, the malicious links will continue to be served for a year unless users clear their caches.

Jacob says that users have been complaining about the popups for months but to no avail.

However, hours after the technical details of the attack were published, the hijacking ceased. Whether it was True engineers waking up and fixing the problem or the hackers deciding to cover their tracks was not clear.

The way the attack was carried out calls into question Thailand’s censorship-by-proxy system that all ISPs apply. While this attack seemed to have only served compromised .js files that inserted ads, more dangerous payloads could have easily been inserted. It also would allow whoever controls the proxy to monitor the internet usage habits of users.
