Ad campaign
Network anomalies reported in Egypt in 2016 sparked an investigation by OONI, leading to the publication of a research report that unveiled the covert presence of what appears to be an ad campaign. OONI’s investigation found that at least one ISP, state-owned Telecom Egypt (TE), was using Deep Packet Inspection (DPI) technology to conduct man-in-the-middle attacks to redirect users (attempting to access certain sites, such as pornography) to affiliate ads or malware.
A few months ago, the Citizen Lab published a research report which built upon OONI’s investigation, uncovering the breadth and scale of Egypt’s use of DPI devices to covertly raise money through affiliate ads and cryptocurrency mining. More specifically, they found that the ad injection identified by OONI in 2016 was probably the result of Sandvine PacketLogic devices and that (at least) 17 Egyptian ISPs carried out such injections. They also found that ISPs redirected users’ unencrypted HTTP connections to browser cryptocurrency mining scripts, in addition to revenue-generating content, such as affiliate ads.
Our analysis of all OONI Probe network measurements collected from Egypt over the last year includes hundreds of measurements (collected from multiple ASNs) that show the redirection of unencrypted HTTP connections to affiliate ads and cryptocurrency mining scripts, suggesting the presence of an ad campaign. Egyptian ISPs don’t seem to have a common policy in terms of how they implement redirects over time. In some cases, they appear to be implementing a chain of HTTP redirects, while in other cases, they implemented intermediate javascript-based redirects (which were sometimes obfuscated). And in some other cases, the redirects appear to be served directly from their DPI equipment.
The following table summarizes the amount of redirects that we found per ASN in each month between June 2017 to March 2018 (after which we found no other redirects in OONI measurements). We also provide a sample of some of the affected URLs and redirects per month, and list the total amount of measurements presenting redirects per ASN.
|
Date |
Affected ASNs & Redirect Count |
Sample of Affected URLs |
Traffic Sinks |
|
2017-06 |
28 — LINKdotNET, 23 — TE Data,4 — Etisalat |
and 31 more. |
|
|
2017-07 |
23 — TE Data,
13 — LINKdotNET, 1 — Noor |
2 “dead” websites |
|
|
2017-08 |
54 — TE Data,
15 — LINKdotNET, 2 — Noor |
and 9 more |
|
|
2017-09 |
30 — TE Data,
7 — LINKdotNET, 1 — Noor |
anpbolivia.com, and 4 more |
|
|
2017-10 |
32 — TE Data |
ppsmo.org and 2 more |
|
|
2017-11 |
29 — TE Data,
6 — LINKdotNET, 3 — Vodafone |
2 “dead” websites |
|
|
2017-12 |
60 — TE Data,
7 — LINKdotNET, 3 — Noor |
and 34 more |
|
|
2018-01 |
3 — Vodafone,
2 — TE Data, 1 — LINKdotNET, 1 — Noor |
and 4 more |
|
|
2018-02 |
3 — LINKdotNET,
2 — TE Data |
and 2 more |
|
|
2018-03 |
2 — TE Data,
1 — LINKdotNET |
bglad.com and one more |
From the above table, it’s evident that (at least) five Egyptian ISPs carried out an ad campaign between June 2017 to March 2018: Link Egypt, Telecom Egypt, Etisalat Misr, Noor, and Vodafone. Based on OONI measurements, these ISPs redirected unencrypted HTTP connections to content hosting affiliate ads. The above table includes some of the affected URLs per month, including: the Palestinian Prisoner Society, the Women’s International League for Peace and Freedom, the Women’s Initiatives for Gender Justice and Women in Black.
Detailed information based on our analysis, showing all of the affected sites and the injected redirects, is available here. A wide range of different types of sites were affected, including news websites, human rights sites, LGBTQI sites, VPN sites, Israeli sites, and porn sites. Egyptian ISPs even appear to redirect users attempting to access websites of the United Nations, such as un.org and ohchr.org.
Interestingly enough, we have not found any redirects or traces of an ad campaign after 9th March 2018, which coincides with the publication of the Citizen Lab’s research report on the issue. That said, it remains unclear if the ad campaign has terminated or not, particularly since the lack of redirects in recent measurements could potentially be attributed to a number of factors.
The above table, for example, shows that different URLs have been affected over time, and that redirects were only served for some URLs for a few months. We therefore cannot exclude the possibility of redirects being served for other URLs that weren’t tested over the last few months. Our findings are limited by the amount and types of URLs that were tested during this study, as well as by the URL selection bias (see the Methodology and Acknowledgement of Limitations sections of this report).
It’s worth highlighting that not all of the redirects that we found in OONI Probe measurements are malicious or for profit. Egyptian ISPs also injected notifications to inform users that they’re using outdated browsers (without proposing a specific browser, but redirecting to https://browsehappy.com/) and to remind them to top up their accounts.
Localizing middleboxes
Over the last year, localizing middleboxes used as part of ad campaigns in Egypt has become more challenging. In 2016, OONI reported that their latency analysis showed that Deep Packet Inspection (DPI) equipment sent redirects before a website sent its HTTP response, without terminating the session to the server (hence sending `408 Request Timeout` errors). This helped refute the hypothesis of sites potentially being infected with malware as part of redirects to malicious content.
The Citizen Lab’s recent report, however, shows that the redirects were injected upon receipt of an HTTP response, rather than an HTTP request. This suggests that Egyptian ISPs may have changed their DPI equipment over the last year and a half, raising the question of whether it has potentially been tuned to avoid latency-based detection.
Given that we haven’t found redirects in recent OONI measurements post March 2018 (as mentioned in the previous section), our ability to examine this further has been limited.
