ISPs Accused Of Hijacking Search Terms, Redirecting Browser Results To Marketer's Websites

from the yikes dept

It’s really quite stunning that ISPs and marketers haven’t yet realized that hijacking users’ browser functions and redirecting them for marketing purposes could get them into serious trouble. They just keep doing it. The latest involves “more than 10 ISPs” in the US who have been secretly hijacking search terms and redirecting users directly to marketers’ websites. That is, if you typed “apple” into a browser search box, the service could take you directly to Apple’s website, rather than to search results. In this case, the search query never even reaches your search engine of choice, being intercepted by the ISP, via a partner called Paxfire. Christian Kreibich and Nicholas Weaver, at Berkeley, discovered this and have been tracking it for a few months. Apparently, they found 165 search terms being used in this manner, including: “apple” and “dell” and “safeway” and “bloomingdales.”

From the article, it’s not clear if the companies such as those listed above are actually responsible. Instead, it looks like it may be part of an affiliate program, whereby a company signs up as an affiliate to such stores, then uses this kind of deal with an ISP to generate massive affiliate fees, some of which get kicked back to the ISP.

The report notes that Google became aware of this earlier this year and complained privately about it (why not publicly?). That resulted in the ISPs no longer intercepting Google traffic (which is the majority of search traffic), but it’s still pretty questionable. Either way, the excellent New Scientist report (linked above) also notes that a class action lawsuit has already been filed here, claiming that this violates the Wiretap Act.

What’s most amazing to me, however, is that anyone involved in schemes like this don’t think that it will eventually come out, and that they’ll (a) look terrible and (b) get sued.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “ISPs Accused Of Hijacking Search Terms, Redirecting Browser Results To Marketer's Websites”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Civil suit? No, this should be a federal criminal case

This clearly spans state boundaries, therefore the feds have jurisdiction. And it’s clearly illegal wiretapping, AND it may fall under RICO. The feds should come down on those responsible as hard as they possibly can — I think a lifetime prison sentence for them might just have a little value in discouraging the next idiots who think of trying this.

Manabi (profile) says:

Re: Civil suit? No, this should be a federal criminal case

A lifetime sentence might be a bit much, but if the feds would pursue the actual company owners/CEOs/etc. with wiretapping charges, then convict some of them on those charges and put the actual people in jail, it might have a deterrent effect. Right now all that generally happens is there’s lots of bad publicity and the company providing the technology either goes under, or renames/sells its assets off and repeats the procedure again in the future.

But if you have the actual masterminds going to jail, well now, the number of people actually willing to take the risk to run such a company will quickly dwindle. Those stupid enough to continue to risk it will end up in jail, and the others will find something else to do. (Probably also unethical and immoral, but maybe not illegal.)

CD (profile) says:

Comcast and Verizon.

I had something similar happen back when I was using Avant Browser. I accidentally closed the Verizon FIOS web page and when I used the mouse gesture to reopen the last closed tab it loaded up to a Comcast page selling Internet Service. I did that about 4 or 5 times and it happened each time. I shot a video with my cell phone but I don’t think it’s of good resolution to see the URL of the page that was closed and that of the one that opened but you can see the images and page content clearly.

chris says:

I’ve never heard much less experienced this before. I thought ISPs only did DNS Hijacking. In that case, all you miss out on is an error message. This sounds F’ed up. Using should put a stop to this.

Since you posed the questions,

(a) Only to an very small percentge of people who actually understand WTF just happened to their search.

(b) Who’s going to sue them? The average person is going to conclude it’s not worth the time and expense. A privacy rights organization might. However the ISP will probably pull some kind of “it’s in the TOS” deal and some crappy judge will uphold it.

Freedom says:

Google -- why not publicly?

>> The report notes that Google became aware of this earlier this year and complained privately about it (why not publicly?)

If you haven’t read the book by “Google Employee #59”, it is a great insight into the company and also touches on why Google would handle something like this privately.

The core gist of it (or at least how I read between the lines) is that Google ultimately knows that direct fights are expensive, have unintended consequences, etc. Essentially, they view “fighting the good fight” as declaring “war”, and are very hesitant to do so. In contrast, their secret weapon is an incredibly talented tech team that can work around and solve these types of issues for themselves while staying under the radar.


A. Non says:

Why will Congress not rid us of this pest?

Paxfire apparently currently occupies quarters formerly used by a janatorial services company which seems to have employed youth offenders in Texas to clean toilets in Brooks Air Force base. Which is interesting because Paxfire is in a much dirtier business.

Paxfire was founded in 2003, but appears to have been a spin-off from a slightly older company, Simena LLC, whose president, Seyzen Uysal, is an inventor named in at least one patent assigned to Paxfire. Both companies are located in Reston, VA, home of many companies which are involved in, shall we say, shady dealings involving the US government. Simena has about 5 employees and annual revenues of about 0.5 million, while Paxfire has about 21 employees with annual revenues of about 29 million. Paxfire operates servers in Asia, Europe, as well as the US, and has offices in the Holland, Germany, the United Kingdom; and Australia. Simena offers a device which sorts and tees traffic for further analysis (for example by a DPI box), while Paxfire offers devices which geolocates consumers and hijacks their search requests (often ALL search requests), sending the consumer to a fake Google server, a server which is actually operated by Paxfire, a company which has no business relations with Google (according to Google, and for once I believe the Chocolate Factory).

Initial mention of Paxfire in the press came mostly from business writers who appear to have been inclined to give the benefit of the doubt to co-founders Mark Lewyn, a former reporter, and Allan Sullivan. What I find remarkable about later coverage from tech writers is the depth of personal revulsion at the business practices of Paxfire (and sleazy ISPs which install Paxfire boxes in their server rooms) which is apparent in their writing. Another interesting feature is that it appears to be standard practice for ISPs to deliberately mislead their own helpline employees and even admins about the presence and function of the Paxfire boxes. It even seems that some smaller ISPs which hired a “modem management company” based in Pittsburgh, Ad-Base Systems, may have misled the ISPs about the presence and function of Paxfire boxes which Ad-Base had installed in its server rooms, allegedly without the knowledge of the ISPs (or at least, their admins). As one might expect, call center techies and admins who find out that they have been passing on misinformations to consumers are usually quite angry when they learn they have been deceived by their own company (or its business partners). (See the Google Knol cited below.)

Another aspect which doesn’t come through very clearly in most of the coverage is the extent to which Paxfire tries to hide its ownership of the fake Google servers behind front companies, and more generally of its business activities. It appears to describe itself by saying it offers “telecommunication services, namely, electronic data reception and transmission”, which is obviously extremely misleading. One page even mispells Mark Lewyn’s last name.

Reaction to VeriSign’s New 36-Hour Deadline
CircleID, 3 October 2003

Broken Links Lined With Gold for Paxfire
Washington Post, 30 January 2005

Interview with Mark Lewyn, Paxfire.
Mark talks about his experience raising money from the CIT GAP fund.
Keywords: Mark Lewyn Paxfire CIT GAP raising money
MeThings, 14 Jul 2005

Washington Post
Recent Deals, 23 May 2005
Paxfire Inc. , an Internet traffic reduction company in Reston, sold $2.1 million of series A preferred stock to three investors, according to an SEC filing. Paxfire will use the money for working capital. On Demand Venture Fund of San Francisco and three Paxfire executives were listed as beneficial owners.

The Typo Millionaires
The sordid history of the oldest scam on the Internet?and how to kill it off once and for all.
By Paul Boutin
Slate, 11 February 2005
DNS Squatting
The marketers are out to get you… and your little browser too.
How Paxfire stole – and nobody noticed. An introduction to DNS Squatting – why you should understand how it works and how it affects you when unscrupulous marketers play games with your DNS.
Joseph Harris
Google Knol, August 2008
US internet providers hijacking users’ search queries
Jim Giles
New Scientist, 4 August 2011
Widespread Hijacking of Search Traffic in the United States
Christian Kreibich (ICSI), Nicholas Weaver (ICSI) and Vern Paxson, with Peter Eckersley (EFF).
EFF, 4 August 2011
Small ISPs use “malicious” DNS servers to watch Web searches, earn cash
Nate Anderson
Ars Technica, 5 August 2011
10 ISPs Using Paxfire Tech to Track Users, Hijack Results
Karl Bode
DSL Reports, 5 August 2011
Why ISPs are hijacking your search traffic & how they profit from it
Jolie O’Dell
Venture Beat, 5 August 2011
Big US ISPs hijack search traffic
Inquirer, 5 August 2011
Several US ISPs Hijacking And Redirecting Their Customers’ Search Queries
Brad Chacos
MaximumPC, 5 August 2011
Study: Some ISPs Still Hijacking Search Results (Lawsuit Follows)
Devin Coldewey
Techcrunch, 5 August 2011
Many US ISPs in epidemic of covert search-hijacking of their customers
Cory Doctorow
BoingBoing, 5 August 2011

See also
US Patent 7631101, Systems and methods for direction of communication traffic
US Patent 7310686, Apparatus and method for transparent selection of an Internet server based on geographic location of a user

The Wikipedia article was apparently edited by Lewyn and has recently been moved which erased prior history; see
The version as on 8 August seemed pretty good, but it is strange that it describes Paxfire as a “startup” since it has been operating since 2003.

So why has Paxfire been allowed to operate unmolested for so long, despite such widespread knowlege of and revulsion from its business practices? Practices which, everyone seems to agree, are either criminal or ought to be? The explanation might be some contributions during the most recent presidential election:
Doug, Armentrout, COO, Paxfire, $250, National Republican Trust PAC
Kris Carter, General Counsel, Paxfire, $250, National Republican Trust PAC
Michael Subotin, Research Scientist, $1050 (total), Obama for America

Is that really the price of protection? A mere 1500? Can’t we collectively beat that and put this company out of business and its executives in the dock?

Actually, the true story may be even worse than that. Several of the fake Google servers reported to Google in 2008 were registered to L-3 Communications. Back in 2008, L-3’s webpages said little about the nature of its business, and the Wikipedia article described L-3 as a company which owned a lot of dark fiber. Convenient if you want to hide something ugly. But the current Wikipedia article is much more accurate. L-3 Communications is in fact the 8th largest US federal government contractor, with about 3.8 billion in federal contracts in 2011. It has annual revenue of about 15.7 billion, employs some 63,000 people, has offices all over the world. Its business? The current Wikipedia article says
L-3 Communications … supplies command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) systems and products, avionics, ocean products, training devices and services, instrumentation, space, and navigation products. Its customers include the Department of Defense, Department of Homeland Security, U.S. Government intelligence agencies, NASA, aerospace contractors and commercial telecommunications and wireless customers.
And this description is an accurate summary of how L-3 now describes itself.

The fake Google servers reported to Google in 2008 are still owned by L-3, but if they assigned to anyone, they are bogons. But one subnet previously used (allegedly) by Paxfire in 2008 to hide fake Google servers appears to have popped up again recently in what appears to be a scam in which traffic from US service persons seeking insurance is hijacked and sent to a malware serving site. Nasty, huh? Another of these subnets has recently been named in the ongoing genuine but improperly issued certificate issue, in which a certificate for the International Criminal Court appears to have been given up to an imposter.

Another company which sells multi GB/second deep packet inspection equipment to ISPs and internet backbone providers is Cisco, which has been accused for many years of close cooperation with the Chinese government in its population surveillance and censorship programs. And a UK based company, Gamma International, apparently tried to sell its own DPI equipment to pre-revolution Egypt, and appears to maintain an office in Syria. And there are possible indications here that a third company, Paxfire, may be involved in something which ought to concern the US Congress, even if trampling on consumer rights does not.

A. Non says:

The role of Ad-Base Systems, L-3 Communications, HBGary

I meant “Freedom”‘s comment.

The EFF summary and these two research papers are well worth reading:
The EFF researchers admitted they were surprised that millions of US persons turn out to have been victimized in this DNS hijacking, but their figure agrees with my estimate in 2008.

In the papers, “ISP” can be confusing. The researchers found that all the searches of 98% of the customers of Ad-Base Systems, based in Pittsburgh, were being hijacked (apparently by Paxfire boxes, with the connivance of Ad-Base). Ad-Base is not only a local ISP in that area but also operates a “managed modem” business, so dial-up customers of many local ISPs in other areas were actually being redirected to Ad-Base, and then their search requests were being sent to fake Google servers, apparently actually operated by Paxfire. In 2008 I found that some of these servers seemed to be registered to L-3 Communications and Internap, which also agrees with the EFF researcher’s findings. L-3 is the eighth largest US federal government contractor, and the nature of its business raises questions about its involvement in this business:
L-3 Communications Holdings, Inc. (NYSE: LLL) is a company that supplies command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) systems and products, avionics, ocean products, training devices and services, instrumentation, space, and navigation products. Its customers include the Department of Defense, Department of Homeland Security, U.S. Government intelligence agencies, NASA, aerospace contractors and commercial telecommunications and wireless customers.

The HBGary leak revealed that L-3 had solicited a prospectus from HBGary for a project which appears morally ambiguous, to say the least.

Anonymous Coward says:

The managed modem business

Forgot to say that Ad-Base System’s managed modem business is called GlobalPops.

Some other companies which appeared to be associated with rogue servers in 2008 were Allmar Networks and WOW.

As examples of Paxfire boxes performing typo-squatting: it seems that customers of some ISPs trying to search Google have recently wound up at pages with urls like this: & hxxp:// find?p=paxfire &
In these examples, something like is obviously a typo, but should resolve just fine. This is already objectionable and possibly illegal, I think. But what the EFF researchers found (as did I and others in 2008) is that Paxfire is in many cases hijacking ALL search requests, regardless of whether any typos occur, with Paxfire’s meddling being entirely hidden from the user (the fake Google pages being visually indistinguishable from the real thing). See
How Paxfire stole – and nobody noticed.
Joseph Harris
8 August 2008

for a screenshot from 2008, obtained by an ISP tech. In 2008, it seems that at least some ISPs which had hired GlobalPops were misled about the causes of customer complaints of hijacking. Surely that cannot be legal, can it?

I believe that investigations by Attorneys General of the various states, the Congress, the FTC, and the Department of Commerce (which investigated Paxfire back around 2005) are warranted.

A. Non says:

Why is Paxfire apparently hiding its fake Google servers behind front companies?

The paper by Weaver et al., “Implications of Netalyzr’s DNS Measurements”, mentions two subnets:

Anyone can look up the registration: is associated with Inc.
Development Gateway, Inc.
Level 3 Communications, Inc.
The first and last are two companies which came up when I investigated hijacking (of ALL searches, not just “typos”) in 2008. The second, oddly, claims to be a company which works with the UN to develop communication tools. is associated with:
Almar Networks LLC
Internap Network Services Corporation

As I said earlier, both these companies also came up in 2008 investigations as apparently having some murky affiliation with Paxfire. See the Knol by Joseph Harris.

Here some addresses for Almar Networks LLC which appear on the web:

RENO, NV 89509-7020

Almar Networks LLC
297 Kingsbury Grade, Suite D
Post Office Box 4470
Lake Tahoe, NV 89449-4470

Almar Networks LLC
Stateline, NV

And at we find that Almar is a registered commercial agent in the US State of Nevada, which is “managed” by

Some other companies also turn up which appear to be affiliated with Almar, in places like Florida and Zurich, so following the corporate structure should be a fruitful line of investigation.

A. Non says:

A consumer and a Paxfire victim, one of millions

Forget to say:

I am not affiliated in any way with Google, Comcast, Microsoft, or any other company, and I have absolutely no financial interest whatever in this mess. I am simply a consumer, a customer of an ISP and a former (current?) victim of Paxfire search term hijacking, possibly the one described in the Knol by Joseph Harris.

It is crucial to understand that, as my ISP verified in 2008 in independent testing, ALL my google searches were being hijacked, and this appeared to be true for ALL the customers of my ISP.

Once again I would like to draw the attention of reporters to the multiple-redirection documented by the research papers cited above. The authors note that this appears to be designed to fool advertisers into paying for supposed click throughs by many customers, when in fact these companies are paying because the search of one consumer was hijacked by equipment operated by murky companies which appear to be front companies for Paxfire. Now there is a name for that, isn’t there? Its called click-jacking, isn’t it?

Mark Lewyn’s protests that his company is doing nothing wrong, that this is all due to misunderstanding by consumers of what is going wrong with their searches, that if anything did go wrong it is only “by mistake” [sic], are in my view simply not credible. If this is “all a misunderstanding”, why do so many people, including admins for ISPs, say that Paxfire appears to routinely deceive them (the admins), not to mention the consumer?

I renew my call for investigation of Paxfire by the US Congress and by the Attorneys General of the US states (they can start by calling the AG of Nevada to ask about the relations between Almar and Paxfire, and the AG of Pennsylavania, to ask about the relations between Ad-Base, GlobalPops, and Paxfire).

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...