
ISPs Accused Of Hijacking Search Terms, Redirecting Browser Results To Marketer's Websites

from the yikes dept

It's really quite stunning that ISPs and marketers haven't yet realized that hijacking users' browser functions and redirecting them for marketing purposes could get them into serious trouble. They just keep doing it. The latest involves "more than 10 ISPs" in the US who have been secretly hijacking search terms and redirecting users directly to marketers' websites. That is, if you typed "apple" into a browser search box, the service could take you directly to Apple's website, rather than to search results. In this case, the search query never even reaches your search engine of choice, being intercepted by the ISP, via a partner called Paxfire. Christian Kreibich and Nicholas Weaver, at Berkeley, discovered this and have been tracking it for a few months. Apparently, they found 165 search terms being used in this manner, including: "apple" and "dell" and "safeway" and "bloomingdales."

From the article, it's not clear if the companies such as those listed above are actually responsible. Instead, it looks like it may be part of an affiliate program, whereby a company signs up as an affiliate to such stores, then uses this kind of deal with an ISP to generate massive affiliate fees, some of which get kicked back to the ISP.

The report notes that Google became aware of this earlier this year and complained privately about it (why not publicly?). That resulted in the ISPs no longer intercepting Google traffic (which is the majority of search traffic), but it's still pretty questionable. Either way, the excellent New Scientist report (linked above) also notes that a class action lawsuit has already been filed here, claiming that this violates the Wiretap Act.

What's most amazing to me, however, is that anyone involved in schemes like this doesn't think that it will eventually come out, and that they'll (a) look terrible and (b) get sued.

Reader Comments


  • identicon
    Anonymous Coward, 5 Aug 2011 @ 2:44pm

    Civil suit? No, this should be a federal criminal case

    This clearly spans state boundaries, therefore the feds have jurisdiction. And it's clearly illegal wiretapping, AND it may fall under RICO. The feds should come down on those responsible as hard as they possibly can -- I think a lifetime prison sentence for them might just have a little value in discouraging the next idiots who think of trying this.


    • icon
      :Lobo Santo (profile), 5 Aug 2011 @ 2:52pm

      Re: Civil suit? No, this should be a federal criminal case

      Good Science I hope you're right.


    • identicon
      Anonymous Coward, 5 Aug 2011 @ 3:22pm

      Re: Civil suit? No, this should be a federal criminal case

      Yeah I had to re-read the first sentence a few times as well - one double negative too many


    • icon
      Manabi (profile), 6 Aug 2011 @ 3:37am

      Re: Civil suit? No, this should be a federal criminal case

      A lifetime sentence might be a bit much, but if the feds would pursue the actual company owners/CEOs/etc. with wiretapping charges, then convict some of them on those charges and put the actual people in jail, it might have a deterrent effect. Right now all that generally happens is there's lots of bad publicity and the company providing the technology either goes under, or renames/sells its assets off and repeats the procedure again in the future.

      But if you have the actual masterminds going to jail, well now, the number of people actually willing to take the risk to run such a company will quickly dwindle. Those stupid enough to continue to risk it will end up in jail, and the others will find something else to do. (Probably also unethical and immoral, but maybe not illegal.)


  • icon
    Dark Helmet (profile), 5 Aug 2011 @ 2:51pm

    Might wanna check that first sentence, Mike....


  • icon
    CD (profile), 5 Aug 2011 @ 3:57pm

    Comcast and Verizon.

    I had something similar happen back when I was using Avant Browser. I accidentally closed the Verizon FIOS web page and when I used the mouse gesture to reopen the last closed tab it loaded up to a Comcast page selling Internet Service. I did that about 4 or 5 times and it happened each time. I shot a video with my cell phone but I don't think it's of good resolution to see the URL of the page that was closed and that of the one that opened but you can see the images and page content clearly.


  • identicon
    Anonymous Coward, 5 Aug 2011 @ 4:19pm

    this is why you should NEVER install any ISP software, even their "so-called" free anti-virus software. If you always use a router/switch, as you should, they connect to that and your PC/Laptop(s) connect to that and need NO software from your ISP.


  • identicon
    Anonymous Coward, 5 Aug 2011 @ 4:20pm

    HTTPS Everywhere

    Perhaps due to some sort of synchronicity, HTTPS Everywhere 1.0 was released yesterday.


  • icon
    lucidrenegade (profile), 5 Aug 2011 @ 5:13pm

    ISP List

    Here's the list of ISPs from the article:

    Cincinnati Bell
    Insight Broadband
    Wide Open West
    XO Communication


  • icon
    faceless (profile), 5 Aug 2011 @ 5:55pm

    There is a similar problem with Mediacom, and they do this on such a low level that it still replaces error pages and search results even when using 3rd party DNS. And their 'Opt Out' page seems to forget that you opted out every few days to every few weeks.


  • identicon
    chris, 6 Aug 2011 @ 12:03am

    I've never heard much less experienced this before. I thought ISPs only did DNS Hijacking. In that case, all you miss out on is an error message. This sounds F'ed up. Using https://encrypted.google.com/ should put a stop to this.

    Since you posed the questions,

    (a) Only to a very small percentage of people who actually understand WTF just happened to their search.

    (b) Who's going to sue them? The average person is going to conclude it's not worth the time and expense. A privacy rights organization might. However the ISP will probably pull some kind of "it's in the TOS" deal and some crappy judge will uphold it.


  • identicon
    Anonymous Coward, 6 Aug 2011 @ 9:57am

    just to clarify

    is this only happening to those that are utilizing the ISP's nameservers?


  • identicon
    Freedom, 7 Aug 2011 @ 12:09pm

    Google -- why not publicly?

    >> The report notes that Google became aware of this earlier this year and complained privately about it (why not publicly?)

    If you haven't read the book by "Google Employee #59", it is a great insight into the company and also touches on why Google would handle something like this privately.

    The core gist of it (or at least how I read between the lines) is that Google ultimately knows that direct fights are expensive, have unintended consequences, etc. Essentially, they view "fighting the good fight" as declaring "war", and are very hesitant to do so. In contrast, their secret weapon is an incredibly talented tech team that can work around and solve these types of issues for themselves while staying under the radar.


  • identicon
    A. Non, 9 Aug 2011 @ 8:59am

    Google has known about this since at least 2008.


  • identicon
    A. Non, 9 Aug 2011 @ 10:33am

    Why will Congress not rid us of this pest?

    Paxfire apparently currently occupies quarters formerly used by a janitorial services company which seems to have employed youth offenders in Texas to clean toilets in Brooks Air Force base. Which is interesting because Paxfire is in a much dirtier business.

    Paxfire was founded in 2003, but appears to have been a spin-off from a slightly older company, Simena LLC, whose president, Seyzen Uysal, is an inventor named in at least one patent assigned to Paxfire. Both companies are located in Reston, VA, home of many companies which are involved in, shall we say, shady dealings involving the US government. Simena has about 5 employees and annual revenues of about 0.5 million, while Paxfire has about 21 employees with annual revenues of about 29 million. Paxfire operates servers in Asia, Europe, as well as the US, and has offices in Holland, Germany, the United Kingdom, and Australia. Simena offers a device which sorts and tees traffic for further analysis (for example by a DPI box), while Paxfire offers devices which geolocate consumers and hijack their search requests (often ALL search requests), sending the consumer to a fake Google server, a server which is actually operated by Paxfire, a company which has no business relations with Google (according to Google, and for once I believe the Chocolate Factory).

    Initial mention of Paxfire in the press came mostly from business writers who appear to have been inclined to give the benefit of the doubt to co-founders Mark Lewyn, a former reporter, and Allan Sullivan. What I find remarkable about later coverage from tech writers is the depth of personal revulsion at the business practices of Paxfire (and sleazy ISPs which install Paxfire boxes in their server rooms) which is apparent in their writing. Another interesting feature is that it appears to be standard practice for ISPs to deliberately mislead their own helpline employees and even admins about the presence and function of the Paxfire boxes. It even seems that some smaller ISPs which hired a "modem management company" based in Pittsburgh, Ad-Base Systems, may have been misled by Ad-Base about the presence and function of Paxfire boxes which Ad-Base had installed in its server rooms, allegedly without the knowledge of the ISPs (or at least, their admins). As one might expect, call center techies and admins who find out that they have been passing on misinformation to consumers are usually quite angry when they learn they have been deceived by their own company (or its business partners). (See the Google Knol cited below.)

    Another aspect which doesn't come through very clearly in most of the coverage is the extent to which Paxfire tries to hide its ownership of the fake Google servers behind front companies, and more generally of its business activities. It appears to describe itself by saying it offers "telecommunication services, namely, electronic data reception and transmission", which is obviously extremely misleading. One page even misspells Mark Lewyn's last name.

    Reaction to VeriSign's New 36-Hour Deadline
    CircleID, 3 October 2003

    Broken Links Lined With Gold for Paxfire
    Washington Post, 30 January 2005

    Interview with Mark Lewyn, Paxfire.
    Mark talks about his experience raising money from the CIT GAP fund.
    Keywords: Mark Lewyn Paxfire CIT GAP raising money
    MeThings, 14 Jul 2005

    Washington Post
    Recent Deals, 23 May 2005
    Paxfire Inc., an Internet traffic reduction company in Reston, sold $2.1 million of series A preferred stock to three investors, according to an SEC filing. Paxfire will use the money for working capital. On Demand Venture Fund of San Francisco and three Paxfire executives were listed as beneficial owners.

    The Typo Millionaires
    The sordid history of the oldest scam on the Internet—and how to kill it off once and for all.
    By Paul Boutin
    Slate, 11 February 2005

    DNS Squatting
    The marketers are out to get you... and your little browser too.
    How Paxfire stole Google.com - and nobody noticed. An introduction to DNS Squatting - why you should understand how it works and how it affects you when unscrupulous marketers play games with your DNS.
    Joseph Harris
    Google Knol, August 2008

    http://www.newscientist.com/article/dn20768-us-internet-providers-hijacking-users-search-queries.html
    US internet providers hijacking users' search queries
    Jim Giles
    New Scientist, 4 August 2011

    Widespread Hijacking of Search Traffic in the United States
    Christian Kreibich (ICSI), Nicholas Weaver (ICSI) and Vern Paxson, with Peter Eckersley (EFF).
    EFF, 4 August 2011

    http://arstechnica.com/tech-policy/news/2011/08/small-isps-turn-to-malicious-dns-servers-to-make-extra-cash.ars
    Small ISPs use "malicious" DNS servers to watch Web searches, earn cash
    Nate Anderson
    Ars Technica, 5 August 2011

    10 ISPs Using Paxfire Tech to Track Users, Hijack Results
    Karl Bode
    DSL Reports, 5 August 2011

    Why ISPs are hijacking your search traffic & how they profit from it
    Jolie O'Dell
    Venture Beat, 5 August 2011

    Big US ISPs hijack search traffic
    Inquirer, 5 August 2011

    http://www.maximumpc.com/article/news/several_us_isps_hijacking_and_redirecting_their_customers_search_queries
    Several US ISPs Hijacking And Redirecting Their Customers' Search Queries
    Brad Chacos
    MaximumPC, 5 August 2011

    http://techcrunch.com/2011/08/05/study-some-isps-still-hijacking-search-results-lawsuit-follows/
    Study: Some ISPs Still Hijacking Search Results (Lawsuit Follows)
    Devin Coldewey
    Techcrunch, 5 August 2011

    http://boingboing.net/2011/08/05/many-us-isps-in-epidemic-of-covert-search-hijacking-of-their-customers.html
    Many US ISPs in epidemic of covert search-hijacking of their customers
    Cory Doctorow
    BoingBoing, 5 August 2011

    See also
    US Patent 7631101, Systems and methods for direction of communication traffic
    US Patent 7310686, Apparatus and method for transparent selection of an Internet server based on geographic location of a user

    The Wikipedia article was apparently edited by Lewyn and has recently been moved which erased prior history; see
    The version as on 8 August seemed pretty good, but it is strange that it describes Paxfire as a "startup" since it has been operating since 2003.

    So why has Paxfire been allowed to operate unmolested for so long, despite such widespread knowledge of and revulsion from its business practices? Practices which, everyone seems to agree, are either criminal or ought to be? The explanation might be some contributions during the most recent presidential election:

    Doug Armentrout, COO, Paxfire, $250, National Republican Trust PAC
    Kris Carter, General Counsel, Paxfire, $250, National Republican Trust PAC
    Michael Subotin, Research Scientist, $1050 (total), Obama for America

    Is that really the price of protection? A mere 1500? Can't we collectively beat that and put this company out of business and its executives in the dock?

    Actually, the true story may be even worse than that. Several of the fake Google servers reported to Google in 2008 were registered to L-3 Communications. Back in 2008, L-3's webpages said little about the nature of its business, and the Wikipedia article described L-3 as a company which owned a lot of dark fiber. Convenient if you want to hide something ugly. But the current Wikipedia article is much more accurate. L-3 Communications is in fact the 8th largest US federal government contractor, with about 3.8 billion in federal contracts in 2011. It has annual revenue of about 15.7 billion, employs some 63,000 people, and has offices all over the world. Its business? The current Wikipedia article says
    L-3 Communications ... supplies command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) systems and products, avionics, ocean products, training devices and services, instrumentation, space, and navigation products. Its customers include the Department of Defense, Department of Homeland Security, U.S. Government intelligence agencies, NASA, aerospace contractors and commercial telecommunications and wireless customers.
    And this description is an accurate summary of how L-3 now describes itself.

    The fake Google servers reported to Google in 2008 are still owned by L-3, but if they assigned to anyone, they are bogons. But one subnet previously used (allegedly) by Paxfire in 2008 to hide fake Google servers appears to have popped up again recently in what appears to be a scam in which traffic from US service persons seeking insurance is hijacked and sent to a malware serving site. Nasty, huh? Another of these subnets has recently been named in the ongoing genuine but improperly issued certificate issue, in which a certificate for the International Criminal Court appears to have been given up to an imposter.

    Another company which sells multi GB/second deep packet inspection equipment to ISPs and internet backbone providers is Cisco, which has been accused for many years of close cooperation with the Chinese government in its population surveillance and censorship programs. And a UK based company, Gamma International, apparently tried to sell its own DPI equipment to pre-revolution Egypt, and appears to maintain an office in Syria. And there are possible indications here that a third company, Paxfire, may be involved in something which ought to concern the US Congress, even if trampling on consumer rights does not.


  • identicon
    A. Non, 9 Aug 2011 @ 12:37pm

    Why not publicly?

    My (much) longer comment appears to have been lost, but I believe that identicon's guess is correct, based on my own conversations about this issue with Google.


  • identicon
    A. Non, 9 Aug 2011 @ 12:54pm

    The role of Ad-Base Systems, L-3 Communications, HBGary

    I meant "Freedom"'s comment.

    The EFF summary and these two research papers are well worth reading:
    http://www.icir.org/christian/publications/2011-satin-netalyzr.pdf
    http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf
    The EFF researchers admitted they were surprised that millions of US persons turn out to have been victimized in this DNS hijacking, but their figure agrees with my estimate in 2008.

    In the papers, "ISP" can be confusing. The researchers found that all the searches of 98% of the customers of Ad-Base Systems, based in Pittsburgh, were being hijacked (apparently by Paxfire boxes, with the connivance of Ad-Base). Ad-Base is not only a local ISP in that area but also operates a "managed modem" business, so dial-up customers of many local ISPs in other areas were actually being redirected to Ad-Base, and then their search requests were being sent to fake Google servers, apparently actually operated by Paxfire. In 2008 I found that some of these servers seemed to be registered to L-3 Communications and Internap, which also agrees with the EFF researchers' findings. L-3 is the eighth largest US federal government contractor, and the nature of its business raises questions about its involvement in this business:

    L-3 Communications Holdings, Inc. (NYSE: LLL) is a company that supplies command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) systems and products, avionics, ocean products, training devices and services, instrumentation, space, and navigation products. Its customers include the Department of Defense, Department of Homeland Security, U.S. Government intelligence agencies, NASA, aerospace contractors and commercial telecommunications and wireless customers.

    The HBGary leak revealed that L-3 had solicited a prospectus from HBGary for a project which appears morally ambiguous, to say the least.


  • identicon
    Anonymous Coward, 9 Aug 2011 @ 1:10pm

    The managed modem business

    Forgot to say that Ad-Base System's managed modem business is called GlobalPops.

    Some other companies which appeared to be associated with rogue servers in 2008 were Allmar Networks and WOW.

    As examples of Paxfire boxes performing typo-squatting: it seems that customers of some ISPs trying to search Google have recently wound up at pages with urls like this:
    autocorrect.sendori.com/autocorrect?p=paxfire&t=9_31_1_42_1_0_27
    goto.searchassist.com/find?p=paxfire&s=wwwurnextenant.info&t=9_33_1_0_1_12_1
    goto.searchassist.com/find?p=paxfire&s=www.sabteahval.ir&t=9_33_1_0_1_12_1
    goto.searchassist.com/find?p=paxfire&s=axxo.superfundo.org&t=9_26_1_0_1_4_1
    goto.searchassist.com/find?p=paxfire&s=www.mcdgc.go.tz&t=9_33_1_0_1_12_1
    goto.searchassist.com/find?p=paxfire&s=goto.searchassist.comhttp%3A&t=9_33_1_0_1_12_2
    hxxp://goto.searchassist.com/find?p=paxfire&s=www.cfjvhjgcjfvhgkjh.net
    goto.searchassist.com/find?p=paxfire&s=www.filesonic.com&t=9_32_1_0_1_7_2
    In these examples, something like wwwurnextenant.info is obviously a typo, but www.filesonic.com should resolve just fine. This is already objectionable and possibly illegal, I think. But what the EFF researchers found (as did I and others in 2008) is that Paxfire is in many cases hijacking ALL search requests, regardless of whether any typos occur, with Paxfire's meddling being entirely hidden from the user (the fake Google pages being visually indistinguishable from the real thing). See

    How Paxfire stole Google.com - and nobody noticed.
    Joseph Harris
    8 August 2008

    for a screenshot from 2008, obtained by an ISP tech. In 2008, it seems that at least some ISPs which had hired GlobalPops were misled about the causes of customer complaints of hijacking. Surely that cannot be legal, can it?

    I believe that investigations by Attorneys General of the various states, the Congress, the FTC, and the Department of Commerce (which investigated Paxfire back around 2005) are warranted.

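The article describes a search request that is intercepted before it reaches the engine and answered with a redirect to a marketer's site, and the comment above quotes the searchassist redirect URLs, with their p= partner tag and s= original-hostname parameter, produced by the typo-squatting variant. The following is an added example of how a defender could flag both patterns in HTTP log records; it is not Techdirt's code, nor code from Paxfire, the ISPs or the ICSI/EFF researchers. The log field names (requested_host, status, location) and the SEARCH_HOSTS allowlist are assumptions, and the sample records are constructed, not captured traffic.

```python
"""Flag ISP search-hijack indicators in HTTP log records.

Example added to this page for illustration; it is not Techdirt's code and
is not taken from Paxfire, the ISPs, or the ICSI/EFF researchers. The records
below are constructed to mirror the two behaviours described on the page: a
search request that comes back as a redirect to a marketer's site, and a
typed hostname that is bounced to a "search assist" partner host carrying
p=/s= parameters like those quoted in the comments.
"""
from urllib.parse import parse_qs, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Hosts at which a search request is expected to terminate. Assumption: a
# real deployment fills this from its own allowlist, including the engine's
# regional hostnames; otherwise legitimate in-engine redirects get flagged.
SEARCH_HOSTS = {
    "www.google.com",
    "encrypted.google.com",
    "www.bing.com",
    "search.yahoo.com",
}


def parse_redirect_target(url):
    """Split a redirect URL into its host and the p= / s= query parameters."""
    if "://" not in url:            # the URLs quoted on the page lack a scheme
        url = "http://" + url
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return {
        "host": (parts.hostname or "").lower(),
        "partner": query.get("p", [None])[0],        # e.g. p=paxfire
        "original_host": query.get("s", [None])[0],  # hostname the user asked for
    }


def classify(record):
    """Return the hijack indicators for one record (empty list means clean).

    A record is a dict with requested_host, status and, for redirects,
    location. These field names are assumed; map them onto your proxy's
    own log schema.
    """
    indicators = []
    if record["status"] not in REDIRECT_STATUSES or not record.get("location"):
        return indicators           # no redirect, nothing to judge at this layer
    requested = record["requested_host"].lower()
    target = parse_redirect_target(record["location"])

    # Indicator 1: a search request that never lands on a search engine.
    if requested in SEARCH_HOSTS and target["host"] not in SEARCH_HOSTS:
        indicators.append(
            f"search request to {requested} redirected off-engine to {target['host']}"
        )

    # Indicator 2: a cross-host redirect whose s= parameter echoes the host the
    # user typed, the signature of the typo-squatting redirects quoted above.
    echoed = (target["original_host"] or "").lower()
    if target["host"] != requested and echoed == requested:
        detail = f" (partner tag p={target['partner']})" if target["partner"] else ""
        indicators.append(
            f"request for {requested} bounced to {target['host']} with s={echoed}{detail}"
        )
    return indicators


def scan(records):
    """Map record index -> indicators for every record that raised at least one."""
    return {i: hits for i, rec in enumerate(records) if (hits := classify(rec))}


# Constructed sample records (not real captures).
SAMPLE_RECORDS = [
    {"requested_host": "www.google.com", "status": 302,
     "location": "http://www.apple.com/"},
    {"requested_host": "www.filesonic.com", "status": 302,
     "location": "goto.searchassist.com/find?p=paxfire&s=www.filesonic.com&t=9_32_1_0_1_7_2"},
    {"requested_host": "encrypted.google.com", "status": 200, "location": None},
    {"requested_host": "www.google.com", "status": 302,
     "location": "https://www.google.com/search?q=apple"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_RECORDS).items():
        for hit in hits:
            print(f"record {index}: {hit}")
```

This check only sees redirects the browser is shown. The 2008 case described later in the thread, where the page is served from the real Google hostname by a fake server, produces no redirect at all, so an HTTP-log rule cannot catch it; the control the commenters name for that case, an HTTPS connection whose certificate validates, is what removes the fake server from the path, which is why a DNS-only or redirect-only check should be paired with TLS verification.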

  • identicon
    A. Non, 10 Aug 2011 @ 12:57pm

    Why is Paxfire apparently hiding its fake Google servers behind front companies?

    The paper by Weaver et al., "Implications of Netalyzr's DNS Measurements", mentions two subnets:

    Anyone can look up the registration: is associated with
    Co-Location.com Inc.
    Development Gateway, Inc.
    Level 3 Communications, Inc.
    The first and last are two companies which came up when I investigated hijacking (of ALL searches, not just "typos") in 2008. The second, oddly, claims to be a company which works with the UN to develop communication tools. is associated with:
    Almar Networks LLC
    Internap Network Services Corporation

    As I said earlier, both these companies also came up in 2008 investigations as apparently having some murky affiliation with Paxfire. See the Knol by Joseph Harris.

    Here some addresses for Almar Networks LLC which appear on the web:

    4231 DANT BLVD
    RENO, NV 89509-7020

    Almar Networks LLC
    297 Kingsbury Grade, Suite D
    Post Office Box 4470
    Lake Tahoe, NV 89449-4470

    Almar Networks LLC
    Stateline, NV

    And at www.nvsos.gov/SOSEntitySearch/CorpDetails.aspx? we find that Almar is a registered commercial agent in the US State of Nevada, which is "managed" by
    STERLING, VA 20164

    Some other companies also turn up which appear to be affiliated with Almar, in places like Florida and Zurich, so following the corporate structure should be a fruitful line of investigation.


  • identicon
    A. Non, 10 Aug 2011 @ 1:31pm

    A consumer and a Paxfire victim, one of millions

    Forgot to say:

    I am not affiliated in any way with Google, Comcast, Microsoft, or any other company, and I have absolutely no financial interest whatever in this mess. I am simply a consumer, a customer of an ISP and a former (current?) victim of Paxfire search term hijacking, possibly the one described in the Knol by Joseph Harris.

    It is crucial to understand that, as my ISP verified in 2008 in independent testing, ALL my google searches were being hijacked, and this appeared to be true for ALL the customers of my ISP.

    Once again I would like to draw the attention of reporters to the multiple-redirection documented by the research papers cited above. The authors note that this appears to be designed to fool advertisers into paying for supposed click-throughs by many customers, when in fact these companies are paying because the search of one consumer was hijacked by equipment operated by murky companies which appear to be front companies for Paxfire. Now there is a name for that, isn't there? It's called click-jacking, isn't it?

    Mark Lewyn's protests that his company is doing nothing wrong, that this is all due to misunderstanding by consumers of what is going wrong with their searches, that if anything did go wrong it is only "by mistake" [sic], are in my view simply not credible. If this is "all a misunderstanding", why do so many people, including admins for ISPs, say that Paxfire appears to routinely deceive them (the admins), not to mention the consumer?

    I renew my call for investigation of Paxfire by the US Congress and by the Attorneys General of the US states (they can start by calling the AG of Nevada to ask about the relations between Almar and Paxfire, and the AG of Pennsylvania, to ask about the relations between Ad-Base, GlobalPops, and Paxfire).
