Several internet service providers across the United States are using an online service to secretly spy on, and redirect their subscribers’ online searches, according to a group of researchers at the International Computer Science Institute in Berkeley, California.
The ISPs are monitoring, intercepting, and redirecting the searches that their subscribers are performing through the search boxes in their browsers, say the researchers.
“Instead of returning a legitimate address for search.yahoo.com, www.bing.com, and (sometimes) www.google.com, these ISPs returned the address of proxy servers,” Nick Weaver, one of the researchers, told TPM.
“These proxy servers impersonate the legitimate search engine by transparently forwarding requests to the legitimate search engine, but have the ability to both monitor all queries and change the results.”
From TPM IdeaLAB: http://idealab.talkingpointsmemo.com/2011/08/researchers-us-internet-service-providers-are-hijacking-customers-searches.php
The governments of the United States, Canada, and South Korea, as well as the UN, the International Olympic Committee, and 12 US defense contractors were among those hacked in a five-year hacking campaign dubbed “Operation Shady RAT” by security firm McAfee, which revealed the attacks. Many of the penetrations were long-term, with 19 intrusions lasting more than a year, and five lasting more than two. Targets were found in 14 different countries, across North America, Europe, India, and East Asia.
The infiltration was discovered when McAfee came across a command-and-control server, used by the hackers for directing the remote administration tools—”RATs,” hence the name “Operation Shady RAT”—installed in the victim organizations, during the course of an invesigation of break-ins at defense contractors. The server was originally detected in 2009; McAfee began its analysis of the server in March this year. On the machine the company found extensive logs of the attacks that had been performed. Seventy-two organizations were positively identified from this information; the company warns that there were likely other victims, but there was not sufficient information to determine what they were.
The attacks themselves used spear-phishing techniques that are by now standard. Apparently legitimate e-mails with attachments are sent to organization employees, and those attachments contain exploit code that compromise the employee’s system. These exploits are typically zero-day attacks. With a PC now compromised, the hackers can install RAT software on the victim PCs, to allow long-term monitoring, collection of credentials, network probing, and data exfiltration.