They thought they were downloading Skype. Instead they got spyware

CBC

Updated March 9, 2018 at 12:01 a.m.

To censor the internet, 10 countries use Canadian filtering technology, researchers say

Since last fall, Turkish internet users attempting to download one of a handful of popular apps may have been the unwitting targets of a wide-reaching computer surveillance campaign.

And in Egypt, users across the country have, seemingly at random, had their browsing activity mysteriously redirected to online money-making schemes.

Internet filtering equipment sold by technology company Sandvine — founded in Waterloo, Ont. — is believed to have played a significant part in both.

That's according to new research from the University of Toronto's Citizen Lab, which has examined misuse of similar equipment from other companies in the past. The researchers say it's likely that Sandvine devices are not only being used to block the websites of news, political and human rights organizations, but are also surreptitiously redirecting users toward spyware and unwanted ads.

Using network-filtering devices to sneak spyware onto targets' computers "has long been the stuff of legends" according to the report — a practice previously documented in leaked NSA documents and spyware company brochures, the researchers say, but never before publicly observed.

"When you have this middlebox which is capable of filtering and modifying people's internet traffic, pretty much the sky's the limit in terms of what you can do," said Bill Marczak, one of the authors of the report.

'Dual-use' technologies

The report is a stark reminder of how internet filtering equipment designed for legitimate uses — such as managing network capacity — can also be abused.

The governments of Both Turkey and Egypt have for years used internet-filtering technology to monitor activity, crack down on dissent, and restrict free expression online. Such devices are currently exempt from internationally agreed upon export control laws governing "dual-use" technologies.

A spokesperson for Global Affairs Canada said the government was "concerned by allegations of the misuse of Canadian-made technology, including reports of its use in inappropriately preventing free access to the internet."

Elizabeth Reid said in a statement the government would "continue to engage with our partners on the review of this type of technology."

In January, the government established a new ombud role to "investigate allegations of human rights abuses linked to Canadian corporate activity abroad."

Waterloo, Ont.-based Sandvine was purchased by U.S. private equity firm Francisco Partners last year and merged with another computer networking company, Palo Alto, Calif.-based Procera. The resulting company operates under the Sandvine name.

In a statement, Francisco Partners said its companies are mandated to "operate in accordance with applicable law and strict ethics policies and practices, which include the protection of human rights," and has asked Sandvine to investigate.

Company vows to 'take appropriate action'

In a statement, Sandvine did not directly address Citizen Lab's findings, saying it had not been given a chance to review the full report.

Citizen Lab director Ron Deibert says providing the full report to Sandvine in advance would infringe upon Citizen Lab's rights to both academic and free expression.

"The technical details we provided are sufficient for Sandvine to investigate and respond," Deibert said in a statement.

He says Sandvine has threatened Citizen Lab with legal action.

Sandvine said it had started a preliminary investigation, and would "either validate or refute the Citizen Lab's claims and take appropriate action in accordance with our business ethics policies" once it had sufficient data and a copy of the full report.

The company says it employs "strong safeguards to ensure adherence to our principles of social responsibility, human rights and privacy rights," and has an ethics committee that reviews potential sales for risk of misuse.

Users redirected to spyware downloads

Citizen Lab researchers believe that the company is nonetheless enabling surveillance to take place in Turkey.

They say Sandvine's PacketLogic filtering technology operated by Turk Telecom was, until recently, configured to silently redirect users toward downloads infected with spyware — a technique known as a man-in-the-middle (MITM) attack.

In this configuration, the Sandvine filter inspected traffic that passed through it, looking for attempts to download popular apps like VLC media player, Avast Antivirus and unofficial distributions of Skype.

If such a request came from one of 259 targeted IP addresses identified by Citizen Lab, the request would be redirected to a malicious copy — without the user knowing. If installed, the user would have been silently infected with spyware.

But there is a catch: the connections had to be unencrypted for the filter to see them taking place. For this reason, many websites now serve content, including file downloads, over encrypted connections, to thwart MITM attacks.

Citizen Lab's researchers observed this behaviour in five Turkish provinces. However, it's difficult for the researchers to say how many users may have been targeted, or who the intended targets were — in part, because many users could be sharing the same IP address.

The injection of spyware briefly ceased in mid-February, only to resume this week, Marczak said.

Users sent to marketing sites

In Egypt, the researchers observed legitimate network traffic being redirected in a different way — not toward malicious files but to affiliate marketing websites, and to websites configured to mine cryptocurrency in visitors' web browsers.

They call this type of activity AdHose. It appears designed to make its operators money covertly, but who is behind it remains unclear.

Citizen Lab observed AdHose operating in one of two ways. In so-called spray mode, all users are indiscriminately redirected when their web traffic passes through the filter for a short period of time. In trickle mode, only visitors to certain sites are redirected. Previous findings suggest this practice has been in place since at least August 2016.

Sandvine's equipment is believed to be located very near, if not at, one of Egypt's four submarine cable landing sites, operated by Telecom Egypt, where all internet traffic enters and exits the country.

Findings 'inaccurate': Sandvine

It's not clear whether Sandvine employees working in Turkey or Egypt helped configure the devices, or were aware they had been configured to behave as documented by Citizen Lab.

To further back up their findings, the researchers acquired their own PacketLogic filtering device secondhand, and compared the behaviour of their device to the traffic patterns observed in Turkey and Egypt.

They say it is possible that someone could have copied the PacketLogic design and code to exhibit the same behaviour, or that the devices could rely on publicly available code that is also used by others, but that this is unlikely based on the code's distinct design.

Sandvine disputed Citizen Lab's findings, calling them "technically inaccurate and intentionally misleading," without going into specifics.

"There are many products on a network that are capable of redirecting network traffic," the company said, describing the feature as "technology that is commonly included in many types of technology products."

The Turkish and Egyptian embassies in Ottawa did not respond to a request for comment.

HuffPost
Trump Throws Absolute Fit In Late-Night Rant For The Strangest Possible Reason
The former president delivered a scathing response to a critic who just endorsed him.
3 hours ago
BANG Showbiz
Megan Thee Stallion being sued for ‘forcing cameraman watch her having lesbian sex!’
In a suit being brought by her ex-cameraman, Megan Thee Stallion is being sued for allegedly creating a hostile work environment and forcing her former videographer to watch her having lesbian sex.
a day ago
People
“Call Her Daddy'”s Alex Cooper Models Her Wedding Night Lingerie in Instagram Reveal: See the Racy Look
Cooper wore a sexy lacy bodysuit from SKIMS' Wedding Shop collection after marrying Matt Kaplan in Mexico
12 hours ago
Yahoo Canada Style
Sophie Grégoire Trudeau is leaning into the unknown for her next chapter: 'I'm OK with the uncertainty'
No question was off limits in Yahoo Canada's candid and emotional conversation with the "Closer Together" author.
2 days ago
Sacramento Bee
Ex-teacher had sex with her student on his 8th-grade graduation, California prosecutors say
The former Butte County teacher pleaded no contest Monday to the charges.
19 hours ago
People
Ex-Aide Says Melania Trump Will Be Watching 'Every Ounce' of Hush Money Trial — and Looking for 1 Thing
Stephanie Grisham, who served as chief of staff and press secretary to Melania, offered a window into her former boss's thinking as Donald's alleged affairs take center stage in the Manhattan trial
2 days ago
ABC News
'So appalled': What witnesses told special counsel about Trump's handling of classified info while still president
In the summer of 2019, only hours after an Iranian rocket accidentally exploded at one of Iran's own launch sites, senior U.S. officials met with then-president Donald Trump and shared a sharply detailed, highly classified image of the blast's catastrophic aftermath. Worried that the image becoming public could hurt national security efforts, intelligence officials urged Trump to hold off until more knowledgeable experts were able to weigh in, the sources said.
14 hours ago
The Daily Beast
Trump Picks Another Fight With Judge as He Waits for Contempt Ruling
PoolDonald Trump just can’t help himself.Moments after a contentious hearing about whether Trump should be held in contempt for violating his narrowly worded gag order, the former president took to his favorite social media platform to trash the judge who holds his fate. “HIGHLY CONFLICTED, TO PUT IT MILDLY, JUDGE JUAN MERCHAN, HAS TAKEN AWAY MY CONSTITUTIONAL RIGHT TO FREE SPEECH. EVERYBODY IS ALLOWED TO TALK AND LIE ABOUT ME, BUT I AM NOT ALLOWED TO DEFEND MYSELF,” Trump wrote on Truth Social
2 days ago
INSIDER
Where Reena Virk's killers are now almost 30 years on from her murder that inspired 'Under the Bridge'
Hulu's "Under the Bridge" tells the story of the 1997 murder of Canadian teen Reena Virk. Here's where her killers, Warren Glowatski and Kelly Ellard, are now.
a day ago
HuffPost
Donald Trump Will Hate What Mitt Romney Just Said About The Hush Money Trial
"So far as I know, you don't pay someone $130,000 not to have sex with you," the Utah senator remarked about the ex-president's payments to Stormy Daniels.
2 days ago
INSIDER
I tried Gordon Ramsay's favorite 10-minute pasta and now I know why he makes it every week
Gordon Ramsay swears by this easy 10-minute pasta dish, which he said has become a "regular midweek family meal" in his house.
13 hours ago
People
Kourtney Kardashian's Sexy Bikini Photo from Her 45th Birthday Leaves Husband Travis Barker Melting
Kardashian enjoyed a vacation in paradise with her husband and four kids in honor of "45 trips around the sun"
2 days ago
People
'My Drink Tasted Funny': Pregnant Woman's Last Words Revealed After Alleged Fatal Poisoning by Boyfriend
Jade Benning died on her 25th birthday on March 6 after she was rushed to the hospital the week before
2 days ago
The Daily Beast
How Putin’s Whirlwind Bromance Could End in a Kremlin Tragedy
Sputnik/Alexei Nikolsky/Kremlin via ReutersThe Kremlin is reportedly scrambling to find a successor to Ramzan Kadyrov following reports that the Chechen leader has been diagnosed with necrotizing pancreatitis, a terminal illness, according to Russian media reports.Kadyrov, also known as “Putin's attack dog” or “Putin’s soldier” for his loyalty to Russian President Vladimir Putin, has visited Moscow Central Clinical Hospital regularly through the years to undergo procedures. He was allegedly diag
2 days ago
Hello!
Prince Louis' birthday photos all have this in common – did you notice?
Prince William and Princess Kate's son, Louis, celebrated his sixth birthday with a new photo - and Kate Middleton has a habit of including the same detail in the annual portrait
a day ago
People
Florida Man Runs Over 11-Foot Alligator with Truck to Save Neighbor from Attack
"We pulled over and I got out of the car and saw that an alligator had him by the leg," Walter Rudder recalled to a local news outlet about the scary incident
a day ago
People
Kim Kardashian Reveals the Viral SKIMS Nipple Bra Was Modeled After Her Own Breasts
The bra was first released in October 2023
2 days ago
HuffPost
'I Shouldn't Have Said That': Joe Biden Mocks 1 Of Trump's Most Cherished Traits
The president took aim at one of his predecessor's personal trademarks -- and the audience loved it.
6 hours ago
The Daily Beast
‘Big Scandal’ Behind Russian Deputy Defense Minister’s Arrest
Moscow City Court Press Office/Handout via Reuters Russia’s deputy defense minister was arrested Wednesday just hours after attending a meeting of top military brass, according to federal investigators. Timur Ivanov is officially charged with accepting a massive bribe—but some sources say that’s just for show.“The bribe–that’s for the public. So far they don’t want to talk publicly about treason, it’s a big scandal. After all, it’s the deputy minister of defense,” one unnamed source close to the
a day ago
People
Claudia Schiffer Shouts Out Kylie Jenner's Vintage Bikini — and Shares Glam Photo Wearing the Same One in the '90s
Schiffer modeled the Chanel bikini on the runway and in the fashion house's ads
16 hours ago

Latest Stories