ISP Injects Ads into Paying Subscribers’ Web Content
Customers of a small cable operator in the southern United States recently noticed banner ads appearing at the bottom of popular websites such as Bing, Target, eBay, and Amazon, which normally don’t place ads there. After some detective work, two clients concluded the Internet service provider was injecting the ads into the sites through JavaScript from an outside company.
Robert Silvie and Zack Henkel noticed the suspicious ads while each was using CMA Communications, which provides Internet, TV and phone services to rural areas of Mississippi, Louisiana, Texas, and Nevada. In addition to the ads appearing on sites that typically had none, they also sometimes replaced existing ads on webpages.
Henkel, a computer science Ph.D. student, was browsing the Apple Store site when he saw an H&R Block banner ad at the bottom of the page. He describes in a post on his blog what he saw when he visited Apple.com:
At the bottom of the carefully designed white and grey webpage, appeared a bright neon green banner advertisement proclaiming: 'File For Free Online, H&R Block.' I quickly deduced that either Apple had entered in to the worst cross-promotional deal ever, or my computer was infected with some type of malware. Unfortunately, I would soon discover there was a third possibility, something much worse.
To make sure the issue wasn’t with his MacBook Pro, Henkel went to the site from his Android-running phone and other devices. The ad showed up on each of them. He turned off the Wi-Fi on his phone, and the ads disappeared. He determined that if it wasn’t some kind of pop-up malware and the ads didn’t show up when using a cellular network, it must have been the ISP.
"I pulled up the Web inspector in Chrome and examined the source of a page which had the ad," Henkel wrote. "Appended to the very end of the HTML file for the webpage was a single line which called to r66t.com for a JavaScript file."
Henkel called CMA tech support and filed a complaint with the Federal Communications Commission. After unhelpful responses, he posted to reddit to let people know about his findings.
According to the Ars Technica article that investigated the situation, neither R66T nor CMA Communications has responded to reporters’ questions about a partnership.
Advertisers and ISPs have worked together to plaster ads over website content in the past, with the same outraged results from subscribers. In 2011, cable operator Mediacom Communications used deep packet inspection and JavaScript injection technology to similarly insert ads into sites. The practice causes security concerns for users who expect their webpage requests to be routed straight to the websites they are trying to reach, rather than being vulnerable to code injected by a third party along the way.
