BSNL Adware injecting malicious advertisements to its users
BSNL, India's most used ISP has been the victim of an adware injection attack, where all its users are being affected adversely.
I was working from home from the past week, and I noticed a strange thing in my internet surfing. Often, I got redirected to aliexpress.com. It was weird since I wasn’t on any torrent site or shady site for that matter. It occurred intermittently, and I thought it was a browser extension Issue. I checked the same thing from my personal computer, and It was reproducible intermittently. I live in India, and I consume Bharat Sanchar Nigam Limited(BSNL) as my ISP. I use Gnu/Linux as my daily driver for work and personal use. I don’t think it was a virus/ malware in my PC. I reinstalled all the browsers in my work machine and personal computer; tried to reproduce the issue. Again a few sites redirected me to Aliexpress. One particular time, I was shocked to see an overlay/pop-up of BSNL Banner.
I looked into the origin of the banner, it is pointing to BSNL IP in Karnataka, India. I tried to reproduce the same issue, and it turns out the redirect to Aliexpress, and similar cases occur because of a JS malware originating from an IP which belongs to BSNL. I was spooked and ran a search across the Internet. This issue is prevailing for a year.
Let’s look at the issues, BSNL overlay banner and script Injection. BSNL has been redirecting its user to mail.bsnl.in for a long time. I ignored this since it was a publicly funded organisation and it was losing revenue. The redirection points to BSNL site, so it was not a significant issue.
One reddit User has been complaining about this for a long time his comment:
“I gave a complaint to a local exchange, district customer care, Public Grievance cell, and to whomever at the ministry of telecommunications whose email ids I managed to get from the ministry’s website. I did like 5–6 times explaining one way or other what exactly is the problem. Every Time, they replied like what mail, redirection only happens when session restarts etc. etc. Finally, when someone at Bangalore understood what was the problem, I got a reply that it was a policy decision made by the board and they can’t do nothing”
The redirection to AliExpress. It is an obfuscated JS script originating from 117.254.84.212 The redirection takes place via mixedhopeful.com and the site is famous for it’s malware(adware). The issue persists across several states in India, and I don’t think it is an issue with DNS as most users suggest. Either BSNL ad injection program sucks, or their server is messed up. Another Blogger profoundly wrote in his blog about the same issue.
Steps to reproduce:
1) Use BSNL ISP — Broadband
2) Visit any unsecured Site(HTTP only)
3) Click on a few tabs, and you will end up in Aliexpress(for now)
Here is a couple of links on the issue.
Reddit 1, Reddit 2 and broadband_forum
I am writing about this again to reach a wider audience. As a consumer, I could terminate my connection with BSNL or take some precaution.
For now, I am using Firefox with following plugins installed: ADblocker and HTTPSeverywhere which sort of helps. This problem needs a permanent solution as soon as possible.