TL;DR: Zong’s servers are compromised and are randomly serving ads to its internet customers. Read on!
I am addicted to Zong’s high speed internet and don’t plan on going back to PTCL again. But that doesn’t mean Zong is perfect.
For some time now, whenever I visit a website that is not on https, I am randomly redirected to some ad and a cycle of redirections starts. Here is an example:
I came to know that I am not alone. Here is one thread in a Facebook group:
It looks like a Zong specific problem. Let’s dig in.
I started looking at the page source of infected websites and quickly discovered that someone was replacing the Google Analytics script with their own. This only works when the script is loaded over http: a man-in-the-middle attack.
Here is how Google Analytics is usually added to a site:
But if that script is bad, it’s a disaster:
It’s not hard to guess that this attack is happening somewhere inside the Zong empire, since Zong has previously injected a toolbar too.
Notice the Server header in the response. I don’t think Google would ever use Microsoft-IIS to serve their analytics code:
After a few traceroutes it’s pretty clear that this is not DNS cache poisoning and is in fact a page-rewrite attack. Also, Zong is not doing this intentionally. Someone has either hacked their servers or an employee has acted on their own.
So let’s find out who owns these ads.
Notice in the above code that the analytics.js script further loads another script (either a.js or b.js, depending on what type of device you are using). Here is a snippet from b.js:
Line 1 is what causes all those frustrating redirects. The page redirects to the geo-tv.us domain, which further redirects to ads.
Here is a WHOIS snapshot of that domain:
At this point, I would like to say that my aim is not to put the blame on this domain’s owner. But he is probably getting loads of traffic to his website and I don’t think he could have failed to notice that.
The bad news is, there is no fix for this! Only and only Zong can put an end to this and frankly their customer service staff is completely dumb in this regard.
Here is a mirror of all scripts discussed above.
Thanks