TM : ISP Error Page Ads (landing.netmyne.com)
If you are using TM Streamyx and notice that whenever you mistype something in the address bar your browser ends up at http://landing.netmyne.com/index.jsp?mode=search&nlia=error_keyword, guess what! TM has added a wildcard to its DNS caching servers to capture typos and forward them to its error page / ads / internet keyword search site, landing.netmyne.com.
%dig wtf
; <<>> DiG 9.4.2-P1 <<>> wtf
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21728
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;wtf. IN A
;; ANSWER SECTION:
wtf. 0 IN A 203.106.203.238
;; Query time: 9 msec
;; SERVER: 202.188.0.133#53(202.188.0.133)
;; WHEN: Tue Sep 16 19:37:07 2008
;; MSG SIZE rcvd: 40
Instead of passing on the Non-Existent Domain (NXDOMAIN) response, TM’s name servers send the IP address of the Netmyne ad server as the answer. When the browser visits that page, the user sees a default search box from Google and TM’s promotional ads on the right, hijacking the user’s browser to show its cheap ads. It seems like TM is repeating the Earthlink/Barefruit mistake.
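A way to check whether a resolver rewrites NXDOMAIN like this, as an added example (not code from the original post): it parses the raw DNS reply and flags a NOERROR answer carrying an address for a name that cannot exist. The function names, the `.invalid` probe suffix and the `SAMPLE` bytes (rebuilt from the dig output above) are assumptions of this example.

```python
import secrets, socket, struct

def build_query(name, qid):
    """Encode a recursive A/IN query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    """Offset just past an encoded name (plain labels or a compression pointer)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_response(msg):
    """Return (rcode, [A-record addresses]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question entries
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0x000F, addrs

def classify(msg):
    """'nxdomain' is the honest answer; 'rewritten' means a made-up name got an address."""
    rcode, addrs = parse_response(msg)
    return "nxdomain" if rcode == 3 else "rewritten" if rcode == 0 and addrs else "other"

def probe(resolver, tries=3, timeout=3.0):
    """Query `resolver` for random names under .invalid (reserved, so they never exist)."""
    results = []
    for _ in range(tries):
        query = build_query(secrets.token_hex(8) + ".invalid", secrets.randbits(16))
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (resolver, 53))
            results.append(classify(s.recv(512)))
    return results

# Constructed sample: the 40-byte reply from the dig output above (NOERROR, qr rd ra, TTL 0)
SAMPLE = (struct.pack("!HHHHHH", 21728, 0x8180, 1, 1, 0, 0)
          + b"\x03wtf\x00" + struct.pack("!HH", 1, 1)
          + b"\x03wtf\x00" + struct.pack("!HHIH", 1, 1, 0, 4)
          + socket.inet_aton("203.106.203.238"))
```

`classify(SAMPLE)` reports the reply shown above as rewritten; `probe("<resolver address>")` runs the same check live against a resolver of your choice.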
Quoting from the wired.com site: security expert Dan Kaminsky has demonstrated the vulnerability by inserting a YouTube video into Facebook and PayPal domains. But a black hat hacker could instead embed a password-stealing Trojan and allow hackers to pretend to be a logged-in user, or to send e-mails and add friends to a Facebook account.
This is nothing new, but TM is repeating others’ mistake and putting its subscribers at risk. BTW, I have added a nice tag line in the image for TM: All_your_base_belongs_to_us wannabe.
Tuesday, September 16th, 2008





