Thursday, September 13, 2018

TM Redirects Users To Advertisement Page When They Visit Non-Existent Websites


It has come to our attention that users that are browsing the Internet through TM’s network could be directed to a TM hosted page when they try to visit a non-existent website. While we were only notified about it earlier today, it has apparently been in place for the past few years.


In general, what happens is that users would be presented with a customized 404 not found page if they visited a website that doesn’t have a valid DNS entry. This particular website which apparently belongs to Yellow Pages Malaysia, itself a subsidiary of TM, would notify users that their web page could not be found alongside an advertisement banner.
The web page also contains a search box that links directly to Yellow Pages Malaysia’s website. Here is the difference between the rerouted page and standard error message for unresolved web address (also known as NXDOMAIN response) on Chrome:

Based on our experiment via unifi’s network, the rerouting will be triggered if users are using TM’s DNS settings. Once we switched to Google DNS (both IPv4 and IPV6), we would then receive the standard NXDOMAIN error message on Chrome instead of ending up on the advertisement webpage.
As mentioned earilier, this is nothing new and has been going on for the past few years. Local tech and security expert, Keith Rozario has actually mentioned this on his blog back in 2014 and has also pointed out several posts on Lowyat.NET Forums that mentioned similar cases in 2013.
Additionally, we have also noticed a blog that was created in 2016 which focused on advertisers that appear through TM. However, it seemed that the blog author only tracked them for two months.
While the means to do this isn’t exactly new, there is a pressing need to question the necessity of this feature, as well as its potential for abuse. For example, the link in the screenshot above is pointing to http://test.maybank2u.com.my, but its actually being served from a TM controlled server. This could easily be http://xyz.maybank2u.com.my or some other site which will still resolve to TM’s advertisement page.
From a more commercial standpoint, it is rather disappointing to see TM has decided to implement this as if the monthly Internet fee that consumers in Malaysia have to pay is not enough for the company that it sees a need to serve advertisements via unresolved DNS entries to its customers. Not to mention, it is being done without the users’ knowledge for such a long time.

A little more digging

After posting up this article, we decided to dig further into the technical details as well as the security implications of these ads appearing on almost every TM connected device.
The entire system itself doesn’t seem to belong to Telekom Malaysia or any of its subsidiaries. It belongs to a little known company by the name of Nervesis Sdn Bhd. The platform is called Midas, and from the description available on the website, seems to be a very specific system designed to run on TM’s network.
The page itself doubles up as an advertising page for potential clients, claiming to sell clicks as low as RM0.42 with the potential to reach ‘millions of Telekom Malaysia Subscribers’. It is safe to assume that the advertising via the Midas platform is controlled not by Telekom Malaysia, but by Nervesis Sdn Bhd.
The next obvious question we have to ask is, are TM customers aware of this arrangement, and was proper consent provided by TM customers to be directed to a 3rd party controlled site whenever a wrong or non-existent url is keyed into a browser.
Consent aside, security is the next key issue that we need to look at. From our checks, users are directed to a page, that is hosted on a server which we strongly believe is not hosted or controlled by Telekom Malaysia. This particular server, which also resolves domains like gaban.tk, 005tc.com and  002tc.com, we believe is a local nginx proxy which then pulls out an iframe, from Nervesis’ own CDN servers which are hosted in the United States. This iframe then pulls out another script from another 3rd party website at smartadserver.com. None of these servers provide any kind of encryption for the communications between them.
Now here comes the kicker. The page that is being served to a user when they accidentally type in a wrong url clocks in at over 500KB. The default chrome NXDOMAIN page will display a not found error without consuming any data.
How many times have you seen the TM 404 page not found today?

No comments:

Post a Comment

Quest VR Headsets To No Longer Require A Facebook Account For Login

Meta has recently announced that a Facebook account is no longer needed for Quest VR headset logins. Instead, owners are now required to cre...