Turkish ISP Swapped Downloads of Popular Software with Spyware-Infected Apps

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Türk Telekom, a Turkish Internet Service Provider (ISP), has deployed special hardware to intercept and alter Internet traffic, swapping legitimate software downloads with similar applications, but infected with spyware.


A Citizen Lab report claims that Türk Telekom has deployed Sandvine PacketLogic middleboxes in five regions across the country. These devices are powerful traffic interception machines that can allow the ISP to spy on unencrypted traffic, and even alter its content by injecting additional code.

Middleboxes used as malware delivery system

According to the report, the devices deployed on the network of this ISP have been used as a malware delivery system.


Researchers spotted the middleboxes redirecting users attempting to download software from official websites to pages offering the same software but injected with the FinFisher spyware. In later cases, researchers say the payload switched from FinFisher to another spyware strain named StrongPity.


Citizen Lab says it identified such redirects when users tried to download the Avast Antivirus, CCleaner, VLC, Opera, and 7-Zip from their official websites.


Additionally, the ISP also tainted some software downloads hosted on CNET's Download.com platform in a similar manner, offering the spyware-infected version instead of the legitimate app.


These download switcheroos didn't happen for everyone. Citizen Lab says it identified 259 IP addresses for which the middleboxes replaced downloaded software. Some IPs belonged to users located in Syria, where some Türk Telekom subscribers provided Internet access via cross-border directional Wi-Fi links.

Government involvement highly probable

But researchers don't believe this is the work of a rogue employee. This is because the same ISP middleboxes have been used to censor access to various political domains — such as the website of the Kurdistan Workers' Party (PKK), Wikipedia, and the website of the Dutch Broadcast Foundation (NOS).


Furthermore, FinFisher isn't your regular run-of-the-mill malware. This is a very expensive "lawful intercept" product sold only to government agencies by the eponymous FinFisher company, a provider of government-grade surveillance technology.

The censorship of political domains and the deployment of spyware made available only to law enforcement suggests a heavy involvement of the Turkish government into the traffic interception scheme.

It is unclear if the government was going after dissidents or was cracking down on Syrian Kurdish troops, against which Turkish forces are engaged in military campaigns.

A wealth of additional details can be found in Citizen Lab's very detailed report on these two campaigns.
 
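The swap the report describes works because a plaintext download can be bounced, hop by hop, to a server the vendor does not control, and because most people never compare the file they received with the hash the vendor publishes. The script below is an added example, not code from Citizen Lab, Türk Telekom or this forum: it records every redirect a download takes, flags hops that are not HTTPS or that leave the vendor's domain, and checks the file's SHA-256 against a published value. The host names and hashes in it are constructed placeholders.

```python
"""Defensive download check (added example): audit the redirect chain a
download follows and verify the result against a vendor-published SHA-256.
All hosts and hashes below are constructed placeholders."""
import hashlib
import hmac
import urllib.request
from urllib.parse import urlparse


class RedirectRecorder(urllib.request.HTTPRedirectHandler):
    """Records each Location hop that urllib follows instead of hiding it."""

    def __init__(self):
        super().__init__()
        self.hops = []  # list of (status_code, url) in the order followed

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append((code, newurl))
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def audit_chain(start_url, hops, allowed_hosts):
    """Return findings for a redirect chain.

    A hop is suspicious if it is not HTTPS (an on-path middlebox can rewrite
    it) or if its host is outside the vendor's own domain(s)."""
    findings = []
    allowed = {h.lower() for h in allowed_hosts}
    for _code, url in [(None, start_url)] + list(hops):
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append(f"plaintext hop (rewritable in transit): {url}")
        host = (parts.hostname or "").lower()
        if host not in allowed and not any(host.endswith("." + a) for a in allowed):
            findings.append(f"hop leaves vendor domain: {url}")
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_download(data, expected_sha256):
    """Constant-time comparison of the file's SHA-256 with the published one."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def fetch_and_verify(url, allowed_hosts, expected_sha256, timeout=30):
    """Download `url`, then report the chain findings and the hash result.

    Returns (ok, findings, data); ok is True only when the chain is clean
    AND the hash matches."""
    recorder = RedirectRecorder()
    opener = urllib.request.build_opener(recorder)
    with opener.open(url, timeout=timeout) as resp:
        data = resp.read()
    findings = audit_chain(url, recorder.hops, allowed_hosts)
    if not verify_download(data, expected_sha256):
        findings.append("SHA-256 mismatch: file differs from the vendor-published hash")
    return (not findings), findings, data


if __name__ == "__main__":
    # Constructed chain modelled on the report: the official HTTPS page is
    # bounced through a plaintext hop to a look-alike host.
    sample_hops = [
        (302, "http://dl.example-vendor.com/app.exe"),
        (302, "http://mirror.not-vendor.example/app.exe"),
    ]
    for finding in audit_chain("https://www.example-vendor.com/download",
                               sample_hops, ["example-vendor.com"]):
        print("WARNING:", finding)
```

`fetch_and_verify` is the live version for a real vendor URL and the hash string copied from the vendor's download page; `audit_chain` is separated out so the chain logic can be exercised on captured data, as in the constructed sample at the bottom.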

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
This is why practically everyone should use a VPN while doing practically anything online. People should never trust their ISP, especially if you're in a country that is known for doing things like this often.
Why should I trust the VPN exit? Swapping one government for another... how can that be reliable?
 

Flengo

Level 2
Verified
Oct 19, 2017
52
Why should I trust the VPN exit? Swapping one government for another... how can that be reliable?
ISPs don't give any guarantee of privacy whatsoever - especially with news like the one in the OP coming out often - while there are a fair few VPNs that have proven themselves to be fairly trustworthy in terms of privacy.

Trust needs to be given to someone, I'd rather trust people whose business model is giving people privacy than those who do whatever they want with your traffic and are legally obligated to keep your internet history for a certain amount of time.

If a VPN that has built their business model on privacy is found out to be not respecting peoples' privacy, they'll lose their entire business (or at least most of it), so it's in their best interest to keep their promise to the customers.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
Why should I trust the VPN exit? Swapping one government for another... how can that be reliable?
It's reliable because they're living in a repressive regime that regularly jails and tortures innocent people under false pretence and whose ISPs are essentially under state control. A VPN provider situated in a non-hostile country is a much better alternative than your online activity going directly to said repressive government (assuming the use of anonymization software won't result in your imprisonment).
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
If a VPN that has built their business model on privacy is found out to be not respecting peoples' privacy, they'll lose their entire business (or at least most of it), so it's in their best interest to keep their promise to the customers.
Have to say I can't agree with this. HideMyAss and PureVPN have both handed over user data to the authorities (which resulted in arrests and charges being brought in both cases) and they're still in business. Fact is that most people will never hear about them handing over user data regardless of whether they're using their VPN service or not.

Don't get me wrong, I do believe VPNs have a place. I throw mine on whenever I'm visiting sites I don't want my ISP to have a record of, but those sites won't attract the attention of the authorities and I fully understand that my VPN provider can see everything I'm doing while using their service, and even though they say they don't log user activity I can't fully believe that until I've seen evidence proving otherwise.
 

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
Have to say I can't agree with this. HideMyAss and PureVPN have both handed over user data to the authorities (which resulted in arrests and charges being brought in both cases) and they're still in business. Fact is that most people will never hear about them handing over user data regardless of whether they're using their VPN service or not.
and this is why you don't just believe whatever bullcrap they state on their website, but look it up properly.
just like how every single antivirus suite claims 100% protection.
 
D

Deleted member 65228

the VPN provider is there to make money
your government is there to spy on you
Actually, I think you'll find that most VPNs probably will keep logs even if they claim they don't and share intelligence with authorities/government when enforced for them to do so. In fact, Avast are open about their VPN service and state that by law they have to co-operate with data sharing if enforced on their policies which can be read straight from their website.

As well as this, governments are known for using genuine services to infiltrate on people for surveillance. If you think that using a VPN is going to stop tracking properly then you're more inclined to use one, and thus may expose more whilst using a VPN than when not using a VPN -> perfect for surveillance. A government agency could always just breach a VPN provider a high priority target is using with no sweat.

A VPN is only useful for stopping an attacker (general) from stealing your IP address which could expose your identity/location data and be used to attack your network (e.g. DDoS attacks, port scanning, etc.). However, your identity can be exposed through a number of techniques regardless. A VPN can also be useful if your network is being sniffed without you knowing, good for using a public and open network. Government agency? Nope.
 
F

ForgottenSeer 58943

This is why practically everyone should use a VPN while doing practically anything online. People should never trust their ISP, especially if you're in a country that is known for doing things like this often.

ISPs in the USA have been doing similar things for decades - or even longer.

Take the curious case of NebuAD, a CIA front company masking themselves as an advertising revenue booster for ISPs. NebuAD was sort of like PHORM. It uses hardware installed at the ISP to inject into packets and perform redirections. It also infected browsers with exploit kits. This went on for quite some time without any regard for customers and their privacy. Another one was Paxfire, yet again an intelligence funded organization out of Reston Virginia posing as an ad-revenue firm which utilized NX redirects on mis-typed URLs from ISP customers, redirecting to Paxfire servers for injection. Then we can't forget Room 641A fiber taps on all AT&T customers.

Don't kid yourself, almost ALL ISPs in the USA continue to do this stuff. Almost all phone providers do it. If you trust your ISP I commend you. I've been a DOCSIS Engineer Advisor for a couple ISPs, and know full well not to trust them. Unfortunately there is no real answer to the problem other than our regulators getting some guts and putting privacy first for Americans.

A VPN can help, but a VPN isn't always speedy or practical and a VPN can open you up for more surveillance or MiTM activities. It's also pretty well known many VPNs are honeypots, like WiTopia which didn't properly mask their office location as being in the same office as a CIA field office. :p My advice, rather than attempting to mask all of your traffic, work on securing your private items with cascaded encryption. Trying to secure and obfuscate ALL of the traffic leaving your home is almost futile in this day and age.
 

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
Actually, I think you'll find that most VPNs probably will keep logs even if they claim they don't and share intelligence with authorities/government when enforced for them to do so. In fact, Avast are open about their VPN service and state that by law they have to co-operate with data sharing if enforced on their policies which can be read straight from their website.

As well as this, governments are known for using genuine services to infiltrate on people for surveillance. If you think that using a VPN is going to stop tracking properly then you're more inclined to use one, and thus may expose more whilst using a VPN than when not using a VPN -> perfect for surveillance. A government agency could always just breach a VPN provider a high priority target is using with no sweat.

A VPN is only useful for stopping an attacker (general) from stealing your IP address which could expose your identity/location data and be used to attack your network (e.g. DDoS attacks, port scanning, etc.). However, your identity can be exposed through a number of techniques regardless. A VPN can also be useful if your network is being sniffed without you knowing, good for using a public and open network. Government agency? Nope.
well this comes down to using VPN providers that are true to their words and/or already proven themselves.
like the PIA fiasco, or that for example OVPN is using ramdisks instead of hard drives to make sure logs aren't possible even on the physical level.
 
D

Deleted member 65228

well this comes down to using VPN providers that are true to their words and/or already proven themselves.
A government agency would hack them, subvert it and then clean-up and exit once the work is done. No one would find out for years or never. The US government was caught out for hacking phone provider networks a few years ago and the time of the operations was years before that as well.

Even if logs are not stored, data will temporarily be in memory. The government would simply be able to subvert it to auto-collect and filter the data.

I am also pretty sure that if the court ruled in the favor of the government, that the VPN provider can be forced to change their work and collect more data to provide a government with.

If Iraqi hackers working for the government could breach Kaspersky and no one knew a thing until it all came out, a VPN provider likely has zero chance.
 

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
A government agency would hack them, subvert it and then clean-up and exit once the work is done. No one would find out for years or never. The US government was caught out for hacking phone provider networks a few years ago and the time of the operations was years before that as well.

I am also pretty sure that if the court ruled in the favor of the government, that the VPN provider can be forced to change their work and collect more data to provide a government with.

If Iraqi hackers working for the government could breach Kaspersky and no one knew a thing until it all came out, a VPN provider likely has zero chance.
so just give up and submit to it? everything is possible, doesn't mean it has to happen to you.
your ISP is more likely going to do more harm than a potentially government infiltrated VPN provider, and unless you're doing something really nasty or really illegal, they won't reveal themselves.
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I prefer not using a VPN. Why? Because governments know that people who use VPNs have something to hide so they will have their data under even more scrutiny. In contrast, yes your ISP will report to the government if something is foul, but your ISP has many customers. If you behave like any other internet user, you will blend in. Besides we already are running the government's favorite spyware: Windows 10 and everyone downloaded it because it was free. Why would they bother trying anything more difficult? If you are under investigation, they just call your ISP, Microsoft, Google, Facebook and they'll already have 99% of all the information they need. If anything else is left, they just kick in your door and get your devices in person.

Notice that our government is not doing anything about VPNs. If VPNs were a real threat, they would have banned them already for national security reasons like they did Kaspersky. The fact that they don't tells you one BIG thing: They already found a way to ID people whether they use VPN or not (most likely hardware fingerprinting or identifying people by their browsing habits which is extremely reliable btw). Only thing VPN protects you from is DMCA notice and sometimes not even that...

The only way to stop the spying is forcing our legislators to change policy. That being said, if you live in Turkey, you're screwed anyway.
 
D

Deleted member 65228

so just give up and submit to it? everything is possible, doesn't mean it has to happen to you.
your ISP is more likely going to do more harm than a potentially government infiltrated VPN provider, and unless you're doing something really nasty or really illegal, they won't reveal themselves.
No, I'm not saying just hand over your data. I am saying that government agencies do things illegal all the time and will hack a VPN vendor like it's eating chocolate cake.

My point is that people should be using VPN to prevent an ISP or general malicious attacker from logging their network traffic, and especially when out-and-about using a public Wi-Fi. If a general attacker cannot obtain your IP address, then you are safer against networking attacks such as Distributed Denial of Service attacks.

However, people hiding behind a VPN to perform malicious activities which would be large enough for a government to become interested in... it will end up in tears. Therefore, use a VPN but not so you can feel invincible and start doing whatever you want because that isn't how it works.

As for government agencies and surveillance, there's other better ways to prevent being tracked. This would include using environments with fake data setup on Windows (or better yet, use Linux) in case Microsoft telemetry is being used to identify you, connecting to servers which are situated in foreign countries remotely and allowing them to handle operations, sending out random web request queries every hour from your network to cause genuine requests to be mixed up in thousands of random and meaningless search requests, storing personal and critical data on a machine which is not and never will be connected to the internet whilst maintaining encryption, etc. This is all theoretical though, I am not a surveillance expert who works for a government agency and probably never will be.

That was my point from the first post though regarding the VPN thing. :)
 
D

Deleted member 65228

Like what? Can you pls tell me that? I wanna know :D
Social networking, browser finger-printing techniques (even characteristics such as the window size can be used for tracking), writing style, choice of avatars, surveillance on your friends who are likely less experienced with computing and thus more vulnerable.

Let's not forget social engineering for phishing and malicious software, and WebRTC leaks to bypass browser-based proxies if WebRTC isn't patched up. If the system becomes infected and the VPN is enforced at a software-level then a kill-switch can be applied silently.

Oh, user agent as well.

Even using a VPN, the same VPN server ID will show up unless the location is regularly changed so unless many people are doing what you are doing then that can be used to track your whereabouts as well, especially when you have hundreds or thousands of employees working actively on tracking you.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
Opcode thank you for your response <3 but there are VPNs that have secure network infrastructures (I always check the ISP (VPN) website for security things before connecting to that server)
Example: Your data security is our priority - OVH Canada
I meant it's not that easy for my government to hack every VPN server! Maybe NSA can do that but not my government :D
 
D

Deleted member 65228

I meant it's not that easy for my government to hack every VPN server! Maybe NSA can do that but not my government :D
Yeah, not every government... but some. As for OVH, I reckon that a government agency could do it without a massive problem. They aren't invincible, nor is anyone else. If you have government resources then you have time, dedication, money, and very skilled researchers/hackers.
 
