Method found for injecting ads and pornography into web pages by exploiting Google Analytics


By Sean MacEntee

A method has been revealed that abuses bugs in routers, including those used in many homes, to deliver advertisements and pornographic content that were never meant to be displayed. The exploit uses malware called DNS Changer to illegitimately rewrite the DNS settings stored in the router, and in that way takes over the Google Analytics tag used in the page.

Ara Labs | Ad-Fraud Malware Hijacks Router DNS - Injects Ads Via Google Analytics
http://aralabs.com/blog/2015/03/25/ad-fraud-malware-hijacks-router-dns-injects-ads-via-google-analytics/

This mechanism was uncovered by Ara Labs, a provider of Internet security solutions. The video below shows an example of the effect it actually produces.

Ads Injected Via Hijacked Router DNS on Vimeo


An address is entered in the Google Chrome URL field. In this demonstration, the URL of The Verge is entered.


Soon after The Verge site is displayed, a banner advertisement that should not be there appears at the bottom of the screen ......


An advertisement that peels back on mouse-over was also displayed. This, too, does not appear on the original The Verge.


Next, The Huffington Post site is opened.


In the same way, a banner for online games that should not exist is displayed.


Finally, the New York Times site is displayed.


An advertisement for a pornographic site, which should not be there, was displayed at the lower left of the screen.


At first glance, each site appears to have been hacked and had ads illegitimately inserted, but in fact there is nothing wrong with the sites themselves. The real cause turns out to be an abuse of the Google Analytics tag embedded in each site.

◆ How ads and pornography are delivered by exploiting the Google Analytics mechanism
Google Analytics, offered by Google, is now used by a great many sites for its advanced site traffic analysis functions. To use it, the page administrator sets up the web tracking code, the Google Analytics tag, in the page's source code.


When a viewer opens a page where this code is set, the Google Analytics tag loads JavaScript that records actions related to page browsing, and the data is recorded. At this point, by improperly rewriting the information about which server is referenced, the request is diverted to an ad server or similar that should never be contacted, and illegitimate advertisements are displayed in place of Google Analytics.

The operation is illustrated as follows.
(1) When the viewer opens the page, the browser specifies the URL of the Google Analytics server and requests the necessary file.
(2) The host name in the specified URL is converted to an IP address based on the DNS settings stored in the router or elsewhere. If the router's DNS settings have been rewritten at this point, the IP address of a malicious third party is returned to the browser.
(3) The browser, having obtained the IP address, accesses the server at that address without question. The server returns advertisements and pornographic content that should never be sent to the viewer, and they are displayed in the page.


It looks as if each site has been hacked, but the actual problem lies in the router whose DNS configuration has been rewritten. The problem of DNS settings being rewritten through security holes in routers has been pointed out for some time, and this mechanism abuses that bug. The reason Google Analytics is abused is simply that "it is adopted on a wide range of sites".

◆ How do I solve the problem?
As described above, the cause in this case is that the router's DNS settings are rewritten, so in many cases the problem can be avoided by eliminating the bug. Reliably applying the firmware updates distributed by the router manufacturer is likely to avoid the risk of getting caught up in unnecessary trouble.
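Because the cause is the router's rewritten DNS settings, a client-side check can look for them directly. The following is an added example, not code from Ara Labs or the original article: it audits the resolvers a client was handed and compares the answers for one host name (such as the analytics server's) between the local resolver and a trusted reference. The expected-resolver list, sample settings and addresses are constructed assumptions.

```python
import ipaddress

# Assumption: the resolvers this network should use (router and ISP). Constructed values.
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.53"}

# Constructed samples of the resolv.conf-style settings a client received.
SAMPLE_CLEAN = "nameserver 192.168.1.1\n"
SAMPLE_REWRITTEN = "# pushed by router DHCP\nnameserver 203.0.113.66\n"


def parse_nameservers(resolv_conf):
    """Return the valid nameserver IPs found in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                continue  # malformed entry, ignore
    return servers


def answers_diverge(local, reference):
    """True when the two resolvers' answer sets share no address at all."""
    return bool(local) and bool(reference) and set(local).isdisjoint(reference)


def audit(resolv_conf, local_answers, reference_answers, expected=EXPECTED_RESOLVERS):
    """Combine both signals for one hostname, e.g. the analytics server's."""
    rogue = [s for s in parse_nameservers(resolv_conf) if s not in expected]
    diverged = answers_diverge(local_answers, reference_answers)
    if rogue and diverged:
        verdict = "likely-hijacked"
    elif rogue or diverged:
        # Divergence alone can be legitimate: different resolvers may return
        # different addresses for the same name. It also covers a router that
        # forwards DNS itself, where the client's settings still look clean.
        verdict = "investigate"
    else:
        verdict = "ok"
    return {"rogue_resolvers": rogue, "answers_diverge": diverged, "verdict": verdict}


if __name__ == "__main__":
    # Constructed answers for the analytics hostname from each resolver.
    print(audit(SAMPLE_REWRITTEN, {"203.0.113.10"}, {"198.51.100.20"}))
    print(audit(SAMPLE_CLEAN, {"203.0.113.10"}, {"198.51.100.20"}))
    print(audit(SAMPLE_CLEAN, {"198.51.100.20"}, {"198.51.100.20"}))
```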

From the perspective of advertisement providers, there is also the problem that their advertisements are displayed in a form they never intended, but there is currently no fundamental solution to this. Ara Labs, which published the results of this analysis, plans to take consultations through its contact point.

Posted by darkhorse_log