Rostelecom began substituting its advertising into subscriber traffic

Rostelecom, the largest broadband operator in the Russian Federation, serving about 13 million subscribers, has quietly put into operation a system that substitutes its advertising banners into subscribers' unencrypted HTTP traffic. Because the JavaScript blocks inserted into the transit traffic included obfuscated code and calls to dubious sites not affiliated with Rostelecom (p.analytic.press, d.d1tracker.ru, dmd.digitaltarget.ru), the initial suspicion was that the provider's equipment had been compromised and that malicious software had been introduced into the home router. But after a claim was sent, Rostelecom representatives pointed out that the advertising substitution is carried out as part of a service for displaying banner advertising to subscribers, which has been operating since February 10.

Advertising is shown through the mail.ru banner network, and user movements are tracked through d1tracker.ru (the handler is hosted in the Amazon cloud). The code also includes calls to the analytic.press domain, which was registered at the end of December.

As a rule, either a full-screen ad is displayed, covering the entire content of the page, or a banner is added to the top of the page. In most cases the inserted blocks look like annoying ads placed by the sites themselves, and the subscriber does not realize that the ad is in fact substituted by the provider. All kinds of services of third-party companies (not related to Rostelecom) are advertised, down to the sale of flashlights.

An example of the inserted code can be found in this archive. Part of the code is obfuscated and loaded dynamically, so without a detailed analysis it is difficult to judge whether it only inserts ads or also performs some other actions in the client's browser.
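A subscriber or site owner can check a page fetched over plain HTTP for references to the hosts named above. The following Python scanner is an added example, not code from the article or from the archive it mentions; the sample markup and its URL paths are constructed, and only the three host names come from the text.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts named in the article; subdomains of each are matched too.
INJECTION_HOSTS = ("analytic.press", "d1tracker.ru", "dmd.digitaltarget.ru")

def is_indicator(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in INJECTION_HOSTS)

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # tuples of (kind, tag, host)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in ("src", "href", "data") and value:
                try:  # urlsplit also resolves scheme-relative "//host/path"
                    host = urlsplit(value.strip()).hostname
                except ValueError:
                    continue        # malformed URL, nothing to match
                if is_indicator(host):
                    self.findings.append(("external", tag, host))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Catches hosts written in clear text inside inline scripts only;
        # an obfuscated loader is visible just through the request it makes.
        if self._in_script:
            for d in INJECTION_HOSTS:
                if d in data.lower():
                    self.findings.append(("inline", "script", d))

def scan_html(body):
    scanner = InjectionScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings

# Constructed sample response body (paths are made up for the example).
SAMPLE = """<script src="/static/app.js"></script>
<script src="//p.analytic.press/loader.js"></script>
<script>var u = "http://d.d1tracker.ru/" + "t";</script>
<iframe src="http://dmd.digitaltarget.ru/frame"></iframe>"""
```

Comparing the result for the same URL fetched over HTTP and over HTTPS (or from another network) shows whether the references were added in transit rather than by the site.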

The advertising substitution cannot be disabled through the regular interfaces of the personal account, but after a claim is written on the application page, Rostelecom employees disable it for specific subscribers. The question of whether only unencrypted HTTP traffic is being spoofed, or whether the company has also wedged itself into HTTPS traffic by substituting certificates, remained unanswered. The company's website contains no information about the start of modification of customers' transit traffic.

Source: opennet.ru