Website-Targeted False Content Injection by Network Operators
This work exposes a widespread security and privacy threat for all Internet users by identifying content injection by core operators, which is more impactful than previous edge-focused studies.
The study reveals that core network operators, not just edge ISPs, inject false content into users' traffic, affecting all Internet users visiting predetermined websites, with analysis showing this practice primarily aims to increase revenue through ad insertion but also includes malicious content.
It is known that some network operators inject false content into users' network traffic. Yet all previous works that investigate this practice focus on edge ISPs (Internet Service Providers), namely, those that provide Internet access to end users. Edge ISPs that inject false content affect their customers only. However, in this work we show that not only edge ISPs may inject false content, but also core network operators. These operators can potentially alter the traffic of \emph{all} Internet users who visit predetermined websites. We expose this practice by inspecting a large amount of traffic originating from several networks. Our study is based on the observation that the forged traffic is injected in an out-of-band manner: the network operators do not update the network packets in-path, but rather send the forged packets \emph{without} dropping the legitimate ones. This creates a race between the forged and the legitimate packets as they arrive to the end user. This race can be identified and analyzed. Our analysis shows that the main purpose of content injection is to increase the network operators' revenue by inserting advertisements to websites. Nonetheless, surprisingly, we have also observed numerous cases of injected malicious content. We publish representative samples of the injections to facilitate continued analysis of this practice by the security community.