You clearly opened website A, but for some reason ended up on website B; you clearly wanted to download software A, but what got installed turned out to be software B; you opened an app and were hit with a confusing, annoying barrage of pop-up ads... Is your computer or phone infected with a virus? Not necessarily. The virus may have been blamed unfairly, because your Internet traffic may have been hijacked.

In the Internet world, traffic hijacking is nothing new. The term refers to the use of technical means to control a user's online behaviour, making you open web pages you did not want to open and see advertisements you did not want to see, all of which brings a steady stream of income to the hijacker. Although it has existed for a long time, in an environment where "users are sheep", traffic hijacking has proven "ineradicable".

Who is hijacking the traffic? What does the "devil's hand" behind traffic hijacking look like? An investigation by IT Times reporters found that in the Internet world there is a huge gray industry chain behind traffic hijacking. Through DNS hijacking alone, at least tens of millions of IP addresses are maliciously hijacked every day.

Download the Xiaomi Store, get UC Browser instead

Not long ago, a disclosure published on Wuyun.com titled "A suspected vulnerability in an APK hijacking and promotion system based on operator traffic (up to millions of hijacking records per day)" once again pushed "traffic hijacking" into the spotlight. The incident began with the awkward experience of a friend of the Wuyun.com white hat "Passerby A" while downloading the Xiaomi Store app: whether on a mobile phone or a PC, the file that arrived was UC Browser. "Passerby A" then ran a packet-capture test and, during that test, discovered a hidden management system.
In the vulnerability information Wuyun.com provided to reporters, the process by which "Passerby A" uncovered the hand behind the hijacking is broken down in detail. First, the UC Browser download link appeared during the packet capture: when the user made the request over the local operator's broadband, the returned link had been tampered with. Following this clue, "Passerby A" dug out an "installation and distribution platform" and found in its back-end database that the system hijacked a huge volume of downloads every day; the highest single-day count reached 1.51 million, and that was only the scale of a quasi-second-tier city.

"To put it simply, the address you download from is a, and then the download link becomes address b. There is an encryption parameter at the end of address b which, once decrypted, is address a, but what is downloaded is still the content at address b," a security expert from Wuyun.com explained to the IT Times reporter. This type of hijacking is very common, and the encrypted parameter on the end makes it even more confusing. "From the hijacker's perspective, it also marks that the app the user downloaded was hijacked from address a, which makes it easy to calculate how much traffic hijacking address a brought in."

"Traffic hijacking refers to the theft, spying on and control of online traffic. Once the user's traffic has been captured, it can also be analysed to steal the user's privacy. The computer we use to surf the Internet is the client, and the target of the request is the server. From the moment you make a request to the moment you see the web page, it feels very fast, but the request has to pass through network links and devices in the middle, and the points and devices on those links can be tampered with, so the traffic can be maliciously analysed and stolen," Lu Lisheng, a member of the domestic security team Keen Team, told the IT Times reporter.
In Lu Lisheng's view, anyone with access to network links and equipment can hijack traffic. There are two common methods: one is DNS hijacking, where the user enters a domain name and is redirected to an IP address specified by the hacker; the other is link hijacking, where the page is replaced, large numbers of advertisements are inserted, or the traffic is used by hackers for DDoS attacks.

Journalist Investigation

Tens of millions of users are hijacked every day

Traffic price: 1,000 IPs, maximum selling price 70 yuan/day

"Banner clicks on PC cost 1.5 cents, patch clicks cost 1.2 cents and 1.8 cents, rich media in the lower right corner costs 2.2 yuan per 1,000 impressions, couplet ads cost 2.1 yuan per 1,000 impressions, pop-ups cost 5.5 yuan per 1,000 impressions, and floating ads on mobile cost 2.5 yuan per 1,000 impressions." In the "DNS hijacking mobile traffic" group of nearly a thousand people, notices offering high prices for traffic were posted throughout the day and did not stop until late at night. "We are all looking for channels here and collecting all kinds of traffic," Sun Ting (pseudonym), who had just sent out a round of traffic-collection notices, told the IT Times reporter. Most of the people shouting in the group were "buying traffic", but Sun Ting stayed silent about where the traffic came from.

Traffic is valuable. The intermediary or buyer who collects traffic calculates the fee daily, based on the traffic (in thousands of IPs) brought in. The market price per thousand IPs is 35 to 70 yuan per day, varying with the quality and quantity of the users. For example, if a hacker hijacks 50,000 IPs of traffic every day and cooperates for 90 days at 35 yuan per thousand IPs, the buyer should pay the hacker 157,500 yuan (50,000/1,000×90×35), an average of 50,000 yuan per month. In fact, those who sell traffic own far more than 50,000 IPs.
In these traffic-collection groups, teams offering hijacking technology "look around" from time to time, and occasionally a message pops up: "We provide hijacking technology, those interested can chat privately." After several twists and turns, the reporter finally made contact with a company that provides traffic-hijacking technology services. According to its customer service, it can help companies that have traffic to install the hijacking system. "Install the CentOS (Community Enterprise) operating system on your server, make split ports, and then give us the server IP," the staff member said. Their technicians then deploy the hijacking system and basically ensure that data is fed back every day and revenue can be seen. "Even if the operator has source address verification, it can be done, but it is a little more complicated." To cooperate with them, you must have at least 100,000 IPs whose traffic can be hijacked. The revenue from hijacked traffic is "split 30/70, with us taking 30%."

Who is selling traffic?

Who is selling traffic? Who is buying it? How does this hijacked traffic flow? In the Internet world, a huge black industry chain is looming. According to Lu Lisheng, telecom operators, Internet companies, router manufacturers and hackers may all be operators of traffic hijacking, and their purposes are nothing more than advertising revenue, commercial competition (increasing website click-through rates) and collecting user information.
Traffic hijackers sell traffic in three ways. The first is to hijack the traffic directly to the buyer's website, known in the industry as "direct cooperation". The second is to hijack the traffic to the hijacker's own domain and then jump to the buyer's website, for example hijacking 2345.com to qjjxw.com and then jumping to 5w.com, known as "jump cooperation". The last is to hijack the traffic to the hijacker's own domain and, instead of jumping to the buyer's website, embed the buyer's website content in full; the buyer still benefits, and this is known as "framework cooperation".

"To maximise their profits, hijackers are generally unwilling to set up direct cooperation. They mainly use jump cooperation and framework cooperation, so that as soon as a higher bid comes in, the hijacked traffic can be transferred away immediately," the security industry insider quoted above told reporters. Traffic-collection intermediaries buy traffic from the hijackers, and traffic buyers buy it from the intermediaries. "There are several large traffic intermediaries that can easily control huge volumes of millions of IPs every day. The businesses of the companies they run look normal on the surface, but they are secretly engaged in traffic hijacking and junk advertising," an industry insider familiar with the chain revealed to the IT Times reporter.

Fighting traffic hijacking

It takes time to achieve success

On December 25, 2015, six Internet companies, Toutiao, Meituan Dianping, 360, Tencent, Weibo and Xiaomi Technology, jointly issued a "Joint Statement of the Six Companies on Resisting Traffic Hijacking and Other Illegal Acts", calling on the relevant operators to crack down strictly on traffic hijacking and to take seriously the consequences that Internet companies suffer when their traffic is hijacked.
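The article names three client-visible signals: a resolver answer the hijacker chose (DNS hijacking), a download link rewritten to another host and tagged with a parameter that decodes back to the original address, and the "direct", "jump" and "framework" ways of delivering the traffic to a buyer. The following Python is an added example written for this page, not code from the IT Times article or from any of the companies it mentions. It records what a client can observe for one request (answers from the operator resolver and from an independent resolver, the redirect hops, the final page) and classifies the observation. All hostnames (`*.test`), IPs and HTML are constructed sample data, and the assumption that the marker parameter is plain URL-safe base64 of the original URL is made only for the example (the article says "encryption parameter" without naming the scheme).

```python
"""Client-side hijack classifier over constructed observations (added example)."""
import base64
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List
from urllib.parse import parse_qs, urlparse


@dataclass
class Observation:
    """What a client can record for one request (constructed sample data)."""
    requested_url: str
    isp_answer: FrozenSet[str]      # A records from the operator's resolver
    trusted_answer: FrozenSet[str]  # A records from an independent resolver
    redirects: List[str] = field(default_factory=list)  # Location hops, in order
    final_body: str = ""            # HTML body of the final response


IFRAME_SRC = re.compile(r'<iframe[^>]*\ssrc=["\']([^"\']+)["\']', re.I)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def origin_tag_params(url: str, original_url: str) -> List[str]:
    """Names of query parameters whose value decodes to original_url.

    Assumption for this example: the marker on the rewritten link 'b' is
    URL-safe base64 of the original address 'a', so the check runs offline.
    """
    tagged = []
    for name, values in parse_qs(urlparse(url).query).items():
        for value in values:
            padded = value + "=" * (-len(value) % 4)
            try:
                decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
            except ValueError:  # covers binascii.Error and UnicodeDecodeError
                continue
            if decoded == original_url:
                tagged.append(name)
    return tagged


def classify(obs: Observation) -> List[str]:
    """Return sorted findings; an empty list means nothing suspicious."""
    findings = set()
    req_host = host_of(obs.requested_url)

    # DNS hijacking: operator resolver and independent resolver share no
    # address at all for the same name.
    if obs.isp_answer and obs.trusted_answer and obs.isp_answer.isdisjoint(obs.trusted_answer):
        findings.add("dns_hijack")

    # Link hijacking by redirect: hops that leave the requested host.
    # One foreign host means the traffic lands on the buyer ("direct");
    # several means the hijacker's own domain first, then the buyer ("jump").
    hop_hosts = [host_of(u) for u in obs.redirects]
    foreign = [h for h in hop_hosts if h != req_host]
    if foreign:
        findings.add("jump" if len(set(foreign)) > 1 else "direct")
        if any(origin_tag_params(u, obs.requested_url) for u in obs.redirects):
            findings.add("origin_tagged")

    # "Framework": the page the user ends on embeds another site's content.
    page_host = hop_hosts[-1] if hop_hosts else req_host
    framed = [host_of(src) for src in IFRAME_SRC.findall(obs.final_body)]
    if any(h and h != page_host for h in framed):
        findings.add("frame")

    return sorted(findings)


# Constructed sample observations (documentation-range IPs, .test hostnames).
GOOD_IP = frozenset({"203.0.113.10"})
ROGUE_IP = frozenset({"198.51.100.7"})
STORE_APK = "http://dl.example-store.test/store.apk"
MARKER = base64.urlsafe_b64encode(STORE_APK.encode()).decode().rstrip("=")

SAMPLES = {
    "clean": Observation(STORE_APK, GOOD_IP, GOOD_IP),
    # Download rewritten to another vendor's APK, tagged with the original URL.
    "download": Observation(
        STORE_APK, GOOD_IP, GOOD_IP,
        redirects=[f"http://cdn.other-browser.test/browser.apk?src={MARKER}"]),
    # Navigation site bounced through the hijacker's domain to the buyer.
    "jump": Observation(
        "http://www.example-nav.test/", GOOD_IP, GOOD_IP,
        redirects=["http://hijacker.test/go", "http://buyer.test/"]),
    # Resolver lies, and the page served from the rogue IP frames the buyer.
    "dns_frame": Observation(
        "http://www.example-nav.test/", ROGUE_IP, GOOD_IP,
        final_body='<html><body><iframe src="http://buyer.test/"></iframe></body></html>'),
}


def report() -> dict:
    """Classify every sample; used by the command-line run below."""
    return {name: classify(obs) for name, obs in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name:10s} -> {findings or ['clean']}")
```

The frame check is deliberately coarse: any embedded third-party iframe trips it, so in real monitoring you would exempt known embeds (video players, payment widgets) and pair it with the resolver comparison, which is the signal that points at the operator-level DNS servers the article describes. The resolver comparison itself only needs a second, independently operated resolver; disjoint answers for a name that should be stable are worth an alert.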
This open letter puts the telecom operators in an extremely passive position. "As providers of the basic network, even if operators want to crack down on and prevent traffic hijacking, hackers can hijack the traffic through routers and other means and then sell it," said an operator insider. As the reporter understands it, telecom operators do have preventive measures against illegal traffic hijacking, but hijacking systems still infiltrate by various means. Take the common case of DNS server hijacking: telecom operators run provincial DNS servers as well as municipal and county DNS servers, and servers at different levels have jurisdictions of different sizes. Provincial DNS servers have a high security level, more standardised management and fewer malicious hijacks; malicious hijacking of user access is relatively more common on city- and county-level DNS servers.

"In the Internet world, traffic equals money. When some companies cannot obtain enough traffic through normal channels, buying traffic becomes the first choice," another Internet industry person who asked not to be named told reporters. "The chain of interests is the breeding ground for traffic hijacking and the black industry," Luo Hui, assistant to the president of 2345, told the IT Times reporter. In November 2015, the People's Court of Pudong New Area, Shanghai, ruled on the country's first criminal case of traffic hijacking, and two defendants were sentenced for selling hijacked 2345 website traffic. Yet traffic hijacking has not stopped to this day. Luo Hui revealed that hijacking of 2345's URL navigation traffic as a whole costs the company three to four million yuan every month. With their own interests harmed, Internet companies have begun to step up their efforts against traffic hijacking.
According to Luo Hui, 2345 has built a comprehensive anti-hijacking system comprising a business anti-hijacking monitoring system, page anti-hijacking technology and an anti-cheating system for its promotion platform. It has also strengthened collaborative research by building a technical alliance to provide strong technical support for network security. "Traffic hijacking is difficult to regulate. From a technical point of view, the regulatory authorities do not know how to regulate and prevent it, and enforcement is not strong enough. They should communicate more with the telecom operators to stop people hijacking telecom DNS servers for personal gain," the same person said.

Journalist's Notes

Don't stretch out your hand, or you will be caught

In the vast Internet world there is never a shortage of people hoping to make money quickly, and where there is demand, there are people who will help meet it. But the law will not tolerate traffic hijacking. Article 286 of the Criminal Law stipulates that "whoever, in violation of state regulations, deletes, modifies or adds data or applications stored, processed or transmitted in a computer information system, with serious consequences, shall be sentenced to fixed-term imprisonment of not more than five years or criminal detention; if the consequences are especially serious, he shall be sentenced to fixed-term imprisonment of not less than five years." In the traffic hijacking case mentioned above, the two defendants were sentenced to three years in prison, suspended for three years. In the short term, given the huge interests involved, this "devil's hand" will not disappear and will continue to prey on the Internet and its users. But don't forget: the net of heaven is vast, and whoever stretches out a hand will be caught.