
Verisign: The Ultimate Browser Hijacker

Discussion in 'Virus & Other Malware Removal' started by NiteHawk, Oct 1, 2003.

Thread Status:
Not open for further replies.
  1. NiteHawk

    NiteHawk Thread Starter

    Source:
    http://www.spywareinfo.com/newsletter/archives/0903/24.php

    The Ultimate Browser Hijacker

    Verisign, custodian of the .net and .com registry, recently began redirecting all mis-typed internet addresses for web sites that don't exist so that web surfers end up on Verisign's pay-per-click search portal. This has broken countless millions of spam filters, networking tools, and blocked all competing error page redirection services. Verisign has become the ultimate browser hijacker.
    The internet community is in an unprecedented uproar. Tens of thousands of angry IT geeks at Slashdot rushed to sign an online petition targeted at ICANN demanding that it use its authority over Verisign to force it to stop hijacking mis-typed domains. After the first ten thousand signatures were received, printed copies were sent to ICANN via FedEx.
    ICANN has sent Verisign a letter asking that it voluntarily suspend the hijackings while they discuss the situation. Verisign refused the request.
    The developer of BIND, the software running on most of the world's Domain Name Servers (DNS), has released a patch that nullifies Verisign's hijack. This patch can be downloaded at http://www.isc.org/products/BIND/delegation-only.html.
    Poplar Enterprises, another company which uses error page redirection at the browser level to drive traffic to pay-per-click sites, has sued Verisign in US Federal Court claiming unfair competition. Rival domain name registrar Go Daddy Software also has filed a lawsuit in Federal Court.
    Your Privacy At Risk
    Privacy activist Richard Smith has announced that he has discovered a web bug embedded in the page on which surfers land when they mis-type a web address. This web bug, set by internet advertising company Overture, sets a cookie and can be used to track surfers for five years before it expires.
    "This certainly means the culling of some information", said Smith. "They're getting a sense of what domain names are mistyped, and perhaps this can be used by a domain name sales company. In addition, Overture is a pay for click search engine, with questionable affiliates."
    It is possible that Verisign could correlate surfers' IP addresses with those cookies and potentially could identify people with whom they have business relationships. Verisign holds digital certificates for two million individual certificate holders and has access to those customers' personally identifiable information.
    Verisign and Overture also are receiving vast amounts of personally identifiable information about people when they fill out a form that is coded incorrectly. If someone fills out a form and the webmaster has misspelled his own website, that information will be sent to Verisign instead of its proper destination. This includes potentially credit card information.
    When people attempt to log into a secure web site, if they misspell the address or if the link they are clicking is misspelled, Verisign and Overture receive the log-in name and password.
    Verisign also is receiving every email in which someone mis-types the address of the recipient. Verisign potentially can read the contents of those emails. Verisign is receiving the addresses of both the sender and recipient, as well as the log-in password of the sender. This is significant in that Overture, Verisign's partner in all this, is a known spammer (Overture denies this, of course).
    Correction. Verisign can't capture the password of the sender unless the sender attempts to log into a mail server at an unregistered domain.
    Ironically, Verisign's hijacking is assisting the more common browser hijackers that we usually deal with at SpywareInfo. Already, we are seeing several browser hijackers altering victims' HOSTS files in a way that redirects Verisign's hijacker site to their own hijacker sites.
    The HOSTS file tricks Windows into thinking that Verisign's web site is located on the attacker's web server. The script kiddies now can boost their traffic on every error a victim makes when they mis-type an address, just as Verisign hopes to do.
    Blocking Verisign's Hijack
    Most ISPs have applied the BIND patch to block Verisign's hijacking. If your ISP has not done this, then your privacy is at grave risk from Verisign. If you end up at Verisign's search portal when you mis-type a domain, then you need to contact your ISP immediately and ask them to apply the patch as soon as possible.
    You can also block this web site yourself with these very simple steps posted by mjc at the SWI message boards.
    Add the following to your HOSTS file:
    127.0.0.1 sitefinder.Verisign.com #Block Verisign SiteFinder
    127.0.0.1 sitefinder-idn.Verisign.com #Block Verisign SiteFinder
    If you have Windows 95, 98, or ME, your HOSTS file is located at C:\windows\HOSTS. If you have NT or 2000, your HOSTS file is located at c:\winnt\system32\drivers\etc\HOSTS. If you have XP, the file is at c:\windows\system32\drivers\etc\HOSTS.
    This will block most, if not all of the redirects.
    If you have a firewall that allows IP blocking you can add the following IPs to its blocklist.
    12.158.80.10
    64.94.110.11
    Block traffic to those IP addresses in both directions and in all applications and protocols.
    Hopefully Verisign will realize soon that they cannot enrage every person on the planet and continue to conduct business. If they don't and they continue with this hijacking, then hopefully the companies advertising on Verisign's web site will realize they are likely to face a general boycott for financing Verisign's hijacking. One way or the other, this browser hijacking and invasion of privacy will not be tolerated by the internet community.
    Discuss this at the forums
    Links:
    http://slashdot.org/ :: Slashdot
    http://www.mjc1.com/ :: mjc's web site
    http://www.computerbytesman.com/ :: Richard Smith's site
    http://www.adsubtract.com/advisor/feat_bugs.html :: Web Bugs: Harmless Images, or Invisible Spies?
    http://www.theregister.co.uk/content/6/32926.html :: Verisign's SiteFinder finds privacy hullabaloo
    http://forums.spywareinfo.com/index.php?showtopic=11539 :: Discuss this at the forums
    http://www.mikehealan.com/articles/releases/godaddy_verisign.php :: Go Daddy Software Sues Verisign
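
Added example, not part of the original post or the newsletter it quotes: a small HOSTS-file audit that reports, for the two SiteFinder hostnames listed above, whether each is blocked (loopback only), remapped to another server as the hijackers described above do, or absent. The sample file and the address 203.0.113.7 (a documentation address standing in for a hijacker's server) are constructed.

```python
import ipaddress

# Hostnames taken from the HOSTS entries quoted in the post above.
SITEFINDER_HOSTS = ("sitefinder.verisign.com", "sitefinder-idn.verisign.com")


def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS-file text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line: skip it
        for name in fields[1:]:                # a line may carry aliases
            yield addr, name.lower().rstrip(".")


def audit_hosts(text, watched=SITEFINDER_HOSTS):
    """Classify each watched name as 'blocked', 'hijacked' or 'missing'."""
    seen = {name: [] for name in watched}
    for addr, name in parse_hosts(text):
        if name in seen:
            seen[name].append(addr)
    report = {}
    for name, addrs in seen.items():
        if not addrs:
            report[name] = "missing"
        elif all(a.is_loopback or a.is_unspecified for a in addrs):
            report[name] = "blocked"
        else:
            # Any non-loopback mapping is flagged, whatever its position.
            report[name] = "hijacked"
    return report


# Constructed sample: one block entry from the post, one remapped entry.
SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 sitefinder.Verisign.com #Block Verisign SiteFinder
203.0.113.7 sitefinder-idn.verisign.com
"""

if __name__ == "__main__":
    for host, status in audit_hosts(SAMPLE).items():
        print(f"{host}: {status}")
```

To audit a real machine, pass the contents of the HOSTS file at the path for your Windows version given in the post.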
     