[colug-432] WOW is hijacking my Google searches, but how?

Rob res at colnet.cmhnet.org
Tue Mar 26 17:12:32 EDT 2013


For the past few days, I have been working on building Mint 14 system
on a second disk on my main PC.  I hate to transition, but my preferred
OS for the past three years (Ubuntu 10.04) will be going EOL next month
and I have to do something.  Frankly, I've run into a number of problems
with Mint that I find rather disturbing -- is Mint really being marketed
as made-for-prime-time? -- but perhaps the most disturbing might not
even involve Mint, although I'm increasingly suspicious it does.

First, I'm a WOW customer for broadband, and have generally been happy
with them.  The Firefox disseminated with Mint comes with several
add-ons which cannot be removed (at least not easily), although they
can be disabled.  One is "Mint Search Enhancer 1.0" (whatever that is).
I told Firefox early-on to disable it and it said it did.  Mint Firefox
also does not have a Google option in the search box on the Navigation
toolbar by default, but it is fairly easy to add it.  And that's where
the trouble starts:

When I add Google, and then try to use it to search from the search box,
I (often, but not always) get redirected to the following website:

http://64.233.232.17/bg/search-col/index.html?policy=1285&q=tab+groups

(Here, I was searching for "tab groups" at the time.)  This website
has WOW branding -- that is, if it returns at all, I often get left
high and dry -- but no useful information that I can tell, and a
small opt-out URL at the very bottom.  If I opt out, it appears to
leave me alone for good, i.e., it doesn't seem to rely on a cookie.
However, if I go to another userid on that machine and again invoke
Firefox, it's back, so it does seem to be browser dependent.

A reverse DNS lookup yields 64-233-232-17.static.nap.wideopenwest.com

When I first click on the search box with Google selected as the
engine, my DNS server sees two google.com inquiries and nothing else.

My question:  How are they doing this?  First, I run my own DNS
servers on my local LAN.  I do not use WOW (or any other external)
servers for my DNS.  A dump of my Bind named cache only shows the
64.233.232.17 IP on a reverse lookup which I did.  But, it does seem
to more-or-less happily be serving up the copious lookups that Firefox
requests of it.  So, it would appear to me this cannot be a DNS exploit.
So, how is it being perpetrated?  If I visit Google directly, the browser
globs onto its https entry, and of course, then I get the real McCoy.
Even if force a non-encrypted connect, it seems to work OK there.

Did Mint serve me a doctored search-engine add-on that redirects my
queries to WOW?  (But, if so, how did they even know I'm a WOW customer?)
Is WOW doing something really nefarious like masquerading as Google's IP
addresses on their network and then doing a redirect?  Has anyone else
encountered this?  There does seem to be some hits about this when I
query the search engines, but nothing that comes close to a good
explanation of that's going on.  It's really got me baffled.

Any ideas?

Rob


More information about the colug-432 mailing list