[colug-432] WOW is hijacking my Google searches, but how?

Keith Larson klarson at k12group.net
Tue Mar 26 17:56:27 EDT 2013


They certainly do this for "Amber Alerts".


>>> Rick Troth <rmt at casita.net> 3/26/2013 5:40 PM >>>
Others will know better details than I do,
but it comes to mind that it's *easy* for any provider to insert their
own caching layer between you and the world.  Not saying WOW is doing
this, but it's trivial for them to trap all port 80 traffic and serve
up cached content ... or doctored content (or redirection, or
whatever!).  Caching is justified by reducing their upstream port 80
burden.  (For varying values of "justified".)

Conspiracy theorists unite!   :-)

-- R; <><



On Tue, Mar 26, 2013 at 5:12 PM, Rob <res at colnet.cmhnet.org> wrote:
> For the past few days, I have been working on building Mint 14 system
> on a second disk on my main PC.  I hate to transition, but my preferred
> OS for the past three years (Ubuntu 10.04) will be going EOL next month
> and I have to do something.  Frankly, I've run into a number of problems
> with Mint that I find rather disturbing -- is Mint really being marketed
> as made-for-prime-time? -- but perhaps the most disturbing might not
> even involve Mint, although I'm increasingly suspicious it does.
>
> First, I'm a WOW customer for broadband, and have generally been happy
> with them.  The Firefox disseminated with Mint comes with several
> add-ons which cannot be removed (at least not easily), although they
> can be disabled.  One is "Mint Search Enhancer 1.0" (whatever that is).
> I told Firefox early-on to disable it and it said it did.  Mint Firefox
> also does not have a Google option in the search box on the Navigation
> toolbar by default, but it is fairly easy to add it.  And that's where
> the trouble starts:
>
> When I add Google, and then try to use it to search from the search box,
> I (often, but not always) get redirected to the following website:
>
> http://64.233.232.17/bg/search-col/index.html?policy=1285&q=tab+groups
>
> (Here, I was searching for "tab groups" at the time.)  This website
> has WOW branding -- that is, if it returns at all, I often get left
> high and dry -- but no useful information that I can tell, and a
> small opt-out URL at the very bottom.  If I opt out, it appears to
> leave me alone for good, i.e., it doesn't seem to rely on a cookie.
> However, if I go to another userid on that machine and again invoke
> Firefox, it's back, so it does seem to be browser dependent.
>
> A reverse DNS lookup yields 64-233-232-17.static.nap.wideopenwest.com
>
> When I first click on the search box with Google selected as the
> engine, my DNS server sees two google.com inquiries and nothing else.
>
> My question:  How are they doing this?  First, I run my own DNS
> servers on my local LAN.  I do not use WOW (or any other external)
> servers for my DNS.  A dump of my Bind named cache only shows the
> 64.233.232.17 IP on a reverse lookup which I did.  But, it does seem
> to more-or-less happily be serving up the copious lookups that Firefox
> requests of it.  So, it would appear to me this cannot be a DNS exploit.
> So, how is it being perpetrated?  If I visit Google directly, the browser
> globs onto its https entry, and of course, then I get the real McCoy.
> Even if force a non-encrypted connect, it seems to work OK there.
>
> Did Mint serve me a doctored search-engine add-on that redirects my
> queries to WOW?  (But, if so, how did they even know I'm a WOW customer?)
> Is WOW doing something really nefarious like masquerading as Google's IP
> addresses on their network and then doing a redirect?  Has anyone else
> encountered this?  There does seem to be some hits about this when I
> query the search engines, but nothing that comes close to a good
> explanation of that's going on.  It's really got me baffled.
>
> Any ideas?
>
> Rob
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432



-- 
-- R;   <><
_______________________________________________
colug-432 mailing list
colug-432 at colug.net
http://lists.colug.net/mailman/listinfo/colug-432
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.colug.net/pipermail/colug-432/attachments/20130326/0011a326/attachment.html 


More information about the colug-432 mailing list