Widespread Hijacking of Search Engine Traffic in US

Users must trust their ISP's DNS servers to correctly return IP addresses that indeed belong to the site the user intends to visit. In some instances, however, this trust may not be warranted.

Earlier this year, two research papers reported the observation of strange phenomena in the Domain Name System (DNS) at several US ISPs. On these ISPs' networks, some or all traffic to major search engines, including Bing, Yahoo! and (sometimes) Google, is being directed to mysterious third party proxies.

RESEARCHERS at the International Computer Science Institute in Berkeley, California, have uncovered a major search traffic hijacking operation instrumented by a dozen US Internet service providers and a company specialising in affiliate marketing revenue generation.

The scheme works by redirecting people's search requests through proxy servers designed and operated by a company called Paxfire. The requests are then passed to affiliate programs run by Commission Junction, the Google Affiliate Network, Linkshare, or Ask.com.

Retailers pay money through these programs to those who direct customers to their business. These affiliates earn a commission for every user who ends up making a purchase or signing up for an offer.

According to Christian Kreibich and Nicholas Weaver, the two researchers who have been monitoring this operation for months, only some particular queries like "apple," "dell," "safeway" or "bloomingdales" are being hijacked.

A user who types any of these words in their web browser's address bar expects to be taken to a search page on their favorite search engine. Instead, they are directly taken to the websites of the corresponding companies that pay Paxfire and the ISP for the traffic.

Some less specific queries are also being hijacked. For example, typing Kindle in the address bar takes users to Amazon's website instead of a search engine page that also has links to Ebay, Wikipedia and reviews web sites. This deprives search engines of traffic and takes freedom of choice away from users.

According to a technical analysis published by the Electronic Frontier Foundation (EFF), some of the major ISPs using Paxfire's redirect services include Cavalier, Cogent, Frontier, Fuse, DirecPC, RCN and Wide Open West.

New Scientist reports that New York based law firms Reese Richman and Milberg have already filed a class action lawsuit against RCN and Paxfire claiming violations of the Federal Wiretap Act's privacy safeguards. It also notes that as of August 2011 all major ISPs involved in the scheme have stopped hijacking traffic destined for Google, but still redirect Bing and Yahoo queries.

The two researchers point out that Paxfire's product contains an optional feature that passes people's entire search traffic through web proxies before directing the requests to the search engines. The purpose of this action is to collect information about what users are searching for and build search profiles.

Google recently announced that millions of computers are infected with a click fraud trojan that redirects search engine traffic through proxy servers run by its creators, in a similar way to Paxfire's patented technology. The company took the unprecedented step of warning affected users through alerts displayed at the top of its search page.

T his tool will tell you if your searches are being hijacked :