Devices found at Telecom Egypt demarcation points have been found to be surreptitiously redirecting Egyptian Internet users to advertisements and cryptocurrency mining sites, according to a report published by Citizen Lab at the University of Toronto Friday, March 9.
The technology research lab’s report explains that the scheme, referred to as Adhose, operates via middleboxes, computer networking devices for manipulating internet traffic. The report identifies two modes of redirection used on Egyptian citizens: “spray mode” and “trickle mode.” “Spray mode” means that a middlebox “redirects Egyptian Internet users en masse to ads or cryptocurrency mining scripts whenever they make a request to any website,” and is seemingly used “sparingly.”
“Trickle mode” means that only attempts to open certain URLs redirects users to these ads or mining scripts, specifically CopticPope.org (which was formerly the website of the Pope of the Coptic Orthodox Church of Alexandria) and Babylon-X.com (formely a porn site).
Coinhive, a Monero mining platform that positions itself to sites as an online advertising alternative, was also listed in the table of links for AdHose middleboxes to redirect Egyptian users.
Coinhive has previously been linked to a large case of cryptojacking at the end of January 2018, when hackers ran YouTube ads with a Coinhive script that secretly used up the users’ CPU power for mining. American cable network Showtime was also found to be using Coinhive on two of their websites as an alternative for advertisements back in September of last year, albeit without informing their customers. After Showtime’s surreptitious use of the mining script was exposed, Coinhive announced that in future it would seek permission from users before using their computers to mine Monero.
Citizen Lab’s report showed that the same middlebox that runs AdHose was also responsible for Internet censorship in Egypt, blocking websites for Human Rights Watch and the news outlet Al Jazeera.
The report noted as well that middleboxes in Turkey and Syria were redirecting users attempting to download software to different versions of the same software with spyware attached.
A fingerprint of a network injection of the middleboxes, deep packet inspection (DPI) devices, was patched with a second-hand PacketLogic device made by Canadian network equipment company Sandvine.
In the report, Sandvine denied that their products could be used in such a manner, and highlighted to Citizen Lab their human rights protection standards that prompt a review of a sale when the customer is part of a country ranked low on the Worldwide Governance Indicators.
Citizen Lab writes in their report that Sandvine’s safeguards have “come up short,” and recommends that the company begin engaging in “regular consultation with civil society regarding its human rights due diligence and business ethics program.”
While Egypt’s first Bitcoin exchange was reported to be opening in August 2017, the Egyptian government has taken a hard line against cryptocurrencies in the country. Egypt’s top cleric called Bitcoin (BTC) “unlawful” under Sharia law in January of this year.
A year earlier in February 2017, a Sharia law expert had told Bitcoincloud that since Islam has historically only recognized “commodities of intrinsic value” as money, “Bitcoin probably misses the mark.” It is unclear how Monero or Coinhive’s mining script would thus fall under Sharia law.