Devices at Telecom Egypt demarcation points have been found to be surreptitiously redirecting Egyptian Internet users to advertisements and cryptocurrency mining sites, according to a report published by Citizen Lab at the University of Toronto on Friday, March 9.
The technology research lab’s report explains that the scheme, referred to as AdHose, operates via middleboxes, which are computer networking devices for manipulating Internet traffic. The report identifies two modes of redirection used on Egyptian citizens: “spray mode” and “trickle mode.” “Spray mode” means that a middlebox “redirects Egyptian Internet users en masse to ads or cryptocurrency mining scripts whenever they make a request to any website,” and is seemingly used “sparingly.”
“Trickle mode” means that only attempts to open certain URLs redirect users to these ads or mining scripts, specifically CopticPope.org (which was formerly the website of the Pope of the Coptic Orthodox Church of Alexandria) and Babylon-X.com (formerly a porn site).
Coinhive, a Monero mining platform that positions itself to sites as an online advertising alternative, was also listed in the table of links for AdHose middleboxes to redirect Egyptian users.
Coinhive has previously been linked to a large case of cryptojacking at the end of January 2018, when hackers ran YouTube ads with a Coinhive script that secretly used up the users’ CPU power for mining. American cable network Showtime was also found to be using Coinhive on two of their websites as an alternative for advertisements back in September of last year, albeit without informing their customers. After Showtime’s surreptitious use of the mining script was exposed, Coinhive announced that in future it would seek permission from users before using their computers to mine Monero.
Citizen Lab’s report showed that the same middlebox that runs AdHose was also responsible for Internet censorship in Egypt, blocking websites for Human Rights Watch and the news outlet Al Jazeera.
The report noted as well that middleboxes in Turkey and Syria were redirecting users attempting to download software to different versions of the same software with