wesley tanaka

New Use for Great Firewall Technology: China's ISP Adding Advertisements to Webpages

Home » All Posts
‹ Bikini Underwear Clad Women Playing Soccer in the Mud | Music and Emotion ›
Submitted by wtanaka on Mon, 2006-06-26 19:05. ()

Sometime this May, I noticed advertisements appearing on the bottom of certain web pages (perhaps one out of every hundred or more that I visited). This example screen shot was taken on May 29, 20:11 CST. See the ad at the bottom of the screen shot.

screen shot

After seeing the ad on my own site, I was certain that it was not authored into the web pages I was visiting; It was somehow being injected into the web browsing experience by my ISP. I looked at the source for several of the ad-laden pages, and I found this: 

<html> <meta http-equiv='Pragma' content='no-cache'> <head> <title></title> <script LangUage='JavaScript'>try{var tmp=parent.window.location.href}catch(e){window.location.reload();}</script> </head> <frameset framespacing=0 border=0 rows='*,0' frameborder=0 onload="window.lxmainframe.location='http://ad4.sina.com.cn/sina/ziguang/yunnan/frame.html?url='+window.location;"> <frame name='lxmainframe' src='about:blank' scrolling='auto'> <frame name='lxblankframe' src='about:blank' scrolling='no'> </frameset> </body></html>

It's a little piece of Javascript which:

  1. loads up the ad at the bottom of the screen
  2. loads up the webpage you originally wanted to view

I don't know enough Chinese to do any extensive web searching on the URL http://ad4.sina.com.cn/sina/ziguang/yunnan/frame.html, but I found it in several referrer logs, and I found a report of at least one other person experiencing this ad injection. I'd be curious to know where profits are going.

I had initially guessed that there was a technical employee in my local (or perhaps province) China Telecom office who rigged this up to deposit the proceeds into his/her own pocket, but google's index contains similar URLs which refer to three different provinces in China: Yunnan (where I am), Henan, and Liaoning. Additionally, the advertisement link does not seem to contain any kind of affiliate code or user id. Both these facts suggest that this practice is more wide-spread and more institutionalized than I had thought.

More recently, the ad has changed to this: 

<html><meta http-equiv='Pragma' content='no-cache'><meta http-equiv='Refresh' content='0;URL='><script LangUage='JavaScript'>{child=window.open('http://www.smallqqg.com/frame_51edu.html','','width=800,height=600,toolbar=yes,menubar=yes,location=yes,resizable=yes,status=yes');child.blur();}</script><head><title></title></head><body></body></html>

This shows up as a much less annoying "blocked popup" in Firefox. Out of curiosity, I visited http://www.smallqqg.com/frame_51edu.html just now and, ironically enough, it appears to be blocked by the Great Firewall.

On the subject of the Great Firewall: it has a certain feature where, if anything in your HTTP connection contains certain filtered words, all connections to that webserver will be blocked for a few minutes afterward. Replacing of a percentage of webpages with advertisements (which then point back at the original web page) is much less sophisticated and was probably pretty easy to implement. In all likelihood, what's happening here is that, like its namesake, The Great Firewall -- technology primarily meant for controlling information -- is now being used to make money.

Questions

Updated: 2006-06-29

Can't you use a javascript blocker like Noscript or Adblock?
No. The javascript looks is coming directly from the webserver that I'm visiting (i.e. it appears to be served by us.f123.mail.yahoo.com). If I were to block it, I'd also disable the part of the script that loads the original page after the ad is loaded
Isn't this just spyware?
It could be, but it seems like it's:
  • For Linux
  • Specific to Yunnan
  • Institutionalized somehow, in that there's no information about which account to credit with the ad impressions

I would like to do more testing, but it's come up only very sporadically, and appears (in the past few days) that it may have even stopped.

Update (2006 Jun 29)

It just occurred again on a visit to http://www.imdb.com/title/tt0093207/ 

 <html> <meta http-equiv='Pragma' content='no-cache'> <meta http-equiv='Refresh' content='0;URL='> <script> window.open('http://365tan.com/wxku.html'); </script> <head> <title></title> </head> <body></body>
</html>

Again, it was blocked by firefox's popup blocker. I should try browsing with konqueror for a while to eliminate the possibility that this is an evil firefox extension.

See Also

More examples of China Telecom web spam

»

Ad Injection on CNC China Netcom

Submitted by Anonymous (not verified) on Tue, 2008-06-24 12:13.

I am experience full page ads that wait for 5 seconds before loading the requested page several times a day.

I am a network engineer in Qingdao, CN and I tested several VPNs. It is definitely CNC injecting pages.

»
Syndicate content