China - Accessing FT from China new weirdness

Anybody accessing this site from inside China (China Unicom ISP) without your VPN on, and using Firefox as browser, check and see if you are getting a strange intermittent pop-up with: "202.106.33.158/DNS/popup.html" in the address bar. Lookup shows this is a China Unicom IP address. There is no content in the box, just the IP address.

It stays up for a few seconds, then goes away, then pops up again. Besides being annoying, it's a bit unnerving--ike a reminder that "Big Brother is Watching." And it's new, didn't happen yesterday. So far haven't had it happen with other websites in Firefox but haven't been on Net long this morning. Will try a check on FT using other browsers as well.

ETA: Seems to happen every time you click to view different page or different thread.

Doesn't appear to be the dreaded Net Nannies but rather the almost-as-nefarious advertisers. At least here, accessing that URL displays an ad:

http://huixing.latitude415.com/etc/popupad_1.jpg

Looking at the source for the page also uncovers things like adFrame_2608BD7F_EDB2_976D_8F4C_C032B747AD04 and hxxp://202.106.195.182/adpolestar/door/;ap=2608BD7F_EDB2_976D_8F4C_C032B747AD04;ct=js;pu= afp, all of which suggest that this is some type of advertising scheme. Also, the auto-closing is explained by a bit of JavaScript that sets it to close after 20,000ms or 20 seconds.

Is it possible you got some type of Chinese adware on your system? Or, alternatively, it could be that your ISP is injecting these ads into the sites you visit, a possibility suggested by the DNS reference in the URL. Do you have AdBlock installed in Firefox, explaining why it just appears as a blank window?

Browsing FT on FF without VPN right now, and not experienced these issues, but no idea who my ISP provider is: landlord had installed and paid for our internet.

I think that some adware is the most likely reason.

tb

I get the China Telecom "Happy New Year" special pricing for optic fiber contract advert when I open my browser these days.

Not quite the same advert you are seeing though but it pops up on the bottom right side of the screen each time even when I connect to vpn which was disconcerting.

Doesn't appear to be the dreaded Net Nannies ?

Maybe these guys are making some headway.:(

Gipson Hoffman & Pancione, the law firm representing Solid Oak Software in its $2.2 million lawsuit against the Chinese government.

I get the China Telecom "Happy New Year" special pricing for optic fiber contract advert when I open my browser these days.

Same here. Sometimes pops up when connecting to hotmail, this is without using a VPN. No problems when using FT though.

Doesn't appear to be the dreaded Net Nannies but rather the almost-as-nefarious advertisers. At least here, accessing that URL displays an ad:

http://huixing.latitude415.com/etc/popupad_1.jpg

Looking at the source for the page also uncovers things like adFrame_2608BD7F_EDB2_976D_8F4C_C032B747AD04 and hxxp://202.106.195.182/adpolestar/door/;ap=2608BD7F_EDB2_976D_8F4C_C032B747AD04;ct=js;pu= afp, all of which suggest that this is some type of advertising scheme. Also, the auto-closing is explained by a bit of JavaScript that sets it to close after 20,000ms or 20 seconds.

Is it possible you got some type of Chinese adware on your system? Or, alternatively, it could be that your ISP is injecting these ads into the sites you visit, a possibility suggested by the DNS reference in the URL. Do you have AdBlock installed in Firefox, explaining why it just appears as a blank window?

Sneaky adware/malware is possible--unlikely--but I'll try to check and take countermeasures. Second is definitely possible and maybe best explanation--the ISP is indeed China Unicom. But it's odd that I haven't found any site browsed via Firefox (besides FT) where this is getting inserted.

Yes, I do have AdBlock installed. Thanks for your technical input! For now, I am using a different browser for accessing FT. It's an incredibly annoying popup.

Sneaky adware/malware is possible--unlikely--but I'll try to check and take countermeasures.

jiejie: Since you appear to be the only one of us experiencing these problems, my money is on the "malware" theory. When IB made us ambassadors, they gave us the ad free version of FT as a token of their appreciation for our contributions here; I don't see ANY ads on FT, with or without VPN.

jiejie: Since you appear to be the only one of us experiencing these problems, my money is on the "malware" theory. When IB made us ambassadors, they gave us the ad free version of FT as a token of their appreciation for our contributions here; I don't see ANY ads on FT, with or without VPN.

I checked and diagnostics couldn't find any malware. Also if it was malware, I'd probably be getting whammies thrown at me when visiting other sites, and that didn't happen. Am now on FT using Firefox again, and that popup is completely gone now. It's possible it was something time-limited and targeted to Unicom users in specific areas. I know that Unicom has different server links depending on what part of the city you are in.

As for the general ad issue, yes of course I also am ad-free on FT once I log in, with or without VPN. That Chinese popup came up in a completely separate window, not as a frame on the FT site.

@jiejie

You're not crazy. That's about the same time I started receiving the ads. There is a little box that pops up in the bottom-right-hand corner of my screen. The ads on my computer are for 10010 (China Unicom). I had a hunch it was them, but I decided to rule out the other possibilities first. Scans by various antivirus/malware/adware software detected nothing. I confirmed it was not a new type of advertising by the websites. With that out of the way, I called up China Unicom and I complained about pop-up ads; the representative stated that I had agreed to them in my contract when I signed up for internet service. It must be nice being a monopoly (many neighborhoods in China, including mine, only allow one ISP). At least they didn't deny it like they do every time I call up and complain that I can't access YouTube, Facebook, etc. (Yes, I do realize that they are blocked, but sometimes it's just fun to mess with the system. :p) Anyway, they aren't the first ISP to insert ads (search for "Phorm" or "ISP inserting ads"). Hopefully, these bad advertising practices by ISPs will be the next story to go viral on Weibo.

Also, apparently, this has been going on a long time, so maybe we're actually lucky we are only now experiencing it:
http://www.marc.cn/2010/07/china-unicom-keeps-on-serving-ads-without-permission.html
http://news.ichinastock.com/2011/04/qiyi-ceo-accuses-china-unicom-of-sabotaging-user-experience-with-pop-up-ads/

@jiejie

You're not crazy. That's about the same time I started receiving the ads. There is a little box that pops up in the bottom-right-hand corner of my screen. The ads on my computer are for 10010 (China Unicom). I had a hunch it was them, but I decided to rule out the other possibilities first. Scans by various antivirus/malware/adware software detected nothing. I confirmed it was not a new type of advertising by the websites. With that out of the way, I called up China Unicom and I complained about pop-up ads; the representative stated that I had agreed to them in my contract when I signed up for internet service. It must be nice being a monopoly (many neighborhoods in China, including mine, only allow one ISP). At least they didn't deny it like they do every time I call up and complain that I can't access YouTube, Facebook, etc. (Yes, I do realize that they are blocked, but sometimes it's just fun to mess with the system. :p) Anyway, they aren't the first ISP to insert ads (search for "Phorm" or "ISP inserting ads"). Hopefully, these bad advertising practices by ISPs will be the next story to go viral on Weibo.

Also, apparently, this has been going on a long time, so maybe we're actually lucky we are only now experiencing it:
http://www.marc.cn/2010/07/china-unicom-keeps-on-serving-ads-without-permission.html
http://news.ichinastock.com/2011/04/qiyi-ceo-accuses-china-unicom-of-sabotaging-user-experience-with-pop-up-ads/



Thanks for confirming my sanity is still intact! The Chinese are complaining about this on the BBS's. It's apparently Beijing Unicom, a subset of China Unicom, and it's dependent on where you are located and what your building/apartment has hooked up. Which is why I seem to be one of the few on FT experiencing it. Also started getting it on IE browser, but not Opera (so far). Firefox: there is a fix.
Open Firefox (try to have latest or recent version).
Go to Tools.-->Addons-->search in the box for NoScript.
When NoScript comes up (curr version 2.2.8) Install it, and then Restart Firefox. This took care of it for me.
If however, the popup happens again, click on the curvy "S" NoScript icon that's now on your toolbar, and select Untrusted. That little popup may appear as family001.com--so send that sucker to Untrusted. And Restart Firefox again.

This ISP-inserted advert thing has not crashed or hung up my browsers yet, but I have read reports from Chinese users that that has been a problem. :td:

Having the VPN on or off makes no difference in this nasty phenomenon. But interestingly, so far of the international websites I've visited (which is about 95% of my usage), it only happens on FT.

ETA: If any of you tech-savvy readers have further ideas on how to combat this corporate hijacking of my internet peace, please advise!

@jiejie

You're not crazy. That's about the same time I started receiving the ads. There is a little box that pops up in the bottom-right-hand corner of my screen. The ads on my computer are for 10010 (China Unicom). I had a hunch it was them, but I decided to rule out the other possibilities first. Scans by various antivirus/malware/adware software detected nothing. I confirmed it was not a new type of advertising by the websites. With that out of the way, I called up China Unicom and I complained about pop-up ads; the representative stated that I had agreed to them in my contract when I signed up for internet service. It must be nice being a monopoly (many neighborhoods in China, including mine, only allow one ISP). At least they didn't deny it like they do every time I call up and complain that I can't access YouTube, Facebook, etc. (Yes, I do realize that they are blocked, but sometimes it's just fun to mess with the system. :p) Anyway, they aren't the first ISP to insert ads (search for "Phorm" or "ISP inserting ads"). Hopefully, these bad advertising practices by ISPs will be the next story to go viral on Weibo.

Also, apparently, this has been going on a long time, so maybe we're actually lucky we are only now experiencing it:
http://www.marc.cn/2010/07/china-unicom-keeps-on-serving-ads-without-permission.html
http://news.ichinastock.com/2011/04/qiyi-ceo-accuses-china-unicom-of-sabotaging-user-experience-with-pop-up-ads/


Awesome first post!

Having the VPN on or off makes no difference in this nasty phenomenon. But interestingly, so far of the international websites I've visited (which is about 95% of my usage), it only happens on FT.


It may be that you're not doing your DNS lookups over the VPN. See if your VPN client allows you to configure it so that DNS traffic gets sent over the VPN rather than in the clear.

Theoretically if everything were sent over the VPN then they would have no way of inserting ads, unless they planted malware on your machine.

It may be that you're not doing your DNS lookups over the VPN. See if your VPN client allows you to configure it so that DNS traffic gets sent over the VPN rather than in the clear.

Theoretically if everything were sent over the VPN then they would have no way of inserting ads, unless they planted malware on your machine.

--The DNS traffic is definitely being sent through the VPN. The VPN client configuration for China includes auto-flushing the DNS cache upon access and upon shutdown.
--No malware on machine (that anybody can find.)
--Doesn't happen except accessing from my current (temporary) apartment, which is China Unicom service. Unless I'm missing something, the computer still has to access an ISP even before I activate the VPN. And it seems that THIS is the conceptual electronic interface point where the ISP is inserting the pop-up. How do you access the internet with no ISP?!?! While China (Beijing) Unicom can't see where I'm surfing over the VPN, they can tell that it's a computer hooked up to their ISP servers. And then if I happen to be in an advertising-targeted location, I'll get the popup along with the other users in that area.

--Doesn't happen when I take my computer to work and access, which is a different provider/ISP.
--Pop-up is a separate small window, not part of any frame of any website, and is sporadic....maybe most of the day, every 3-4 days. In Firefox with NoScript Addon, blitzed it. It did start popping up on IE also.

Since it's a temporary apartment and the service, though included in the rent, was not of my choosing and not in my name, I'll have to suck it up and deal, but since (per the Chinese chatter) it seems to be a China/Beijing Unicom problem, I'd probably not use them as a provider voluntarily, except if absolutely no other choice.

I'll have to suck it up and deal, but since (per the Chinese chatter) it seems to be a China/Beijing Unicom problem, I'd probably not use them as a provider voluntarily, except if absolutely no other choice.

I started getting these pop ups about a month ago and I've got service from telecom. I just put it down as another annoying thing that I'll have to live with as I doubt my complaints to China Telecom will result in much;)

The DNS traffic is definitely being sent through the VPN. The VPN client configuration for China includes auto-flushing the DNS cache upon access and upon shutdown.

The DNS cache may be getting flushed upon connect, but if your computer is still, for whatever reason, sending DNS requests to China Unicom's servers through the VPN, this could explain why you're still seeing the ads.

Try manually changing your DNS servers for your network device, not just your VPN client, to something like 8.8.8.8 and 8.8.4.4. This would conclusively eliminate the possibility that it's a DNS issue, which is what I suspect given your current explanation and some of the code in the popup you linked previously.

The DNS cache may be getting flushed upon connect, but if your computer is still, for whatever reason, sending DNS requests to China Unicom's servers through the VPN, this could explain why you're still seeing the ads.

Try manually changing your DNS servers for your network device, not just your VPN client, to something like 8.8.8.8 and 8.8.4.4. This would conclusively eliminate the possibility that it's a DNS issue, which is what I suspect given your current explanation and some of the code in the popup you linked previously.

Does this mean that the VPN is not that secure without this adjustment? Or visible to others?

Does this mean that the VPN is not that secure without this adjustment? Or visible to others?

Indeed, if you're using an untrusted DNS server then even if you're going through a VPN you may end up sending your non-HTTPS traffic to an untrusted web server.

Indeed, if you're using an untrusted DNS server then even if you're going through a VPN you may end up sending your non-HTTPS traffic to an untrusted web server.

This is mostly correct; the untrusted DNS server would never be able to see the content transmitted over your VPN, only the domains you visit. In fact, this would apply not only to HTTP traffic, but to any protocol accessed via a domain rather than IP, including HTTPS. For instance, China Unicom wouldn't know your credit card number or what you ordered, but they could see you visited Amazon.com even if the entire communication was over HTTPS.

This is mostly correct; the untrusted DNS server would never be able to see the content transmitted over your VPN, only the domains you visit. In fact, this would apply not only to HTTP traffic, but to any protocol accessed via a domain rather than IP, including HTTPS. For instance, China Unicom wouldn't know your credit card number or what you ordered, but they could see you visited Amazon.com even if the entire communication was over HTTPS.

The point is that for unauthenticated protocols such as HTTP they can then use the untrusted DNS to perform a man-in-the-middle attack and see the entire contents of your transactions.

HTTPS would at least warn you if they tried it, of course many people ignore such warnings, in which case even HTTPS can be hijacked. There have also been cases where the CA issuing authority itself has been compromised and bogus certificates issued (e.g., gmail in Iran) in which case if your browser is not up-to-date then you won't even get a warning with HTTPS.

Haven't fiddled yet with suggestions above but may do so. Haven't seen a pop-up with or without VPN in about 4 days. This may be due to ISP taking a break from these Ad Attacks. I'm less inclined to believe that due to massive anger from the Chinese netizens, the government has shut this practice down....but I can still dream.

Thanks for comments provided so far.

@Moondog Thanks :)

@jiejie
I don't think we're quite that lucky. I've been trying to figure out some rhyme or reason as to how often the pop-ups occur. Unfortunately, they seem to be extremely random. They may appear a few times an hour or once every few days.

It's not a virus. It's a DNS JavaScript injection by the ISP. You can get rid of it on Firefox by installing the NoScript Ad-on. The ad-on will even allow you to permit the script or not permit.