Quite recently Andrey Meshkov from AdGuard, in the article “Big Star Labs” spyware campaign affects over 11,000,000 people, demonstrated how malicious browser extensions can, and in fact do, gain access to the personal browsing history of unsuspecting users, potentially leaking this information to third parties.
Thanks to an accidental discovery I made today, it seems that might very well be true.
TL;DR
Big Star Labs LP, the company behind countless spyware applications gathering user browsing history data, is sharing at least part of it with at least one third party: Amobee, Inc., which has the Kontera brand in its portfolio.
Background
This Saturday I finally found some time to roll out a new, shiny build server for my personal open-source projects. I decided to test the installation with a private GitHub repo, just to see the how’s and what’s behind the CI app I had chosen, and to do so I initially decided to forgo my usual security measures, namely putting a firewall in front of the CI server.
What’s in the log
Come Sunday morning, and I was checking the access log for webhook requests.
This is the excerpted log line that caught my attention:
54.209.60.63 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
A completely regular request, you might think at first. A couple of problems, however:
- That is not my IP address. That’s an Amazon S3 network block.
- That GET request goes against a URL that is only accessible to authenticated users. And there is only one person who has the credentials — me.
- The URL in question is not listed anywhere outside of the user area.
At this point, some things needed clarifying: how did this visitor get the URL, considering the chance of someone randomly guessing it is zero; who are they; and why are they accessing this URL?
Taking the “who” first: a quick nslookup later and we have an answer:
> nslookup 54.209.60.63 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
63.60.209.54.in-addr.arpa name = nat.aws.kontera.com.
The IP address is Amazon’s, but the reverse record points to Kontera Technologies, Inc., an acquisition of Amobee, Inc.
Now the tricky part — how could they possibly have got their hands on this URL? So I set off to eliminate all the usual suspects (server compromised, my machine compromised, CI software compromised), until I noticed something very odd while monitoring the logs and browsing the CI: more requests popping in!
This led me to believe that either my machine, my browser itself, or one of the browser extensions I had installed had been compromised. I would consider anything between me and the server machine unlikely to blame, as the server had been configured to use HTTPS by default since before the CI was installed. Given the likelihood of a malicious browser extension, I disabled all the extensions and re-enabled them one by one until Chrome’s net-internals started to show interesting things.
The missing link
81764 SOCKET https://api2.poperblocker.com/
82335 URL_REQUEST https://api2.poperblocker.com/view/update
82336 HTTP_STREAM_JOB_CONTROLLER https://api2.poperblocker.com/view/update
82337 HTTP_STREAM_JOB https://api2.poperblocker.com/
82343 DISK_CACHE_ENTRY
82344 URL_REQUEST https://api2.poperblocker.com/view/update
82345 HTTP_STREAM_JOB_CONTROLLER https://api2.poperblocker.com/view/update
82346 HTTP_STREAM_JOB https://api2.poperblocker.com/
82352 DISK_CACHE_ENTRY
82400 URL_REQUEST https://api2.poperblocker.com/view/update
82401 HTTP_STREAM_JOB_CONTROLLER https://api2.poperblocker.com/view/update
82402 HTTP_STREAM_JOB https://api2.poperblocker.com/
82403 DISK_CACHE_ENTRY
82463 QUIC_SESSION www.google.es
82600 URL_REQUEST https://api2.poperblocker.com/view/update
82601 HTTP_STREAM_JOB_CONTROLLER https://api2.poperblocker.com/view/update
82602 HTTP_STREAM_JOB https://api2.poperblocker.com/
82603 SSL_CONNECT_JOB ssl/api2.poperblocker.com:443
82604 TRANSPORT_CONNECT_JOB ssl/api2.poperblocker.com:443
82605 HOST_RESOLVER_IMPL_JOB api2.poperblocker.com
82606 SOCKET ssl/api2.poperblocker.com:443
Whenever I opened a page, the Poper Blocker extension would send encoded payloads to its own domain. Well, at least they are using HTTPS…
All the requests I logged go to the same domain from the same extension, each within seconds to minutes before a new line would appear in the CI server access log to inform me that the server had been hit yet again by a crawler that should never have been where it was.
At this point, I went to google around for this, and that is how I stumbled upon this excellent piece by Andrey Meshkov: “Big Star Labs” spyware campaign affects over 11,000,000 people. It also contains all the payloads and extra techy bits about how the extension spyware operates.
The honeypot
To prove beyond doubt that what I suspected, and what Andrey Meshkov wrote about in his article, was indeed what was happening, I hatched a small test: a fake private URL with an injected A element that would trigger Poper Blocker’s reporting script, in a fresh browser instance with no other extensions.
A little while later, et voilà:
54.86.66.252 - - [19/Aug/2018:20:37:26 +0200] "GET /clearly-this-is-a-honeypot-for-big-star-labs/ HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
The IP addresses I managed to collect over the course of this ordeal all resolve to *.kontera.com:
54.209.60.63 nat.aws.kontera.com.
54.175.74.27 nat-service3.aws.kontera.com.
52.71.155.178 nat-service.aws.kontera.com.
54.86.66.252 nat-service4.aws.kontera.com.
184.72.115.35 nat-service1.aws.kontera.com.
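The detection logic behind the honeypot above, and behind the earlier observation that crawler hits follow the extension’s beacons within seconds to minutes, can be written down as a small log check. The following is an added example, not code from the post: it parses Combined Log Format lines, flags any request for an authenticated-only or canary path that does not come from the operator’s own address, and annotates each hit with a reverse-DNS name taken from a table built from the nslookup results above (no live PTR lookups, so it runs offline). The sample log lines, the owner address 203.0.113.7 and the canary planting time are constructed for the example.

```python
"""Added example (not the post's own code): flag private/canary URL requests
from addresses that are not the operator's, using a static reverse-DNS table."""
import re
from collections import Counter
from datetime import datetime, timezone, timedelta

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Paths that only an authenticated user should ever request (from the post's CI).
PRIVATE_PREFIXES = ("/Addvilz/", "/account/")
# The honeypot path from the post; any hit here is a leak by definition.
CANARY_PREFIX = "/clearly-this-is-a-honeypot-for-big-star-labs/"
# Constructed: when the canary page was opened in the clean browser (the post gives no time).
CANARY_PLANTED_AT = datetime(2018, 8, 19, 20, 30, 0, tzinfo=timezone(timedelta(hours=2)))

# Constructed allowlist: the operator's own address (documentation range placeholder).
OWNER_IPS = {"203.0.113.7"}

# Reverse-DNS table copied from the post's nslookup results, used instead of a PTR query.
PTR_TABLE = {
    "54.209.60.63": "nat.aws.kontera.com.",
    "54.175.74.27": "nat-service3.aws.kontera.com.",
    "52.71.155.178": "nat-service.aws.kontera.com.",
    "54.86.66.252": "nat-service4.aws.kontera.com.",
    "184.72.115.35": "nat-service1.aws.kontera.com.",
}

# Constructed sample log modelled on the post's access log (user agents shortened).
SAMPLE_LOG = """\
54.209.60.63 - - [18/Aug/2018:16:02:50 +0200] "GET /robots.txt HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) Safari/600.1.25"
203.0.113.7 - - [18/Aug/2018:17:50:00 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/61.0"
54.209.60.63 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:17:52:27 +0200] "GET /Addvilz/drone-docker-demo/settings/secrets HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) Safari/600.1.25"
54.86.66.252 - - [19/Aug/2018:20:37:26 +0200] "GET /clearly-this-is-a-honeypot-for-big-star-labs/ HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) Safari/600.1.25"
"""


def parse_line(line):
    """Return a dict for one log line (ts as an aware datetime), or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FORMAT)
    return entry


def classify_path(path):
    """'canary' for honeypot hits, 'private' for authenticated-only URLs, else 'public'."""
    if path.startswith(CANARY_PREFIX):
        return "canary"
    if path.startswith(PRIVATE_PREFIXES):
        return "private"
    return "public"


def find_leaks(log_text, owner_ips=OWNER_IPS, ptr_table=PTR_TABLE):
    """Every private or canary request from a non-owner address, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["ip"] in owner_ips:
            continue
        kind = classify_path(entry["path"])
        if kind == "public":
            continue  # robots.txt and the like are not evidence of anything
        findings.append({
            "ip": entry["ip"],
            "ptr": ptr_table.get(entry["ip"], "(no PTR known)"),
            "path": entry["path"],
            "kind": kind,
            "ts": entry["ts"],
        })
    return findings


def owners_by_domain(findings):
    """Count findings by the last two labels of the reverse name, e.g. 'kontera.com'."""
    counts = Counter()
    for f in findings:
        labels = f["ptr"].rstrip(".").split(".")
        counts[".".join(labels[-2:]) if len(labels) >= 2 else f["ptr"]] += 1
    return counts


def time_to_leak(findings, planted_at):
    """Seconds from planting the canary to the first crawler hit on it, or None if no hit."""
    hits = sorted(f["ts"] for f in findings if f["kind"] == "canary")
    return (hits[0] - planted_at).total_seconds() if hits else None


if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_LOG)
    for f in leaks:
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S} {f['kind']:7} {f['ip']:15} {f['ptr']:32} {f['path']}")
    print(dict(owners_by_domain(leaks)))
    print("seconds from planting to first canary hit:", time_to_leak(leaks, CANARY_PLANTED_AT))
```

In practice the allowlist holds the addresses you actually browse from, and the PTR table is replaced by a cached reverse lookup of each unexpected address; grouping the results by the reverse name’s domain is what turns a handful of scattered AWS addresses into the single pattern (everything resolving under kontera.com) that the post’s IP list shows.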
A somewhat smoking gun
The domain name poperblocker.com is owned by Big Star Labs LP. At the time of this writing, this domain has a subdomain, webmail.poperblocker.com, pointing to 31.168.232.169, an IP assigned to Bezeq International Ltd, an Israel-based telecommunications company. That is somewhat odd, considering Big Star Labs LP is a Delaware-registered entity.
What is more interesting still, Kontera Technologies, Inc., acquired by Amobee, Inc., was based in Israel.
Then there is this interesting article dating back to 2012 (in Hebrew): https://www.haaretz.co.il/captain/software/1.1794725, confirming the Poper Blocker extension was indeed made by an Israeli developer.
From Poper Blocker’s own policy, citing…
We may share your Non-Personal information with our parent company…
Probably not a coincidence.
The conclusion
Amobee, Inc. and Big Star Labs LP are definitely affiliated somehow. One might be using the services of the other, Big Star Labs LP could be sharing data with Amobee, or, most likely, Big Star Labs LP could be a subsidiary of Amobee. Given how quickly a request from the spyware extension published by Big Star Labs results in a crawl request from Amobee, it would not be unreasonable to conclude that the two are very closely affiliated.
Whatever the relationship is, user data is clearly shared between the two, and in this case, the “why” does not even matter anymore.
Tech stuff
poperblocker.com digs
> dig @8.8.8.8 poperblocker.com any
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 poperblocker.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37971
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;poperblocker.com. IN ANY
;; ANSWER SECTION:
poperblocker.com. 59 IN A 52.87.93.204
poperblocker.com. 59 IN A 34.204.22.236
poperblocker.com. 21599 IN NS ns-1413.awsdns-48.org.
poperblocker.com. 21599 IN NS ns-1645.awsdns-13.co.uk.
poperblocker.com. 21599 IN NS ns-726.awsdns-26.net.
poperblocker.com. 21599 IN NS ns-93.awsdns-11.com.
poperblocker.com. 899 IN SOA ns-93.awsdns-11.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
poperblocker.com. 3599 IN MX 10 webmail.poperblocker.com.
poperblocker.com. 299 IN TXT "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDtnCfO3ESvRhMohdNr5Pjz9SOIT9UyXUdMGxJftJn0c83wIdHq0j53Ma8UC+tKUrlqxt5dwwKBqKmFCsu5+aO47O225o4vBR9ujfrNQbuxvOCyQXiOs5xxzGmeS3JIwQ0OCyzXczrrwiMrG24DLPEsbvU1OwdVHzhP1lGezU59UQIDAQAB"
;; Query time: 45 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 19 21:50:06 CEST 2018
;; MSG SIZE rcvd: 529
> dig @8.8.8.8 webmail.poperblocker.com any
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 webmail.poperblocker.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35125
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;webmail.poperblocker.com. IN ANY
;; ANSWER SECTION:
webmail.poperblocker.com. 299 IN A 31.168.232.169
;; Query time: 47 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 19 21:50:27 CEST 2018
;; MSG SIZE rcvd: 69
> whois -G 31.168.232.169 | grep 'org-name'
org-name: Bezeq International-Ltd
Crawler reverse lookups
nslookup 54.209.60.63 8.8.8.8
nslookup 54.175.74.27 8.8.8.8
nslookup 52.71.155.178 8.8.8.8
nslookup 54.86.66.252 8.8.8.8
nslookup 184.72.115.35 8.8.8.8
63.60.209.54.in-addr.arpa name = nat.aws.kontera.com.
27.74.175.54.in-addr.arpa name = nat-service3.aws.kontera.com.
178.155.71.52.in-addr.arpa name = nat-service.aws.kontera.com.
252.66.86.54.in-addr.arpa name = nat-service4.aws.kontera.com.
35.115.72.184.in-addr.arpa name = nat-service1.aws.kontera.com.
Access log
54.209.60.63 - - [18/Aug/2018:16:02:50 +0200] "GET /robots.txt HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:16:02:50 +0200] "GET /account/repos HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo/1 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo/1/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo/settings/registry HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:17:52:27 +0200] "GET /Addvilz/drone-docker-demo/settings/secrets HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
52.71.155.178 - - [18/Aug/2018:17:52:32 +0200] "GET /Addvilz/drone-docker-demo/1/2 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:17:52:33 +0200] "GET /Addvilz/drone-docker-demo/settings HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:01:30 +0200] "GET /Addvilz/drone-docker-demo/2 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
52.71.155.178 - - [18/Aug/2018:18:01:30 +0200] "GET /Addvilz/drone-docker-demo/2/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:18:01:34 +0200] "GET /Addvilz/drone-docker-demo/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:01:34 +0200] "GET /Addvilz/drone-docker-demo/3/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:01:36 +0200] "GET /Addvilz/drone-docker-demo/4 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:01:36 +0200] "GET /Addvilz/drone-docker-demo/4/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:18:01:39 +0200] "GET /Addvilz/drone-docker-demo/5/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:18:01:40 +0200] "GET /Addvilz/drone-docker-demo/5 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:18:11:06 +0200] "GET /Addvilz/drone-docker-demo/5/2 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:11:12 +0200] "GET /Addvilz/drone-docker-demo/6/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:11:12 +0200] "GET /Addvilz/drone-docker-demo/6 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
52.71.155.178 - - [18/Aug/2018:18:22:10 +0200] "GET /Addvilz/drone-docker-demo/6/2 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:18:31:18 +0200] "GET /Addvilz/drone-docker-demo/7 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:31:18 +0200] "GET /Addvilz/drone-docker-demo/7/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:18:31:19 +0200] "GET /Addvilz/drone-docker-demo/8 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.86.66.252 - - [19/Aug/2018:13:02:13 +0200] "GET /Addvilz/drone-docker-demo/8/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
184.72.115.35 - - [19/Aug/2018:18:26:58 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [19/Aug/2018:18:36:52 +0200] "GET /robots.txt HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.86.66.252 - - [19/Aug/2018:19:06:20 +0200] "GET /Addvilz/drone-docker-demo/9 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
52.71.155.178 - - [19/Aug/2018:19:06:21 +0200] "GET /Addvilz/drone-docker-demo/9/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.86.66.252 - - [19/Aug/2018:19:16:21 +0200] "GET /Addvilz/drone-docker-demo/9/2 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
52.71.155.178 - - [19/Aug/2018:19:27:25 +0200] "GET /Addvilz/drone-docker-demo/10 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
52.71.155.178 - - [19/Aug/2018:19:37:03 +0200] "GET /Addvilz/drone-docker-demo/11 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.86.66.252 - - [19/Aug/2018:19:47:00 +0200] "GET /Addvilz/drone-docker-demo/11/ HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [19/Aug/2018:19:57:18 +0200] "GET /Addvilz/drone-docker-demo/12 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.86.66.252 - - [19/Aug/2018:20:37:26 +0200] "GET /clearly-this-is-a-honeypot-for-big-star-labs/ HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"