Just recently, Andrey Meshkov from AdGuard, in his article “Big Star Labs” spyware campaign affects over 11,000,000 people, demonstrated how malicious browser extensions can, and in fact do, gain access to the personal browsing history of unsuspecting users, potentially leaking this information to third parties.

Thanks to an accidental discovery I made today, it seems that might very well be true.

TLDR;

Big Star Labs LP, the company behind countless spyware applications gathering user browsing history data, is sharing at least part of it with at least one outside player: Amobee, Inc., which has the Kontera brand in its portfolio.

Background

This Saturday I finally found some time to roll out a new, shiny build server for my personal open source projects. I decided to test the installation with a private GitHub repo, just to see what is behind the CI app I decided to use, and to do so I initially forwent my usual security measures, namely putting a firewall in front of the CI server. This off-the-cuff decision was imperative to what I discovered next.

What’s in the log

Come Sunday morning, satisfied with my CI setup, I decided to check the access log, as the HTTP server was still open at that point, to make sure nothing odd had happened since I started the service.

This is the log line that caught my attention:

54.209.60.63 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"

A completely regular request, you might think at first. There are a couple of problems, however:

That is not my IP address; it is an Amazon AWS network block. That GET request goes against a URL that is only accessible to authenticated users, and there is only one person who has the credentials: me. The URL in question is not listed anywhere outside the user area.

At this point, some things need to be clarified: how did this visitor get the URL, considering the chance of someone randomly guessing it is practically zero; who are they; and why are they accessing this URL.

Let us take the “who” part first. A quick nslookup later, we have an answer:

> nslookup 54.209.60.63 8.8.8.8

Server: 8.8.8.8

Address: 8.8.8.8#53



Non-authoritative answer:

63.60.209.54.in-addr.arpa name = nat.aws.kontera.com.

The IP address belongs to Amazon, but the reverse record points to Kontera Technologies, Inc., an acquisition of Amobee, Inc.

Now the tricky part: how could they possibly have gotten their hands on this URL? So I set off to eliminate all the usual suspects (server compromised, my machine compromised, CI software compromised), until I noticed something very odd while monitoring the logs and browsing the CI: more requests popping in!

This led me to believe that either my machine, my browser itself, or one of the browser extensions I had installed had been compromised. I assumed anything between me and the server machine was unlikely to be to blame, as the server had been configured to use HTTPS by default since before the CI was installed. Given the likelihood of a malicious browser extension, I set out to disable all the extensions, re-enabling them one by one until chrome://net-internals started to show interesting things.

The missing link

81764 SOCKET https://api2.poperblocker.com/

82335 URL_REQUEST https://api2.poperblocker.com/view/update

82336 HTTP_STREAM_JOB_CONTROLLER https://api2.poperblocker.com/view/update

82337 HTTP_STREAM_JOB https://api2.poperblocker.com/

82343 DISK_CACHE_ENTRY

82344 URL_REQUEST https://api2.poperblocker.com/view/update

82345 HTTP_STREAM_JOB_CONTROLLER https://api2.poperblocker.com/view/update

82346 HTTP_STREAM_JOB https://api2.poperblocker.com/

82352 DISK_CACHE_ENTRY

82400 URL_REQUEST https://api2.poperblocker.com/view/update

82401 HTTP_STREAM_JOB_CONTROLLER https://api2.poperblocker.com/view/update

82402 HTTP_STREAM_JOB https://api2.poperblocker.com/

82403 DISK_CACHE_ENTRY

82463 QUIC_SESSION www.google.es

82600 URL_REQUEST https://api2.poperblocker.com/view/update

82601 HTTP_STREAM_JOB_CONTROLLER https://api2.poperblocker.com/view/update

82602 HTTP_STREAM_JOB https://api2.poperblocker.com/

82603 SSL_CONNECT_JOB ssl/api2.poperblocker.com:443

82604 TRANSPORT_CONNECT_JOB ssl/api2.poperblocker.com:443

82605 HOST_RESOLVER_IMPL_JOB api2.poperblocker.com

82606 SOCKET ssl/api2.poperblocker.com:443

Whenever I opened a page, the Poper Blocker extension would send encoded payloads to its own domain. Well, at least they are using HTTPS…

All the requests I logged go to the same domain from the same extension, each within seconds to minutes before a new line would appear in the CI server's access log, showing that the server had been hit yet again by a crawler that should never possibly be where it is.

At this point I started googling about this, and this is how I stumbled upon this excellent piece by Andrey Meshkov: “Big Star Labs” spyware campaign affects over 11,000,000 people. It also contains all the payloads and extra technical bits about how the extension spyware operates.

The honeypot

To prove beyond doubt that what I suspected, and what Andrey Meshkov wrote about in his article, was indeed what was happening, I hatched a small test: a fake private URL with an injected A element that would trigger Poper Blocker's reporting script, opened in a fresh browser instance with no other extensions.

A little while later, et voilà:

54.86.66.252 - - [19/Aug/2018:20:37:26 +0200] "GET /clearly-this-is-a-honeypot-for-big-star-labs/ HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"

The IP addresses I managed to collect over the course of this ordeal all reverse-resolve to *.kontera.com:

54.209.60.63 nat.aws.kontera.com.

54.175.74.27 nat-service3.aws.kontera.com.

52.71.155.178 nat-service.aws.kontera.com.

54.86.66.252 nat-service4.aws.kontera.com.

184.72.115.35 nat-service1.aws.kontera.com.
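The honeypot above is a canary URL: a path with enough entropy that nobody can guess or crawl it, so any request for it from an address other than the owner's proves the URL left the browser. The following is an added example (not the author's code) of how to generate such a canary, serve the bait page, and then run the access-log check that flags leaked hits and attributes them by reverse DNS. It assumes Combined Log Format (the shape of the log lines quoted in this post), an owner address of 203.0.113.7 (a TEST-NET address, chosen for the example), that a link in the bait page is what the extension reports (the post does not say which element triggers the reporting script), and an offline PTR map built from the lookups listed in this post so that it runs without network access. The sample log lines mix the two crawler hits quoted in the post with constructed owner and background-noise lines.

```python
"""Canary URLs and the access-log check for leaked private URLs (added example)."""
import re
import secrets
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# Combined Log Format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


class Hit(NamedTuple):
    ip: str
    ts: datetime
    path: str
    status: int
    ua: str


def parse_line(line: str) -> Optional[Hit]:
    """Parse one access-log line; return None for lines that are not CLF."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return Hit(m.group("ip"), ts, m.group("path"), int(m.group("status")), m.group("ua"))


def make_canary_path(prefix: str = "/hp-") -> str:
    """A path with 128 bits of entropy: it cannot be guessed or discovered by
    crawling, so a request for it from a non-owner address proves a leak."""
    return prefix + secrets.token_urlsafe(16) + "/"


def honeypot_page(canary_path: str) -> str:
    """The bait page served at the fake private URL. It carries an A element
    pointing at the canary (assumption: the extension reports links it sees)."""
    return (
        "<!doctype html><html><body>\n"
        f'<a href="{canary_path}">build artefacts</a>\n'
        "</body></html>\n"
    )


def find_leaks(lines: Iterable[str], canary_paths: Set[str], owner_ips: Set[str],
               ptr_map: Dict[str, str]) -> List[dict]:
    """Every request for a canary path not made by the owner, annotated with
    the reverse-DNS name of the source address taken from the offline map."""
    leaks = []
    for line in lines:
        hit = parse_line(line)
        if hit is None or hit.path not in canary_paths or hit.ip in owner_ips:
            continue
        leaks.append({"ip": hit.ip, "ptr": ptr_map.get(hit.ip, "<no PTR>"),
                      "path": hit.path, "when": hit.ts.isoformat(), "ua": hit.ua})
    return leaks


def leak_delay_seconds(beacon_ts: datetime, hit: Hit) -> float:
    """Seconds between the extension's beacon and the crawler's request."""
    return (hit.ts - beacon_ts).total_seconds()


# --- sample data (PTR map from the post; the rest constructed) ---------------
PTR_MAP = {
    "54.209.60.63": "nat.aws.kontera.com.",
    "54.175.74.27": "nat-service3.aws.kontera.com.",
    "52.71.155.178": "nat-service.aws.kontera.com.",
    "54.86.66.252": "nat-service4.aws.kontera.com.",
    "184.72.115.35": "nat-service1.aws.kontera.com.",
}
OWNER_IPS = {"203.0.113.7"}  # assumed owner address (TEST-NET-3)
CANARY_PATHS = {"/Addvilz/drone-docker-demo", "/clearly-this-is-a-honeypot-for-big-star-labs/"}
CRAWLER_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 "
              "(KHTML, like Gecko) Version/8.0 Safari/600.1.25")
SAMPLE_LOG = [
    # owner's own visit (constructed)
    '203.0.113.7 - - [18/Aug/2018:17:51:40 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" '
    '200 257 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/68.0"',
    # the two crawler hits quoted in the post
    f'54.209.60.63 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" '
    f'200 257 "-" "{CRAWLER_UA}"',
    f'54.86.66.252 - - [19/Aug/2018:20:37:26 +0200] "GET /clearly-this-is-a-honeypot-for-big-star-labs/ HTTP/1.1" '
    f'200 257 "-" "{CRAWLER_UA}"',
    # background internet noise (constructed): not a canary path, ignored
    '198.51.100.9 - - [19/Aug/2018:20:40:01 +0200] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.58.0"',
    "garbage line that is not CLF",
]
# constructed beacon time, as one would read it off chrome://net-internals
BEACON_TS = datetime.strptime("18/Aug/2018:17:52:10 +0200", "%d/%b/%Y:%H:%M:%S %z")

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG, CANARY_PATHS, OWNER_IPS, PTR_MAP):
        print(f'{leak["when"]} {leak["ip"]:<15} {leak["ptr"]:<32} {leak["path"]}')
```

One caveat when reading the attribution column: a PTR record is set by whoever controls the address (on AWS, the account that holds the address), so it is evidence of who operates the crawler, not proof; corroborate it with a forward lookup of the PTR name and a whois of the netblock, as the post does.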

A somewhat smoking gun

The domain name poperblocker.com is owned by Big Star Labs LP. At the time of this writing, this domain has a subdomain, webmail.poperblocker.com, pointing to 31.168.232.169, an IP assigned to Bezeq International Ltd., an Israel-based telecommunications company. That is somewhat odd, considering Big Star Labs LP is a Delaware-registered entity.

Odder still, Kontera Technologies, Inc., acquired by Amobee, Inc., was based in Israel.

Then there is this interesting article dating back to 2012 (in Hebrew): https://www.haaretz.co.il/captain/software/1.1794725, confirming that the Poper Blocker extension was indeed made by an Israeli developer.

From Poper Blocker's own policy, quoting:

We may share your Non-Personal information with our parent company…

I will leave it up to you, dear reader, to speculate about the probability of all this being just a coincidence.

The conclusion

Amobee, Inc. and Big Star Labs LP are definitely somehow affiliated. One might be using the other's services, Big Star Labs LP could be sharing data with Amobee, or, most likely, Big Star Labs LP could be a subsidiary of Amobee. Given how quickly a request from the spyware extension published by Big Star Labs results in a crawl request from Amobee, it would not be unreasonable to conclude that both are very closely affiliated.

Whatever the relationship is, user data is clearly shared between the two, and in this case the “why” does not even matter anymore.

Tech stuff

dig output for poperblocker.com

> dig @8.8.8.8 poperblocker.com any



; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 poperblocker.com any

; (1 server found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37971

;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1



;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 512

;; QUESTION SECTION:

;poperblocker.com. IN ANY



;; ANSWER SECTION:

poperblocker.com. 59 IN A 52.87.93.204

poperblocker.com. 59 IN A 34.204.22.236

poperblocker.com. 21599 IN NS ns-1413.awsdns-48.org.

poperblocker.com. 21599 IN NS ns-1645.awsdns-13.co.uk.

poperblocker.com. 21599 IN NS ns-726.awsdns-26.net.

poperblocker.com. 21599 IN NS ns-93.awsdns-11.com.

poperblocker.com. 899 IN SOA ns-93.awsdns-11.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

poperblocker.com. 3599 IN MX 10 webmail.poperblocker.com.

poperblocker.com. 299 IN TXT "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDtnCfO3ESvRhMohdNr5Pjz9SOIT9UyXUdMGxJftJn0c83wIdHq0j53Ma8UC+tKUrlqxt5dwwKBqKmFCsu5+aO47O225o4vBR9ujfrNQbuxvOCyQXiOs5xxzGmeS3JIwQ0OCyzXczrrwiMrG24DLPEsbvU1OwdVHzhP1lGezU59UQIDAQAB"



;; Query time: 45 msec

;; SERVER: 8.8.8.8#53(8.8.8.8)

;; WHEN: Sun Aug 19 21:50:06 CEST 2018

;; MSG SIZE rcvd: 529



> dig @8.8.8.8 webmail.poperblocker.com any



; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 webmail.poperblocker.com any

; (1 server found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35125

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1



;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 512

;; QUESTION SECTION:

;webmail.poperblocker.com. IN ANY



;; ANSWER SECTION:

webmail.poperblocker.com. 299 IN A 31.168.232.169



;; Query time: 47 msec

;; SERVER: 8.8.8.8#53(8.8.8.8)

;; WHEN: Sun Aug 19 21:50:27 CEST 2018

;; MSG SIZE rcvd: 69



> whois -G 31.168.232.169 | grep 'org-name'

org-name: Bezeq International-Ltd

Crawler reverse lookups

nslookup 54.209.60.63 8.8.8.8

nslookup 54.175.74.27 8.8.8.8

nslookup 52.71.155.178 8.8.8.8

nslookup 54.86.66.252 8.8.8.8

nslookup 184.72.115.35 8.8.8.8



63.60.209.54.in-addr.arpa name = nat.aws.kontera.com.

27.74.175.54.in-addr.arpa name = nat-service3.aws.kontera.com.

178.155.71.52.in-addr.arpa name = nat-service.aws.kontera.com.

252.66.86.54.in-addr.arpa name = nat-service4.aws.kontera.com.

35.115.72.184.in-addr.arpa name = nat-service1.aws.kontera.com.

Access log