BSNL Broadband: Ad Injection, Random Redirection to Malware Websites

pothi

#1
I started seeing browser pop-ups that redirect to speed [dash] open two [dot] com (please NEVER visit it), which in turn redirects to malicious sites. Here's my observation on this pop-up...
  • It happens only on the BSNL broadband network (that's why I posted it here, to see if there is anyone else with a similar experience).
  • It happens only on non-secure sites such as speedtest.net (a popular site for testing the speed of the connection), webpagetest.org (a popular site for testing the speed of a website), etc. Of course, I started using the speedtest.net app (for Mac) and started using the secure version of webpagetest.org.
  • I am on a Mac with all the latest updates applied. I don't use any illegal / pirated / malicious software. I don't visit malicious sites (intentionally), either. I tried a couple of anti-virus / anti-malware tools (EtreCheck and Bitdefender). My Mac is clean as per those tools (both are trusted and free, too).
  • I used to use a Belkin modem (bought about 8 years ago) until last week.
  • My first impression was that my Belkin modem may have been affected by a malware. So, I bought a new modem (Netgear) that seems to offer better security updates than some popular Chinese brands.
  • On both Belkin and Netgear modems, I changed the default passwords. Netgear is yet to be updated with the latest firmware, though. It will be done later this week.
  • I tried changing the DNS provider to Google, Quad9, Cloudflare, and my own DNS (using pi-hole.net). It didn't help.
  • It happens in both Firefox and Google Chrome browsers (both are regularly updated to the latest version). In both browsers, cookies and other data do not persist for sites except for a limited set of white-listed sites (related to my business).
Just checked with another friend who uses BSNL network (with BSNL provided modem). He experienced the same issue long ago, but it was rectified when the router was reset to factory settings and the default password was changed.

Has anyone else experienced a similar issue on the BSNL broadband network?

Update on August 1, 2018:
PSA:

As a temporary workaround for those who still face this issue (on a PC), please insert the following lines in your computer's hosts file...

0.0.0.0 cobalten.com
0.0.0.0 speed-open2.com

Here's the partial list of domains where we get redirects....

1bcde
cobalten
newsprofin
speed-open2
lp.easyziptab
decademical

For mobile devices, since editing the hosts file isn't practical (and is impossible in certain cases), I use my own DNS (using pi-hole.net) where I blocklisted the above domains. Anyone on the BSNL network can use it for their DNS queries to safeguard themselves from clicking these malicious domains by mistake. The IP of my pi-hole DNS server is 45.76.184.155. One caveat with this IP is that it also blocks most advertisements (that's the primary reason I started using pi-hole.net initially). It is made to work only on BSNL (using firewall rules) for now. If it doesn't work for you for some reason, please publish your BSNL IP here and I will unblock the whole range of BSNL IPs. Unfortunately, I can't allow non-BSNL users to use it, since it takes time, effort and money to run a DNS server. Currently, IPs starting with 59 and 117 are allowed for DNS queries!

Update on Oct 5, 2018: I no longer actively use BSNL broadband and use it only when I visit home (occasionally such as on weekends). My business required me to switch to another city and now I have Airtel broadband (among others). Thanks.
#2
I am also facing the same issue. I ran all types of antivirus to check for viruses in my system. As you said, it is only for insecure sites.
The redirects are for 3 sites:
1) colbaten.com
2) speed-open2.com
and 1 more which I cannot remember.
3) deloton

Location- Lucknow
EDIT: added 3rd redirect site.

pothi

#3
Thanks for your insights.

My location: Srivilliputhur, TamilNadu.

Just updated my original post with the browser details.
pothi

#5
That's sad to hear. Let me make a visit to the local BSNL exchange. JTO is a good person here, but it's time consuming to catch him in his seat. Can't blame him as there isn't much work here.
pothi

#6
There used to be a redirect to mail.bsnl.in at random when I visited an insecure site. However, that has been replaced with malicious sites now. Considering how careless BSNL can be, the pop-up malware could be an issue on their end.
pothi

#8
Wow! Things are uglier than expected. Haven't seen this issue on Airtel Broadband or on JIO 4G. Both have their own issues, though. But none of them are related to security / malware.
#9
I am using BSNL 3G as a hotspot. Since last month I am experiencing a redirect on clicking anywhere on HTTP websites... getting redirected to "cobalten.com/afu.php?zoneid=1365143&var=1492756"
and these kinds of scripts are running while I experience such redirects...
<script src='//117.240.205.115:3000/getjs?XXXXXXX........."></script>

<script src="//go.oclasrv.com/apu.php?zoneid=1492761" type="text/javascript"></script>
Any solution???
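Both the hosts-file workaround in post #1 and the injected script tags quoted in post #9 can be checked mechanically rather than by eye. The following Python script is an added example for this thread, not code from any poster: it emits 0.0.0.0 sinkhole lines for the fully qualified domains named in the thread, and it parses a captured HTTP response body to flag script tags whose source host is off-origin, is a bare IP address, uses a non-default port, or sits on that reported list. The sample HTML, the base URL http://www.speedtest.net/ and the query value PLACEHOLDER are constructed for the example; the hosts and zoneid value come from the posts above.

```python
"""Flag third-party <script> tags in an HTTP page and emit hosts-file sinkhole lines."""
from html.parser import HTMLParser
import ipaddress
from urllib.parse import urljoin, urlsplit

# Fully qualified domains reported in this thread (the bare names without a TLD are left out).
REPORTED_DOMAINS = [
    "cobalten.com",
    "speed-open2.com",
    "go.oclasrv.com",
]

# Constructed sample of a page body as it looked with the injected tags from post #9.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src='//117.240.205.115:3000/getjs?id=PLACEHOLDER'></script>
<script src="//go.oclasrv.com/apu.php?zoneid=1492761" type="text/javascript"></script>
</head><body><p>speed test</p></body></html>"""


def hosts_entries(domains):
    """Return hosts-file lines that sinkhole each domain to 0.0.0.0 (post #1's workaround)."""
    return [f"0.0.0.0 {d}" for d in domains]


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def _is_ip_literal(hostname):
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def _matches_blocklist(hostname, blocklist):
    # Match the domain itself and any subdomain of it.
    return any(hostname == d or hostname.endswith("." + d) for d in blocklist)


def find_suspicious_scripts(html, page_url, blocklist=REPORTED_DOMAINS):
    """Return off-origin script sources with the reasons each one looks injected."""
    parser = _ScriptCollector()
    parser.feed(html)
    origin_host = urlsplit(page_url).hostname
    findings = []
    for src in parser.srcs:
        absolute = urljoin(page_url, src)  # resolves scheme-relative '//host/...' against the page
        parts = urlsplit(absolute)
        host = parts.hostname or ""
        if host == origin_host:
            continue  # same-origin script, nothing to report
        reasons = []
        if _is_ip_literal(host):
            reasons.append("script served from a bare IP address")
        if parts.port:
            reasons.append(f"non-default port {parts.port}")
        if _matches_blocklist(host, blocklist):
            reasons.append("host on reported ad-injection list")
        if not reasons:
            reasons.append("off-origin script")
        findings.append({"src": absolute, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("\n".join(hosts_entries(REPORTED_DOMAINS)))
    for f in find_suspicious_scripts(SAMPLE_HTML, "http://www.speedtest.net/"):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

A bare IP with a high port as a script source is the strongest signal here: a legitimate HTTP site does not normally load its JavaScript that way, and only plaintext pages can be modified in transit, which is why the thread sees the problem on HTTP sites and not on their HTTPS versions.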

pothi

#10
Short answer: No solution.

Long answer: You may use a VPN to secure the connection. But free VPNs offer limited bandwidth. Proton VPN offers unlimited bandwidth, but their speed may be slow. But not slow enough to matter if you browse at 3G speeds.