ATI is run by the Tunisian Ministry of Communications. They supply all of the privately held Tunisian ISPs, making them the main source of Internet access in the country. They’ve been under scrutiny for years, due to the fact that they make use of their authority to regulate the entire national network. Last April, ATI earned international attention by blocking access to sites such as Flickr, YouTube, and Vimeo.
According to Reporters Without Borders, authorities claim to target only pornographic or terrorist websites. “However, censorship applies above all to political opposition, independent news, and human rights websites.”
“When an Internet user attempts to access a prohibited website, the following automatic error message appears: “Error 404: page not found,” without displaying the familiar “Error 403” more typical of a blocked site…This strategy equates to a disguised form of censorship.”
Four different experts consulted by The Tech Herald independently confirmed our thoughts; the embedded code is siphoning off login credentials.
On Twitter, security researcher Gerry Kavanagh and Errata Security CTO David Maynor told us that you can tell the code is capturing login information by how it references the login element for the form.
“Suffice to say, the code is definitely doing something surreptitious,” Kavanagh noted.
The newly encrypted data is placed into the URL, and a randomly generated five character key is added. The randomly generated key is meaningless, but it is assumed that it’s there to add a false sense of legitimacy to the URL.
The random characters and encrypted user information are delivered in the form of a GET request to a non working URL. In the Gmail example, you see this URL listed as http://www.google.com/wo0dh3ad. Abraham noted that the encryption makes it easy to capture usernames and passwords that would include special characters such as ‘%’ or ‘/’.
Considering that the backbone of the Tunisian Internet is full of state run filters and firewalls designed to block access, configuring one to log the GET commands with the harvested data would be trivial. But is this a government sponsored action?
The likelihood that a group of criminals compromised the entire Tunisian infrastructure is virtually nonexistent. Code planting on this scale could only originate form an ISP. With their history of holding an iron grip on the Internet, ATI is the logical source of the information harvesting.
Another interesting note is that it appears the embedded code has targeted Tunisian users for several months. Slim Amamou, of the Global Voices Advocacy blog, reported his findings on the code last July, and at the time, ATI was blocking Google’s HTTPS port, forcing users to default to HTTP.
The ATI website has been offline for more than a day. The outage started after Anonymous launched Operation: Tunisia. Our coverage on their actions and the problems in Tunisia is here.