AdThink Adware Collects Demographic and Other Sensitive Data that is linked to your Usernames and Email Addresses
Security researchers at Princeton’s Center for Information Technology Policy discovered that Adthink, on the web as audienceinsights.net, is capturing your username by tricking your browser into autofilling it into hidden login forms. Websites deploying its technology are allegedly using that autofilled information to track visitors across the network's partner websites in an effort to build a profiling database of web visitors. What is concerning is that this data includes highly sensitive information such as the number of pages viewed on each affiliate website, the specific keyword searches performed and, of even more concern, socio-demographic data such as age range, gender and sometimes even perceived sexual orientation.
The partner websites capture the usernames and passwords, then hash those values and forward the resulting data to AdThink’s server farm for data aggregation and analytics. If usernames, emails or passwords are reused across member websites, this allows the end user to be tracked without their clear knowledge. AdThink claims that this data is anonymous and that they do not know who an individual is; however, reverse hashing using rainbow tables could easily allow a hacker who compromises AdThink’s data warehouse to identify the end user by email account, which sometimes reveals the actual name of a real person. This information, if intercepted by a nation state or rogue hacker, could be used very effectively in targeted phishing campaigns to induce email recipients to click messages that appear to relate to their past dealings with websites they visit.
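Why a hashed email address is a stable pseudonym rather than anonymous data, shown as an added example that is not from the original post or from AdThink. SHA-256, the lowercase normalisation, the per-site secret and every address below are assumptions made for illustration; the post does not say which hash function is used.

```shell
#!/bin/sh
# Added illustration; all addresses and secrets are constructed sample data.

# sha256_hex: hex digest of stdin (sha256sum on Linux, shasum on macOS).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -d' ' -f1
}

# hash_id EMAIL: unsalted hash of the normalised address (assumed scheme).
hash_id() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sha256_hex; }

# salted_id SITE_SECRET EMAIL: same hash, mixed with a secret each site keeps private.
salted_id() {
    printf '%s:%s' "$1" "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" | sha256_hex
}

# Two unrelated partner sites hash the same autofilled address independently.
site_a_id=$(hash_id "Jane.Doe@example.com")
site_b_id=$(hash_id "jane.doe@example.com")

# same_visitor: "yes" when both sites derived the same identifier.
same_visitor() { [ "$site_a_id" = "$site_b_id" ] && echo yes || echo no; }

# reidentify DIGEST ADDRESS...: prints the address whose unsalted hash equals
# DIGEST, which is all it takes to turn a stored identifier back into an email.
reidentify() {
    target=$1; shift
    for addr in "$@"; do
        if [ "$(hash_id "$addr")" = "$target" ]; then echo "$addr"; return 0; fi
    done
    return 1
}

echo "linkable across sites: $(same_visitor)"
echo "stored id maps back to: $(reidentify "$site_a_id" bob@example.org jane.doe@example.com)"
# With a private per-site secret the two sites no longer share an identifier.
[ "$(salted_id secret-a jane.doe@example.com)" != "$(salted_id secret-b jane.doe@example.com)" ] &&
    echo "per-site salted ids differ"
```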
Some of the data captured by AdThink scripts deployed across affiliate websites include the following:
- birth date
- BMI (body mass index)
- relationship states
- seek_for_gender (m, f, transman, transwoman, couple)
- location (postcode, town, state, country)
- loan (type, amount, duration, overindebted)
- insurance (car, motorbike, home, pet, health, life)
- card_risk (chargeback, fraud_attempt)
- has_car (make, model, type, registration, model year, fuel type)
- travel (from, to, departure, return)
Fortunately, there is something that you can do to protect yourself.
Windows 10 Users – How to disable AdThink’s information collection from your browser
If you are using a Windows 10 based computer, you can modify your hosts file so that your browser's transmissions to the AdThink network servers go nowhere: insert hosts file entries that make those names resolve locally to 127.0.0.1. This basically creates a sinkhole for any traffic that would go to AdThink.
To do this, you first need to launch a DOS command prompt running as Administrator. Press CONTROL – ESCAPE, then type CMD. When the Command Prompt icon appears, mouse over the icon and press your right mouse button to obtain the Run As Administrator option, select that option with your left mouse button, and click OK on the run dialogue that appears. You should now have your DOS Command Prompt with full administrative access.
Note, if your system administrator disabled your administrative rights, you will need their help to accomplish this task.
From the Command Prompt running as administrator, type the following:
“cd C:\Windows\system32\drivers\etc\” Drop the quotes!
“notepad hosts” This will open your hosts file with the notepad application running with the required privilege level necessary to edit and save this file.
Insert the following text into the hosts file. Be careful not to modify other entries your administrator may have added, or you may experience other problems.
*** Begin copy below this line
# Added hosts entries to block AdThink scripts from collecting data per leeneubecker.com 1/3/2018
*** Stop copy above this line
Now save the file and close.
This should effectively direct all traffic to static.audienceinsights.net and api.behavioralengine.com to your local computer, thereby protecting you from having this information shared with AdThink.
Mac OS Users – How to disable AdThink’s information collection from your browser
If you are using a Mac, the process is similar except you need to do the following:
- Open Terminal via the Spotlight, or by navigating into Applications > Utilities > Terminal
- Next, open the hosts file for editing as administrator by typing the following
sudo nano /private/etc/hosts
- Enter your Mac user’s password to authorize running this as administrator (if you are not an administrator on the machine, you will need someone who is to assist)
- Add the following two lines to the bottom of the hosts file. (Note there must be a space between the IP address and the domain name)
- Save your changes in Nano (The Mac Terminal Text Editor Command Line Tool) by pressing control-o and then Return to accept the same filename, then exit the editor by pressing control-x.
- You may need to reboot, or at least flush your local DNS cache, so that the changes take effect. You can flush the cache by typing the following into your terminal window, which should still be open.
sudo dscacheutil -flushcache
That should complete the process on the Mac. Close your terminal window and resume safe browsing.
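The hosts file edit from the steps above as a repeatable script, added here as an example and not part of the original post. The entries are built from the 127.0.0.1 address and the two hostnames the post names; the function names, the `--apply` switch and the `HOSTS_FILE` variable are hypothetical, and the default path is the macOS one used above.

```shell
#!/bin/sh
# Added example, not from the original post. The two hostnames and 127.0.0.1
# are the ones the post names; function names are hypothetical.
BLOCK_DOMAINS="static.audienceinsights.net api.behavioralengine.com"

# is_blocked FILE DOMAIN: succeeds if an uncommented line maps DOMAIN to a sink address.
is_blocked() {
    awk -v d="$2" '
        { sub(/#.*/, "") }                       # ignore comments
        ($1 == "127.0.0.1" || $1 == "0.0.0.0") {
            for (i = 2; i <= NF; i++) if (tolower($i) == d) found = 1
        }
        END { exit !found }
    ' "$1"
}

# block_domains FILE [SINK]: append only the missing entries; prints how many were added.
block_domains() {
    file=$1; sink=${2:-127.0.0.1}; added=0
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak"   # keep one pristine backup
    # Terminate the last existing line so the new entry does not join it.
    if [ -n "$(tail -c 1 "$file")" ]; then echo >> "$file"; fi
    for d in $BLOCK_DOMAINS; do
        if ! is_blocked "$file" "$d"; then
            printf '%s %s\n' "$sink" "$d" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Run as: sudo sh block_adthink.sh --apply   (script name is a placeholder)
if [ "${1:-}" = "--apply" ]; then
    block_domains "${HOSTS_FILE:-/private/etc/hosts}"
fi
```

Running it a second time adds nothing, and a commented-out entry is not counted as a block. Flush the DNS cache afterwards as described above.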
Other useful hosts file entries to protect your computer can be obtained from the following links on the web:
https://www.safer-networking.org/ – They have a free program that will modify your hosts file and append a rather long list of domain names they have associated with spyware or malware to your hosts file.
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts – Aggregator of domain names to block compiled by security minded folks. (Use these at your own risk.)
Here is a repository that compiles many block lists. Note, using 0.0.0.0 designates an invalid IP as opposed to 127.0.0.1 which directs traffic locally. Using 0.0.0.0 instead of 127.0.0.1 is probably the better way to ensure traffic to specific domains you want to block never sees the light of day.
Steve Gibson has a weekly podcast that details the AdThink issue and can be listened to while you commute if you are so inclined. https://twit.tv/shows/security-now/episodes/644?autostart=false
Example of Devious manipulation of a hosts file
Note, if you want to annoy a Facebook-addicted coworker and have administrative rights on their computer, you could insert the following hard-coded mapping of facebook.com to a monster.com IP, or even to a web server IP you set up and control, which will cause all traffic to facebook.com to be redirected to that IP. Disclaimer: Only do this if you have the legal right to do this! I added this to help readers of my blog understand how hosts files work. They essentially override the DNS server mapping an end user may receive from their router when trying to visit a website. The following entry, if added to a hosts file, will cause the computer’s browser to visit the following monster.com IP webpage instead of facebook.com, effectively blocking all browser traffic to facebook.com and diverting the traffic to an alternate IP address not associated with facebook.com.
Enjoy your surfing and pass this blog post on to your network administrator!