According to a security report by information risk management firm, IOActive, major ISPs in the US have created a massive security hole which puts the entire internet at risk, all in the name of making money.

Earthlink, an internet service provider has, along with a British advertising company called Barefruit, been engaged in the practice of hijacking DNS error pages with ad-supported alternatives since August 2006, but failed to protect the redirected error pages from cross-site scripting attacks, which allow hackers to embed malicious data-stealing trojans on seemingly legitimate domains such as Paypal, eBay, Google or any number of trusted sites.

It works by intercepting the Domain Name System (DNS) which translates IP addresses to domain names, in order to force a redirect for any unresolved or mis-spelled domain, including non-existent sub-domains on popular sites, such as security.paypal.com.

Victims of an email phishing attack would be sent to the subverted domain, which is easily hacked via the holes left by the ISP, and could be made to mimic a trusted site, which, due to the matching domain would be much harder to identify as a phishing attack.

Since the report was made known to Earthlink, the hole has been patched, but this leaves internet users at the mercy of ISPs and advertising partners, making them vunerable to poor coding practices employed by Earthlink, Verizon, Comcast, Time Warner, and Qwest, who have all implemented DNS hijacking for the sake of ad revenue.

So how can you protect yourself from this ever-present danger? The old advice to check the destination URL of links in emails can no longer offer protection. The only thing you can do to be absolutely safe, is to never click links in emails, particularly from sensitive sites like Paypal. Instead, log in manually through your browser.

This isn’t the first time ISPs have been in hot water over advertising/security practices; UK ISPs have been attacked over controversial plans to partner with Phorm, a company which spies on browsing habits to deliver tailored advertising. This recent scandal involving ISPs in the states serves to further damage the relationship between consumers and internet providers.

See Also: Phorm is watching you - Who’s watching Phorm?, BT to customers - We are dropping Phorm, Anonymous turns its gaze to Virgin Media