Greedy ISPs Expose Users to Insecure Websites
Greedy ISPs in the U.S. and other parts of the world are cashing in on their customers' mistyped web addresses, exposing them to security risks. IOActive security researcher Dan Kaminsky has warned several large ISPs that their practice of redirecting users to ad pages when they try to access pages that don't exist has created massive security holes.

"The ISPs will say they're doing wonderful favors for users who might have to otherwise go back and type in the real name of the site they're seeking. But the reality is that anytime ISPs add yet another level of complexity to their networks, they necessarily introduce more security bugs," said John R. Levine, author of Internet for Dummies, to The Washington Post.

These Internet Service Providers subvert the Domain Name System (DNS), which translates website names into numeric addresses, whenever users type a web address that does not exist. Instead of receiving an error page, users are bounced to an ads page served by a British company called Barefruit, which pretends to be the non-existent domain while delivering the ads.

Because Barefruit failed to screen for rogue JavaScript code, hackers were able to create fraud sites that appeared to belong to, and looked exactly like, eBay, for example. Earthlink, Qwest and Verizon have outsourced at least portions of their ad-serving technology to Barefruit, thus exposing their customers to massive security risks.
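The redirect described above works by answering a name lookup that should fail (NXDOMAIN) with the ad server's address instead, so any non-existent name, including a mistyped or invented subdomain of a real site, ends up at that server; a script injection bug there then runs in the context of the impersonated site. The check below is an added example, not code from the article or from any of the companies named: it resolves random, freshly generated labels under a few IANA-reserved parent domains and looks at whether the resolver hands back an address at all. A single zone answering for random children is most likely that zone's own wildcard record; the same address coming back for random names under unrelated zones is the signature of resolver-level substitution. The function names, the `example.com`/`.net`/`.org` probe parents and the pluggable `resolve` callback are all assumptions made for this example.

```python
import secrets
import socket
from typing import Callable, Dict, Optional, Set

# IANA-reserved domains, used here only as parents for random labels
# that are not expected to exist (assumption: none of them carries a wildcard).
PROBE_PARENTS = ("example.com", "example.net", "example.org")

# A resolver takes a hostname and returns an IPv4 string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def system_resolve(name: str) -> Optional[str]:
    """Resolve with the operating system's resolver; None stands for 'no such name'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_label(parent: str) -> str:
    """Build a name that should not exist, e.g. 'nx-3fa9c1e27b04.example.com'."""
    return f"nx-{secrets.token_hex(6)}.{parent}"


def probe(resolve: Resolver = system_resolve,
          parents=PROBE_PARENTS, per_parent: int = 3) -> Dict[str, Set[str]]:
    """For every parent zone, resolve several random children and keep any addresses returned."""
    results: Dict[str, Set[str]] = {}
    for parent in parents:
        answers: Set[str] = set()
        for _ in range(per_parent):
            ip = resolve(random_label(parent))
            if ip is not None:
                answers.add(ip)
        results[parent] = answers
    return results


def classify(results: Dict[str, Set[str]]) -> str:
    """Interpret the probe results.

    'clean'                : every random name got NXDOMAIN, as it should
    'domain-wildcard'      : only some zones answered (their own *.zone record, not the ISP)
    'nxdomain-substitution': every zone answered with the same address(es), i.e. the
                             resolver is replacing NXDOMAIN for unrelated zones
    'inconclusive'         : every zone answered, but with different addresses
    """
    answered = {p: ips for p, ips in results.items() if ips}
    if not answered:
        return "clean"
    if len(answered) < len(results):
        return "domain-wildcard"
    first = next(iter(answered.values()))
    if all(ips == first for ips in answered.values()):
        return "nxdomain-substitution"
    return "inconclusive"


def check(resolve: Resolver = system_resolve) -> str:
    """Run the probes against the given resolver and return the verdict string."""
    return classify(probe(resolve))


if __name__ == "__main__":
    # Uses the real system resolver; needs network access.
    print(check())
```

Run it on a machine behind the ISP's resolver and again with a known-good resolver configured; a verdict of `nxdomain-substitution` on the former and `clean` on the latter is the condition the article describes. Because the labels are random on every run, cached answers from an earlier test cannot mask the result.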

"This kind of practice means the security of the Web is being limited to the security of this ad server," Kaminsky told Security Fix on Friday. "My work is to secure the Web and other computer infrastructure, but this becomes near impossible when other people are injecting content into domains that I am professionally trying to secure," he said.

The British ad company fixed its security holes after being notified by IOActive security staff.