
Weather.com Has Become the Pawn of a Data Theft Scheme - eaguyhn
https://hackernoon.com/weathercom-has-become-the-pawn-of-a-huge-data-theft-scheme-oy5p36b9
======
jrd259
The article has no citations to back its claims. It states "researchers
also believe that this malware is being used by an organized crime ring either
to prepare for an enormous future attack on targeted users, or to sell
collected information on the dark web" with no attribution. Nor is it obvious
how battery condition or orientation would be any use to attackers or
purchasers.

~~~
floatingatoll
Seems like it could be reproduced easily by a typical HN reader. “Fetch a site
a thousand times and check the served JavaScript for weirdness” isn’t exactly
a high bar. Defining weirdness is the secret sauce for sure, though!

Battery condition and orientation are useful for fingerprinting devices,
alongside the more commonly-known canvas attacks.

_Your battery status may be used to track you online_, 98 comments (2016)
[https://news.ycombinator.com/item?id=12208880](https://news.ycombinator.com/item?id=12208880)

~~~
jlv2
Your battery status and orientation aren't going to be useful for tracking you
in a "future attack on targeted users", since by then both would have
completely changed.

~~~
floatingatoll
If the purpose is to identify you as a visitor to the site, then once they
have identified you, that goal has been met.

You're assuming that they must, in the future, _again_ identify you: that is
not at all necessary for e.g. spear phishing, blackmail, or other attacks.

------
swiley
There’s the actual NOAA page for your area which is lightweight and
_incredibly_ information dense. IMO it’s what other weather websites can
measure themselves against; it’s pretty awesome!

Also: curl wttr.in (I guess hackernews might knock that over, heh; it seems like
it’s been struggling lately.)

~~~
hadlock
Wunderground (weather underground) used to be an amazing resource before the
"Web 2.0" redesign. You could still access it as "classic.wunderground.com"
for many years right up until IBM bought them and they finally turned it off
in ~2016. There are still screenshots of it floating around. It looks like
crap, very 1999 web design but it was organically built and curated for ~15
years and quite functional compared to what they have now. Also significantly
faster IIRC.

Commercial online weather sites have really gone downhill since wunderground
classic. I have yet to see a comparable info-dense site since.

~~~
WarOnPrivacy
Spaghettimodels is my go-to.
[https://www.spaghettimodels.com/](https://www.spaghettimodels.com/)

Or at least the page for my market is.
[https://www.spaghettimodels.com/cities/orlando.htm](https://www.spaghettimodels.com/cities/orlando.htm)

------
nwsm
Summary:

weather.com uses an ad provider who gives them a malicious ad 0.1% of the time.

~~~
vorpalhex
When your customer base is 100m+, that's potentially affecting a lot of people.
It's very likely most of their users are not very technically literate, so
these kinds of attacks are very performant.

"Only 0.1% of our profit comes from pureeing children into profit!" isn't a
defense.

~~~
TheRealPomax
Certainly, but that comment basically contains all the information I needed to
move on to the next article in the HN firehose.

------
julienchastang
A meteorologist colleague informed me of
[https://www.yr.no/](https://www.yr.no/) and it has a version in English. It
is what I usually use along with weather.gov. Their short and long-term
World-Wide ECMWF forecasts are really nice as are the meteorograms. Yeah dump
weather.com.

Edit: Ohh and one more: Jeff Masters and his crew at Weather Underground
(wunderground.com). For example another nice meteorogram:
[https://www.wunderground.com/forecast/us/co/boulder/KCOBOULD...](https://www.wunderground.com/forecast/us/co/boulder/KCOBOULD425)

~~~
jlv2
Jeff Masters left wunderground last year.
[https://www.wunderground.com/cat6/Jeff-Masters-Leaving-Weath...](https://www.wunderground.com/cat6/Jeff-Masters-Leaving-Weather-Underground-November)

~~~
julienchastang
I did not know that about Jeff. I don't have the reference on my fingertips,
but it is an interesting read about how Jeff and co-founders started
wunderground.com. These guys were early internet pioneers and played a role in
the web as we know it today.

------
jlv2
This page quotes this from "Binary Defense":

_"If a user stumbles upon a webpage that has a compromised third-party
library, the malware runs checks. These checks consist of who the user agent
is, the type of device they are operating on, the level of battery it has, and
the device’s motion and orientation. After these checks are verified, the
malware will connect the infected device to a remote peer prior to
transferring the device’s IP address"_

This statement is written to make it seem like something bad is
happening. But read the statement -- it's total BS.

~~~
bestnameever
Yeah, reading that felt weird. Honestly, I'm surprised this got so much
attention on here.

------
alias_neo
> scanning the session for malware using Wireshark’s advanced malware analysis

Is this some feature of Wireshark I've never come across, or does the author
not know what they're talking about?

~~~
netsharc
I wondered the same, I made a mental note to check out this supposed feature.
But now that you've asked this question and since the author was just peddling
unsubstantiated hyperbolic horseshit in the 2nd half of the article, I'm
guessing there's no such Wireshark feature.

~~~
alias_neo
I can save you the trouble. There is no such feature. Using Wireshark FOR
advanced malware analysis is a thing, but it has no special feature built in
with that name.

It's almost like the author was given some shorthand notes and wrote them up
wrong.

We use Wireshark day in, day out at my workplace and many of us picked up on
that statement.

------
oefrha
3 out of 3267 isn’t really a big enough sample to determine the rate of
occurrence.

Also, practical advice: use an ad/content blocker.

------
LinuxBender
AFAIK most sites and news agencies in the U.S. get their data from weather.gov
[1]. I have never seen any shenanigans on that site.

[1] - [https://www.weather.gov/](https://www.weather.gov/)

------
jackallis
weather.gov - use it.

~~~
parasanti
I am still amazed weather.com exists. Go to weather.gov and get everything you
need without all the ads, tracking and bs of that other site.

~~~
jasonjayr
The folks behind weather.com are actively trying to kill weather.gov through
lobbying and other campaigns. Folks need to be made aware that their tax
dollars are already being spent on top-notch science tools by folks with a
vested interest in their safety.

~~~
MrMetlHed
They almost got their dream leader of NOAA when Trump appointed the head of
AccuWeather, Barry Meyers, to lead NOAA. He withdrew his nomination for health
reasons, but believes the government shouldn't provide any type of direct
forecasts to the public. Michael Lewis has a good write up of this in his book
The Fifth Risk.

------
ratsbane
Nothing in this article explained how this advertising could actually be
dangerous. It "collects the IP address and user agent string." Is there
something serious or not?

~~~
ssawyer06
It seems the author is assuming we normally trust legitimate ad networks with
this data, but in this case a scary third party is getting the data.

------
JohnFen
weather.com was already collecting and marketing an obscene amount of user
data anyway. That's what drove me to stop using it a while back.
Wunderground is in the same group.

This is US-specific, but what I use now is the National Weather Service's
website. It's actually really excellent.
[https://www.weather.gov/](https://www.weather.gov/)

------
jancsika
> Last year, a single malvertising campaign reached 100 million users, and
> there’s no reason attackers would pay for all that exposure unless some fish
> were biting.

But there is.

For example, an entity could have sold the malware to a rube. They would do
this by using the same "bullet proof" logic: why would they be selling a tool
that can hit 100 million users unless some fish will bite?

------
evancox100
I don't understand, that's just a notice dialog box, right? Presumably clicking
Ok just dismisses it, right?

~~~
scaglio
From what I understood from the reading, this could be an example of XSS
(cross-site scripting): we "trust" a site, but there are other connections
towards other ones, potentially malicious. So, weather(dot)com could have been
compromised and should need to run some checks.

------
mistrial9
shout out to TropicalTidbits

~~~
julienchastang
Great site, but more for severe storm and weather enthusiasts.

------
friendly_fren
Weather.com steals forecasting data from NOAA

~~~
xxpor
It's public domain information, there's no theft.

~~~
throwaway55554
Thankfully Accuweather's plans failed.

------
fred_is_fred
I trust darkweb organized crime more with my IP address, user agent, and
battery info than I do Facebook or Google.

~~~
mellavora
yes, but what about phone orientation!

~~~
mellavora
ok, actually that info is also damaging in the wrong (i.e. Google/Facebook's)
hands. ;)

------
fatnoah
I've been boycotting The Weather Channel since they started naming storms.

