- Jan 8, 2011
Read More >> TechNet: Malicious Proxy Auto-Config redirection
Internet banking credentials are a desired target for cybercriminals. They can be targeted with man-in-the-middle attacks or through password-stealing trojans such as Fareit, Zbot or Banker. A less well-known method of gaining unauthorized access to a user's banking credentials, commonly found in South America and to a lesser extent in Russia, is the use of malicious Proxy Auto-Config (PAC) files. Normally, PAC files offer functionality similar to the hosts file, allowing IP/website redirection, but only for the browser. Unfortunately, they can also be used for nefarious purposes.
When a user is infected with a malicious PAC and visits an internet banking website, the browser is usually redirected to a fake website that mimics the intended banking website. This may result in credentials being stolen - or worse, online account hijacking.
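As an added example (not part of the TechNet post or this thread), the following JavaScript audits a PAC file offline: it evaluates the file's FindProxyForURL against a list of hostnames and reports every host that would not be routed DIRECT, which is exactly the kind of selective redirection the post describes. The PAC source, the bank hostnames and the proxy address (198.51.100.23, from the documentation range) are all constructed for the example; the two helper functions are minimal stand-ins for the ones browsers expose to PAC scripts.

```javascript
// Added example: offline audit of a PAC file for per-host redirection.
// Everything below (PAC text, hostnames, proxy address) is constructed.

// Minimal stand-ins for the helpers a browser exposes to PAC scripts.
// Real PAC runtimes offer more (isInNet, myIpAddress, ...); these two are
// enough to run the sample and the audit.
const pacHelpers = {
  // Shell-style wildcard match: '*' matches any run, '?' a single char.
  shExpMatch(str, pattern) {
    const escaped = pattern
      .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
      .replace(/\*/g, '.*')
      .replace(/\?/g, '.');
    return new RegExp('^' + escaped + '$').test(str);
  },
  // True when host ends with the given domain suffix.
  dnsDomainIs(host, domain) {
    return host.endsWith(domain);
  },
};

// Constructed PAC in the style the post describes: only selected banking
// hosts are sent to a proxy, everything else goes DIRECT so the victim
// notices nothing on ordinary sites.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.examplebank.test") ||
      dnsDomainIs(host, "otherbank.test")) {
    return "PROXY 198.51.100.23:8080";
  }
  return "DIRECT";
}
`;

// Compile PAC source in a scope that provides the helper functions and
// hand back its FindProxyForURL.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + '\nreturn FindProxyForURL;');
  return factory(...names.map((n) => pacHelpers[n]));
}

// Evaluate the PAC for each host (as an HTTPS URL) and collect every
// decision that is not DIRECT. A banking host appearing here means the
// browser would hand the connection to whatever the PAC names.
function auditPac(source, hosts) {
  const findProxy = loadPac(source);
  const findings = [];
  for (const host of hosts) {
    const decision = String(findProxy('https://' + host + '/', host)).trim();
    if (decision.toUpperCase() !== 'DIRECT') {
      findings.push({ host, decision });
    }
  }
  return findings;
}

// Constructed watch-list: the hosts a defender cares about plus a control.
const SAMPLE_HOSTS = [
  'www.examplebank.test',
  'login.otherbank.test',
  'examplebank.test',
  'www.example.com',
];

// Usage: print the hosts that would be redirected.
for (const f of auditPac(SAMPLE_PAC, SAMPLE_HOSTS)) {
  console.log(`${f.host} -> ${f.decision}`);
}
```

Running this against a PAC collected from an infected machine (or the one a proxy setting points at) gives a quick answer to the question that matters: which sites, if any, are singled out for redirection. A legitimate corporate PAC typically routes whole address ranges or everything through the proxy; a short list of bank hostnames with everything else DIRECT is the pattern worth investigating.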
The most common infection scenario is shown in figure 1 below:
One important mitigation is visible to the user directly in the browser. What a user would experience when browsing the real website is shown below:
Figure 3: Web page without PAC redirection
Figure 4: Web page with malicious PAC redirection
You can see above that the original website has a validated certificate and is shown with a green address bar. The original website is also using HTTPS (secure communication).