Slashdot Mirror

← Back to Stories (view on slashdot.org)

Webmail and Online Banks Targeted By Phishing Proxies

Posted by timothy on from the my-credit-union-won't-even-work-with-mint.com dept.

An anonymous reader writes "Netcraft confirms a recent increase in the number of malicious proxy auto-config (PAC) scripts being used to sneakily route webmail and online banking traffic through rogue proxy servers. The scripts are designed to only proxy traffic destined for certain websites, while all other traffic is allowed to go direct. If the proxy can force the user to keep using HTTP instead of HTTPS, the fraudsters running these attacks can steal usernames, passwords, session cookies and other sensitive information from online banking sessions."

6 of 50 comments (clear)

  1. Why HTTP? by AK+Marc · · Score: 4, Insightful

    Why bother with HTTP? Plenty of malware gets signed certs. If you are messing with malware, change the root certs on the machine (assuming your malware installing the proxy has root), and use HTTPS to www.citibank.com. The user won't know the difference. It'll show up as a valid cert to the right domain, and the proxy can re-encrypt it and use the unencrypted username and password submitted to it. Plenty of corporates do this and have the ability to sniff 100% of employee traffic, even encrypted, because it's all signed and trusted certs, there will be no warnings, though you can inspect the cert for trusted sites, and you'd have to verify DNS or certs for every secure site, which breaks all the usability models. If it takes root to get the malware on in the first place, the hackers screwed up big if they didn't make it work for HTTPS.

    --
    Learn to love Alaska
    1. Re:Why HTTP? by karnal · · Score: 4, Insightful

      Path of least resistance at this point. What's easier, getting a malicious PAC script installed, or getting the same PAC script installed as well as having a user sign off on an invalid certificate?

      Admittedly, getting someone to blindly click "yes" to accept the bad certificate isn't difficult, but if it doesn't pop at all - all the better for the malicious person on the other end.

      --
      Karnal
    2. Re:Why HTTP? by Anonymous Coward · · Score: 2, Insightful

      Why redirect the traffic at all? Why not just use a key logger and grab credentials that way? Most banks and webmail don't use two factor authentication.

    3. Re:Why HTTP? by manu0601 · · Score: 3, Insightful

      Why bother with HTTP? Plenty of malware gets signed certs.

      The attack described here does not involve malware. On WPAD requests seen on DHCP or DNS, just inject a WPAD reply with a malicious PAC script and you are done.

  2. My problem with session cookies... by bogaboga · · Score: 1, Insightful

    I have an issue with the so called, "session cookies."

    While they are a part of online the presence, non of their behavior would be stomached in actual day-to-day life.
    So the issue is that we've got two set's of paradigms. An online one where you can be tracked by default and a real life
    one where you have to be explicitly informed if one is to monitor your every activity.

    Sad, indeed.

  3. Warhol Billionaires by retroworks · · Score: 4, Insightful

    In the future, everyone will be a billionaire for 15 minutes, until their ill-gained 15 minute life savings is phished by the next billionaire. The bank account hijack will rotate around and around, shared by everyone in the world, boosting all our credit ratings... momentarily.

    --
    Gently reply