Slashdot Mirror
Webmail and Online Banks Targeted By Phishing Proxies
An anonymous reader writes "Netcraft confirms a recent increase in the number of malicious proxy auto-config (PAC) scripts being used to sneakily route webmail and online banking traffic through rogue proxy servers. The scripts are designed to only proxy traffic destined for certain websites, while all other traffic is allowed to go direct. If the proxy can force the user to keep using HTTP instead of HTTPS, the fraudsters running these attacks can steal usernames, passwords, session cookies and other sensitive information from online banking sessions."
Why bother with HTTP? Plenty of malware gets signed certs. If you are messing with malware, change the root certs on the machine (assuming your malware installing the proxy has root), and use HTTPS to www.citibank.com. The user won't know the difference. It'll show up as a valid cert to the right domain, and the proxy can re-encrypt it and use the unencrypted username and password submitted to it. Plenty of corporates do this and have the ability to sniff 100% of employee traffic, even encrypted, because it's all signed and trusted certs, there will be no warnings, though you can inspect the cert for trusted sites, and you'd have to verify DNS or certs for every secure site, which breaks all the usability models. If it takes root to get the malware on in the first place, the hackers screwed up big if they didn't make it work for HTTPS.
Learn to love Alaska
In the future, everyone will be a billionaire for 15 minutes, until their ill-gained 15 minute life savings is phished by the next billionaire. The bank account hijack will rotate around and around, shared by everyone in the world, boosting all our credit ratings... momentarily.
Gently reply
It'd be nice if one could bypass the various CA's and enforce HTTP Strict Transport Security (HSTS) as well. I could then have an unlimited number of certificates for my domain and sub-domains. I would see that owning the .com or whatever domain would go up in price though since Verisign and others still want their money somehow and someone still signs the root somewhere.
It'd just be nice to be my own CA for my own domain anyway.
avoid banking at work? i always figured that was more secure than at my own home (shared wifi with two room mates- neither seem tech savvy, but you never know.; WPA2 but short password)
it sounds like if my room mates computers are compromised, i can get phished with the method?
A session cookie is just like a case number, it may be used to speed up communication between departments or sections of your website. Whenever I'm in a queue, there's always a ticket I hold to identify where I am in the queue, what my wait time is, possibly referenced by their third party SLA/QA company, and it could be tied to my Account Number when I get to the counter. It's stomached in real life, because it brings order to what could be chaos, and makes our lives that little bit simpler.
Secondly you must be rather naive to think permission is required to monitor your *every* activity. Through various laws, mutual sharing agreements, and straight greed, there's a wealth of information for people to gather and misuse. While they limit "personally identifiable" information, they gather everything they can and assign it their own ID. It then only takes a little homework to link the ID and your real ID together, and its just this last step which is prohibited in these privacy clauses.
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
SSL will, if correctly setup, will prevent this. Unless you click through all the warnings your browser shows regarding the sites certificate.
Get back to us when you've learnt how to spell "kernel".
Il n'y a pas de Planet B.