
Web proxies in browsers and OSs can be abused to steal user data


August 30, 2016

Security software engineers have recently underscored how various web proxy configurations in web browsers and operating systems can be easily abused by hackers to steal sensitive user information, and it appears that these security issues are escalating rapidly.

A new attack detected and analyzed by malware researchers at Microsoft uses Word documents with malicious code that doesn't install traditional malware, but instead configures various browsers to use a web proxy controlled by hackers.

In addition to deploying rogue proxy settings, the attack also installs a self-signed root certificate on the system so that attackers can snoop on encrypted HTTPS traffic as it passes through their proxy servers.

The attacks start with spam emails that carry a .docx attachment. When opened, the document displays an embedded element resembling an invoice or receipt. If clicked and allowed to run, the embedded object executes malicious JavaScript code.

The JavaScript code is of course obfuscated, but its purpose is to drop and execute several PowerShell scripts.

PowerShell is a scripting environment built into the Windows operating system that allows the automation of various administrative tasks.

One of the PowerShell scripts deploys a self-signed root certificate that will later be used to monitor HTTPS traffic. Another script then adds the same certificate to the Mozilla Firefox browser, which uses a separate certificate store than the one found in Windows.

Then (if that wasn't enough) a third script installs a client that allows the computer to connect to the Tor anonymity network! That's because the attackers use a Tor .onion website to serve the proxy configuration file. This was carefully thought out by the miscreants responsible for these attacks, and they know what they are doing.

The system's proxy auto-config setting is then modified in the Windows registry to point to the Tor .onion address. This allows attackers to easily change the proxy server in the future if it's taken offline by internet security researchers.

"At this point, the system is fully infected and the web traffic, including HTTPS, can be seen by the proxy server it assigned," the Microsoft researchers said.

"This enables potential attackers to remotely redirect, modify and/or monitor internet traffic. Sensitive data or web credentials could be stolen remotely and without user awareness," the research team asserted.

Another research team, this time from the SANS Internet Storm Center, recently reported a similar attack vector from Brazil, where hackers installed rogue proxies on computers in order to hijack traffic to an online banking website.

A rogue root CA certificate was deployed in that case in order to bypass HTTPS encryption.

At the 2016 DEF CON and Black Hat security conferences a few weeks ago, several internet security researchers demonstrated how 'man-in-the-middle' attackers can easily abuse the Web Proxy Auto-Discovery (WPAD) protocol to remotely hijack people's online accounts and steal their sensitive data, even when those users access websites over encrypted HTTPS or even supposedly secure VPN connections.
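Every step of the infection chain described above leaves an artefact a defender can look for on the host: a proxy auto-config URL in the user's Internet Settings registry key, a freshly added root certificate in the Windows stores, a modified Firefox trust database, and a running Tor client. The PowerShell audit below is an added example written for this article; it is not code from Microsoft's report or from the researchers quoted here. It assumes an elevated session on a Windows machine, a caller-supplied baseline of known-good root thumbprints (empty by default, in which case only recently issued roots are flagged), and the standard Firefox profile location under $env:APPDATA. The WPAD check reads the AutoDetect value, which mirrors the "Automatically detect settings" checkbox in the Internet Options dialog.

```powershell
# Added example: audit a Windows host for the rogue-proxy artefacts discussed
# in the article. Run from an elevated PowerShell session.
# Assumptions (not from the article): $KnownGoodRootThumbprints is a baseline
# captured on a clean machine; "recent" means the last $RecentDays days.
param(
    [string[]]$KnownGoodRootThumbprints = @(),
    [int]$RecentDays = 30
)

$findings = @()
function Add-Finding([string]$Severity, [string]$Check, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Severity = $Severity; Check = $Check; Detail = $Detail }
}
$cutoff = (Get-Date).AddDays(-$RecentDays)

# 1. Proxy settings for the current user (WinINet, used by IE/Edge and most apps).
#    The attack sets AutoConfigURL to a Tor .onion address.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p.AutoConfigURL) {
    $sev = if ($p.AutoConfigURL -match '\.onion') { 'HIGH' } else { 'INFO' }
    Add-Finding $sev 'PAC URL configured' $p.AutoConfigURL
}
if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
    Add-Finding 'INFO' 'Static proxy configured' $p.ProxyServer
}
if ($p.AutoDetect -eq 1) {
    # WPAD auto-discovery on: the host will accept a PAC file from the network.
    Add-Finding 'MEDIUM' 'WPAD auto-detect enabled' 'AutoDetect=1'
}

# 2. Root certificates that are newly issued or absent from the baseline.
#    A self-signed root dropped by malware is what makes the HTTPS interception work.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in Get-ChildItem $store -ErrorAction SilentlyContinue) {
        $recent  = $cert.NotBefore -gt $cutoff
        $unknown = $KnownGoodRootThumbprints.Count -gt 0 -and
                   $cert.Thumbprint -notin $KnownGoodRootThumbprints
        if ($recent -or $unknown) {
            Add-Finding 'HIGH' "Suspicious root CA in $store" `
                "$($cert.Subject) [$($cert.Thumbprint)] NotBefore=$($cert.NotBefore)"
        }
    }
}

# 3. Firefox keeps its own trust store (cert9.db, older profiles cert8.db), which
#    the attack modifies separately. PowerShell cannot parse NSS databases, so a
#    recently written database is flagged for inspection with NSS certutil.
$ffDbs = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\cert*.db" -ErrorAction SilentlyContinue
foreach ($db in $ffDbs) {
    if ($db.LastWriteTime -gt $cutoff) {
        Add-Finding 'MEDIUM' 'Firefox certificate DB recently modified' $db.FullName
    }
}

# 4. A Tor client is needed to reach the .onion host serving the PAC file.
if (Get-Process -Name tor -ErrorAction SilentlyContinue) {
    Add-Finding 'HIGH' 'Tor client process running' 'tor.exe'
}
$torPort = Get-NetTCPConnection -LocalPort 9050 -State Listen -ErrorAction SilentlyContinue
if ($torPort) {
    Add-Finding 'MEDIUM' 'Listener on default Tor SOCKS port' "PID $($torPort.OwningProcess)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No rogue-proxy artefacts found.'
} else {
    $findings | Sort-Object Severity | Format-Table -AutoSize
}
```

Any HIGH finding is worth treating as an incident rather than a misconfiguration: clearing AutoConfigURL and deleting the certificate removes the interception, but the scripts that installed them may run again, so the originating document and PowerShell execution history should be examined as well.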

Source: Microsoft.
