Proxy auto-config attacks defeat 2-factor auth, hide using country specific content

Fraudsters have been using proxy auto-config (PAC) scripts to steal online banking credentials for several years, but as with most phishing techniques, it is inevitable for these attacks to evolve and become more effective. The latest spate of PAC attacks has achieved this by using geolocation technology to evade detection and select which targets to attack.


PAC attacks typically channel online banking traffic through rogue proxy servers, allowing fraudsters to gobble up unencrypted usernames and passwords when forms are submitted, or to hijack already-authenticated sessions by stealing session cookies. Being able to view and modify this traffic also allows two-factor authentication mechanisms such as one-time passwords to be easily defeated.

PAC scripts used in these attacks inevitably look suspicious, which highlights the fact that fraud is taking place. Consequently, it is in the fraudster's interest to stop these scripts being found by law enforcement agencies, or indeed anyone else who might be tasked with investigating or preventing the fraud.

The latest attacks use a PAC script which is hosted on a web server in the Netherlands. This server has been configured to refuse TCP connections from certain countries or locations, which could be sufficient to put an investigator off the scent – if the server simply does not appear to exist, they may not bother investigating further. Meanwhile, the remaining unblocked users will continue to fall victim to the PAC attack.

Where the server can be accessed, geolocation is also used to customise the contents of the PAC script. For example, a completely benign PAC script is returned to clients in Australia, which simply tells the victim's browser to connect directly to all websites; no proxying takes place:

Deobfuscated JavaScript from the benign PAC script

Conversely, requesting the PAC script from Japan causes the following JavaScript to be returned:

PAC attack against Japanese banking customers (contents deobfuscated for clarity)

The FindProxyForURL function specifies which hostnames should be proxied through the fraudster's server. Anyone using this proxy script will be giving the fraudster an opportunity to observe or modify all unencrypted traffic flowing between his browser and each of the specified Japanese online banking websites.

If the victim browses to a site which does not match any of these patterns, his browser will not use the proxy and will instead make a direct connection to the site. This serves to reduce the load on the fraudster's proxy server, as well as reducing the likelihood of the victim noticing something is awry. For example, if the victim performs a Google search for "what is my ip?", his browser will connect directly to google.com, causing Google to display the victim's own IP address rather than that of the fraudster's proxy.

Although online banking sites are the clear targets of these attacks, it is notable that many of these scripts, including the Japanese example, also target Facebook. The following PAC script is returned to clients in Switzerland, and proxies traffic destined for *.facebook.com, as well as several Swiss banking websites.

PAC script returned to clients in Switzerland

It was not apparent why Facebook is being targeted alongside these banks, but compromised Facebook accounts could be useful for propagating the malicious proxy scripts to other users. For example, users could be tricked into manually editing their proxy settings by following instructions posted from a trusted friend's compromised account, or persuaded by other social engineering tricks to download and run malware.

This PAC attack is still active, with Japan and Switzerland being targeted by distinct malicious scripts. Most locations are unable to connect to the Dutch PAC script server, apart from Australia and Poland, which receive an identical benign script which does not proxy any web traffic.


Poor web application security can contribute significantly to the success of these proxy-based attacks. For instance, if the session cookies used on a bank's HTTPS website are not marked with the Secure attribute, then they will be transmitted unencrypted through the fraudster's proxy if the victim subsequently makes an HTTP request to the same hostname. Such attacks are much less likely to succeed if the targeted HTTPS site uses HTTP Strict Transport Security (HSTS) to prevent the connection being downgraded to HTTP.

Netcraft's Web Application Security Testing service can identify sites that are readily vulnerable to these types of attack. Banks and other organisations can also use Netcraft's takedown service to remove malicious proxy scripts and phishing sites from the internet, while infrastructure providers can use our phishing site feed to protect their users. For more information, please contact sales@netcraft.com.