Internet banking credentials are a high-value target for online criminals. Common attack forms that try to steal credentials or at least information are man-in-the-middle attacks and trojans that are have been designed specifically to capture credentials related to financial services and websites.
Microsoft released a warning back in February 2014 about malicious Proxy Auto-Config (PAC) redirects that can be used for that purpose as well.
A PAC file is used to select proxy servers or direct connections based on web addresses that you open in the web browser. These type of files are mostly used in corporate environments and here especially on mobile devices such as laptops.
PAC files are supported by all modern web browsers and can be loaded like other proxy servers in the network settings.
Malicious PAC files are used to redirect Internet users when they try to open sites of interest. The browser is automatically rerouted to a fake website that looks like the original site. Any information or credentials the user enters on this site are stolen and may be used for malicious activities or to steal online accounts.
Users can be infected through various means, from drive-by attacks and malware to local attacks that plant the PAC file directly on the system.
According to Microsoft's study, malicious PAC files are predominantly used in Brazil, Russia, the UK and Australia.
While many attacks target banking websites, Microsoft notes that other services are also targeted, including other payment providers, email providers, or social networking sites.
Depending on which web browser you are using, you find the PAC files listed in a different location and menu.
Internet Explorer and browsers that use IE network settings (like Google Chrome)
Note: You can configure from within Chrome's settings, but you will be redirected to the Internet Options when you do.
The Firefox web browser
Use a third party program
Phrozensoft has published the Auto Config Risk Protector application for Windows today which checks Internet Explorer's proxy settings for you to notify you when a PAC file is being used.
Simply run the program and click on the scan button afterwards. The application will either report that there is no PAC file in use, or that it has found one. If that is the case, the address of it is displayed to you with options to keep it or remove it instead.
Advertisement
Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.
Comodo’s free firewall have a feature that routes your traffic through their own ip table. Of course, there is a privacy concern there. But it does stop these kind of hacks.
Martin,
Thanks.
Mini toolbox By Farbar will do the same thing.
MiniToolBox detects Internet connection issues due to broken or hijacked LSP, proxy settings, and problems with network adapters. It can also be used to detecte search redirections and router hijackings.
The tool has some additional feature like flushing DNS cache, listing installed programs, listing devices in the Devices Manager, enumerating the last 10 Event Viewer errors, enumerating drives, and content of Hosts file.
http://www.bleepingcomputer.com/download/minitoolbox/
An attacker could develop an application that will listen to the UDP 137 port and answer to all WPAD queries with the address of the attacker s webserver. The webserver, in turn, could provide a malicious PAC file that directs victim browsers to use specific proxy servers to connect to websites of interest to the attacker.