Cybercriminals have apparently been taking advantage of proxy auto-configuration in Web browsers that I've read...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
is similar to the DNSChanger malware. Could you explain how such an attack works? How can browsers be secured against such an attack?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Proxy auto-config functionality is used by some networks to automatically configure a Web proxy for systems on the network. Some popular Web browsers have functionality that allows them to check a certain local website (e.g., wpad.domainname.com) to download a configuration file. These config files are used to set information about Web proxies so that Web browsers are able to connect to the Internet through a proxy. If a browser is auto-configured to use a malicious proxy, users could be redirected to malware-laden Web pages, or their Web traffic could be inspected by malicious actors. Some Web proxies are even capable of inspecting HTTPS traffic, which could even put encrypted Web traffic at risk.
When using a Web browser, it is difficult to know if a WPAD file is in use for auto-configuring your systems, so identifying a malicious proxy would be difficult. To identify if or what proxy is used, inspect the IP traffic to see if the HTTP connection goes directly to the legitimate website or through a different IP. You can also use netstat to look for open network connections.
The simplest defenses against proxy auto-config malware are to just disable the proxy auto-config settings or set up a legitimate WPAD file with direct access to the correct proxy. In the future, browser vendors could use signed proxy auto-config files much like application whitelisting uses signed files, though even signed configs could be compromised if an attacker was able to reconfigure a system to trust the new configuration file.
Dig Deeper on Web browser security
Related Q&A from Nick Lewis
The OurMine hacking group recently used DNS poisoning to attack WikiLeaks and take over its web address. Learn how this attack was performed from ...continue reading
Typosquatting was used by threat actors to spread malware in the NPM registry. Learn from expert Nick Lewis how this method was used and what it ...continue reading
Threat actors are using phishing email campaigns to fool users with tech support scams and fake Blue Screens of Death. Learn how these campaigns work...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.