Cybercriminals have apparently been taking advantage of proxy auto-configuration in Web browsers that I've read...
is similar to the DNSChanger malware. Could you explain how such an attack works? How can browsers be secured against such an attack?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Proxy auto-config functionality is used by some networks to automatically configure a Web proxy for systems on the network. Some popular Web browsers have functionality that allows them to check a certain local website (e.g., wpad.domainname.com) to download a configuration file. These config files are used to set information about Web proxies so that Web browsers are able to connect to the Internet through a proxy. If a browser is auto-configured to use a malicious proxy, users could be redirected to malware-laden Web pages, or their Web traffic could be inspected by malicious actors. Some Web proxies are even capable of inspecting HTTPS traffic, which could even put encrypted Web traffic at risk.
When using a Web browser, it is difficult to know if a WPAD file is in use for auto-configuring your systems, so identifying a malicious proxy would be difficult. To identify if or what proxy is used, inspect the IP traffic to see if the HTTP connection goes directly to the legitimate website or through a different IP. You can also use netstat to look for open network connections.
The simplest defenses against proxy auto-config malware are to just disable the proxy auto-config settings or set up a legitimate WPAD file with direct access to the correct proxy. In the future, browser vendors could use signed proxy auto-config files much like application whitelisting uses signed files, though even signed configs could be compromised if an attacker was able to reconfigure a system to trust the new configuration file.
Dig Deeper on Web Browser Security
Related Q&A from Nick Lewis
Latentbot malware has layers of obfuscation that makes it hard to detect. Expert Nick Lewis explains how its process works, beginning with a phishing...continue reading
A hard to detect type of Linux malware, Rekoobe, can download files to user systems. Expert Nick Lewis explains the malware's key functionality and ...continue reading
Pro POS, a new type of POS malware, has simple operations and is easy to obtain. How was it so successful against businesses? Expert Nick Lewis ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.