Cybercriminals have apparently been taking advantage of proxy auto-configuration in Web browsers that I've read...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
is similar to the DNSChanger malware. Could you explain how such an attack works? How can browsers be secured against such an attack?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Proxy auto-config functionality is used by some networks to automatically configure a Web proxy for systems on the network. Some popular Web browsers have functionality that allows them to check a certain local website (e.g., wpad.domainname.com) to download a configuration file. These config files are used to set information about Web proxies so that Web browsers are able to connect to the Internet through a proxy. If a browser is auto-configured to use a malicious proxy, users could be redirected to malware-laden Web pages, or their Web traffic could be inspected by malicious actors. Some Web proxies are even capable of inspecting HTTPS traffic, which could even put encrypted Web traffic at risk.
When using a Web browser, it is difficult to know if a WPAD file is in use for auto-configuring your systems, so identifying a malicious proxy would be difficult. To identify if or what proxy is used, inspect the IP traffic to see if the HTTP connection goes directly to the legitimate website or through a different IP. You can also use netstat to look for open network connections.
The simplest defenses against proxy auto-config malware are to just disable the proxy auto-config settings or set up a legitimate WPAD file with direct access to the correct proxy. In the future, browser vendors could use signed proxy auto-config files much like application whitelisting uses signed files, though even signed configs could be compromised if an attacker was able to reconfigure a system to trust the new configuration file.
Dig Deeper on Web Browser Security
Related Q&A from Nick Lewis
An HTTPS session with a reused nonce is vulnerable to the Forbidden attack. Expert Nick Lewis explains how the attack works, and how to properly ...continue reading
The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS ...continue reading
APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.