Cybercriminals have apparently been taking advantage of proxy auto-configuration in Web browsers that I've read...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
is similar to the DNSChanger malware. Could you explain how such an attack works? How can browsers be secured against such an attack?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Proxy auto-config functionality is used by some networks to automatically configure a Web proxy for systems on the network. Some popular Web browsers have functionality that allows them to check a certain local website (e.g., wpad.domainname.com) to download a configuration file. These config files are used to set information about Web proxies so that Web browsers are able to connect to the Internet through a proxy. If a browser is auto-configured to use a malicious proxy, users could be redirected to malware-laden Web pages, or their Web traffic could be inspected by malicious actors. Some Web proxies are even capable of inspecting HTTPS traffic, which could even put encrypted Web traffic at risk.
When using a Web browser, it is difficult to know if a WPAD file is in use for auto-configuring your systems, so identifying a malicious proxy would be difficult. To identify if or what proxy is used, inspect the IP traffic to see if the HTTP connection goes directly to the legitimate website or through a different IP. You can also use netstat to look for open network connections.
The simplest defenses against proxy auto-config malware are to just disable the proxy auto-config settings or set up a legitimate WPAD file with direct access to the correct proxy. In the future, browser vendors could use signed proxy auto-config files much like application whitelisting uses signed files, though even signed configs could be compromised if an attacker was able to reconfigure a system to trust the new configuration file.
Dig Deeper on Web browser security
Related Q&A from Nick Lewis
When NSA cyberweapons went public, attackers bundled them into the EternalRocks malware. Nick Lewis takes a closer look at this new threat and ...continue reading
A Google Docs phishing attack used OAuth tokens to affect more than a million Gmail users. Nick Lewis explains how it happened, and how to defend ...continue reading
A vulnerability in Microsoft's Windows Defender antivirus tool left users open to remote code exploitation. Expert Nick Lewis explains how it ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.