Cybercriminals have apparently been taking advantage of proxy auto-configuration in Web browsers that I've read is similar to the DNSChanger malware. Could you explain how such an attack works? How can browsers be secured against such an attack?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Proxy auto-config functionality is used by some networks to automatically configure a Web proxy for systems on the network. Some popular Web browsers have functionality that allows them to check a certain local website (e.g., wpad.domainname.com) to download a configuration file. These config files are used to set information about Web proxies so that Web browsers are able to connect to the Internet through a proxy. If a browser is auto-configured to use a malicious proxy, users could be redirected to malware-laden Web pages, or their Web traffic could be inspected by malicious actors. Some Web proxies are even capable of inspecting HTTPS traffic, which could even put encrypted Web traffic at risk.
When using a Web browser, it is difficult to know if a WPAD file is in use for auto-configuring your systems, so identifying a malicious proxy would be difficult. To identify if or what proxy is used, inspect the IP traffic to see if the HTTP connection goes directly to the legitimate website or through a different IP. You can also use Netstat to look for open network connections.
The simplest defenses against proxy auto-config malware are to just disable the proxy auto-config settings or set up a legitimate WPAD file with direct access to the correct proxy. In the future, browser vendors could use signed proxy auto-config files much like application whitelisting uses signed files, though even signed configs could be compromised if an attacker was able to reconfigure a system to trust the new configuration file.
Dig Deeper on Web browser security
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading