
Beware of phishing scam through browser proxy configuration

Release Date: 29 Jan 2015

HKCERT receives reports of phishing sites hosted in Hong Kong from time to time. Among those targeting Brazilian banks, we observed that some of the phishers used a proxy server as a cover to prevent victims or investigators from detecting the scam.


As the name ‘proxy server’ implies, it is a middleman sitting between the visitor and the destination website. Common uses of a proxy include caching website content to speed up responses, or restricting access to inappropriate websites in office or campus environments. The phishing scam we came across used the configuration shown below.


The phishers infected a victim machine with malware, which in turn hijacked the browser's ‘automatic proxy configuration’ setting (the PAC configuration file URL). The advantage of a proxy configuration URL, from the phisher's point of view, is that the proxy rules can be changed centrally and the changes propagate to all infected victim machines. When a victim visited the legitimate URL of a bank or webmail website, the proxy configuration redirected the request to a phishing site.


The best way of prevention is to install an anti-malware application and keep the system and browsers up to date. We also warn users who configure arbitrary proxies in the browser in order to access media content outside Hong Kong: this is risky because the proxy server can be hijacked to redirect users to malicious websites.


Because the proxy presents a phishing site even when the victim inputs a legitimate URL, the user needs to be more careful to detect it. Since the phisher's proxy presents an invalid certificate that does not belong to the legitimate domain, the browser will alert the user with a ‘crossed lock’ icon like the one below.


To check whether you are accessing websites through a proxy server, you can refer to the following URL:

http://www.lagado.com/proxy-test