
Rogue proxies hijack HTTPS traffic

Malware researchers from Microsoft have spotted a new kind of attack which abuses web proxy configuration in browsers and operating systems to steal user data.

The attack configures the browser to use a web proxy controlled by the attackers. Because the attack also installs a self-signed root certificate on the system, the attackers can snoop on encrypted HTTPS traffic as it passes through their proxy servers.

The attackers send the target a spam e-mail carrying a .docx attachment posing as a document such as an invoice. When the user allows its content to run, it executes malicious JavaScript whose purpose is to launch several PowerShell scripts. PowerShell is a scripting environment built into Windows that allows the automation of administrative tasks.

One of the PowerShell scripts installs a self-signed root certificate, which is later used to monitor HTTPS traffic. Another script adds the same certificate to Mozilla Firefox, which keeps its own certificate store separate from the one in Windows. The third script installs a client that connects the computer to the Tor network, because the attackers serve the proxy configuration file from a .onion address. The proxy setting in the registry is modified to point to that .onion address, which lets the attackers easily change the proxy server in future if the current one is taken offline.

Once the system is fully infected and all web traffic, including HTTPS, can be read by the proxy server, the attackers can redirect, modify and monitor that traffic, and sensitive user information can be stolen without the owner's knowledge.
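A defender-side check for the two persistence points described above, the per-user proxy configuration in the registry and the Windows root certificate stores, as an added PowerShell example that is not from the original post or from Microsoft's report. The `.onion` pattern, the 30-day age threshold and the function name `Get-RogueProxyIndicators` are assumptions; Firefox's separate store is not covered here.

```powershell
# Added example (not from the original post): audit a Windows host for the
# artifacts a rogue-proxy infection leaves behind. Returns a list of findings.
function Get-RogueProxyIndicators {
    param(
        [int]$MaxRootAgeDays = 30   # assumption: tune to your fleet's own CA rollout cadence
    )
    $findings = @()

    # 1. Proxy configuration. WinINet keeps the per-user proxy settings here.
    #    A PAC file (AutoConfigURL) or explicit ProxyServer on a .onion host is
    #    never part of a legitimate configuration; any proxy at all is reported
    #    so an analyst can compare it with the organisation's known proxies.
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $inetKey
    foreach ($name in 'AutoConfigURL', 'ProxyServer') {
        $value = $inet.$name
        if (-not $value) { continue }
        $severity = if ($value -match '\.onion(\W|$)') { 'High' } else { 'Info' }   # pattern is an assumption
        $findings += [pscustomobject]@{ Severity = $severity; Type = 'Proxy'; Name = $name; Detail = $value }
    }

    # 2. Root certificates. Every root is self-signed, so "self-signed" alone is
    #    not a signal. A freshly generated root has a recent NotBefore date,
    #    whereas vendor and enterprise roots are normally years old, so recently
    #    issued roots in either store are worth a second look.
    $cutoff = (Get-Date).AddDays(-$MaxRootAgeDays)
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        foreach ($cert in Get-ChildItem -Path $store) {
            if ($cert.NotBefore -gt $cutoff) {
                $findings += [pscustomobject]@{
                    Severity = 'Medium'
                    Type     = 'RootCert'
                    Name     = $cert.Subject
                    Detail   = "$store Thumbprint=$($cert.Thumbprint) NotBefore=$($cert.NotBefore)"
                }
            }
        }
    }
    return $findings
}

# Usage: print the findings, or a short message when nothing stands out.
$result = Get-RogueProxyIndicators
if ($result) { $result | Format-Table -AutoSize } else { 'No proxy or recent root certificate findings.' }
```

Run it as the affected user, since the proxy settings are stored under HKCU; the certificate thumbprints it reports can then be checked against the CAs your organisation actually deploys.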

A similar attack from Brazil was reported where the attackers installed rogue proxies to hijack an online banking website.

The credentials can be stolen even when the user is accessing the websites over encrypted HTTPS or VPN connections.