=====[BEGIN-SCL-REPORT]=====
________________________________________________________________________
Scovetta Labs Security Advisory

Title:    Phishing Protection via proxy.pac
Status:   Public Release
Date:     2005-02-26
________________________________________________________________________

Package:       Web Browsers
Priority:      Medium
Vulnerability: Phishing Attacks

Background:
===========
Phishing attacks have become very common in recent months. Without a complete solution, many users can be tricked into revealing their customer information. I describe an approach that can be applied by anyone with a web browser, with very little overhead, and with a very fast reaction time to new threats.

Description:
============
A "proxy.pac" file is a JavaScript file that is executed each time the user loads a web page. It was meant to be used to determine whether a URL is on a local network (as opposed to requiring the request to pass through a proxy server). We can use this functionality to prevent users from visiting known "bad" hosts or URLs.

How it Works:
=============
Below is a simple example of a proxy.pac file, which prevents users from visiting the host "202.108.69.147".

  /**
   * Anti-Phishing Scheme - by Michael Scovetta
   * Scovetta Labs
   * www.scovettalabs.com/advisory/SCL-2005.003.txt
   */
  var phishIPs = "202.108.69.147"; // example of a threat host

  // Called by the browser for every request; "host" is the host name
  // part of "url". A substring match against phishIPs sends the request
  // to a proxy that does not exist; everything else goes out directly.
  function FindProxyForURL(url, host) {
    if (host != null && host.indexOf(phishIPs) != -1)
      return "PROXY 127.0.0.1:9999";
    else
      return "DIRECT";
  }

As you can see, when a user accesses a site that is defined in the "phishIPs" variable, the function returns the string "PROXY 127.0.0.1:9999", which tells the web browser to attempt to contact the site through a local proxy server running on port 9999. Since the user (most likely) does not have a proxy server running on that port, the web browser fails to load the URL.
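The same scheme carried a step further, added here as an example and not the advisory's own antiphish.pac: the blocklist is an array rather than one string, and a host is blocked only when it equals an entry or is a subdomain of it, so the substring behaviour of indexOf (where "202.108.69.1470" would also match "202.108.69.147") is avoided. The domain "phish.example" is a constructed placeholder; the sinkhole proxy address is the one the advisory uses.

```javascript
// Constructed blocklist for this example; "phish.example" is a placeholder,
// "202.108.69.147" is the advisory's own example threat host.
var BLOCKED_HOSTS = [
  "202.108.69.147",
  "phish.example"
];

// A proxy the user is assumed not to run, so requests sent to it fail
// instead of reaching the blocked host (same address as the advisory).
var SINKHOLE = "PROXY 127.0.0.1:9999";

// True when host equals entry, or ends with "." + entry (a subdomain).
// Written in ES3 style because PAC engines predate modern JavaScript.
function hostMatches(host, entry) {
  host = host.toLowerCase();
  entry = entry.toLowerCase();
  if (host === entry) return true;
  var suffix = "." + entry;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// Walk the blocklist; a null host (some browsers pass it for odd URLs)
// is never blocked, matching the null check in the advisory's code.
function isBlockedHost(host) {
  if (host == null) return false;
  for (var i = 0; i < BLOCKED_HOSTS.length; i++) {
    if (hostMatches(host, BLOCKED_HOSTS[i])) return true;
  }
  return false;
}

// Entry point the browser calls for every request. The decision rests
// on the host name alone, so "url" is unused here.
function FindProxyForURL(url, host) {
  return isBlockedHost(host) ? SINKHOLE : "DIRECT";
}
```

Saved as antiphish.pac and pointed to from the browser's automatic-configuration setting, this file behaves exactly like the advisory's, except that only listed hosts and their subdomains are sent to the sinkhole.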
Setup:
======
Internet Explorer:
  Tools--Internet Options--Connections--LAN Settings
  Click "Use automatic configuration script"
  Set the address to: http://www.scovettalabs.com/download/antiphish.pac
  Click OK--OK
  Restart your browser

Firefox:
  Tools--Options--General--Connection Settings
  Click "Automatic proxy configuration URL:"
  Set the address to: http://www.scovettalabs.com/download/antiphish.pac
  Click Reload
  Click OK--OK

Alternatively, you can download the antiphish.pac file from Scovetta Labs and access it locally (file://c:/antiphish.pac).

New Threats:
============
The antiphish.pac file will be updated as new "bad" IP addresses are discovered. IP addresses will be removed when they are verified to be clean.

In order for this to work, I need the help of the community. Since phishers tend to send out many, many emails, you can help by reporting IP addresses to me via:

  http://www.scovettalabs.com/apps/phishing/

Alternatively, you can forward the phishing emails to me at:

  phishing@scovettalabs.com

As more people use antiphish.pac, I will eventually have it automatically update as new IP addresses are discovered.

Revision History
================
2005-02-26: Public Release [1]

Credits:
========
Credit to Michael V. Scovetta.

References:
===========
[1] http://www.scovettalabs.com/advisory/SCL-2005.003.txt
[2] http://www.scovettalabs.com/download/antiphish.pac
[3] http://www.scovettalabs.com/apps/phishing/

Disclaimer
==========
The content of this report is purely informational and meant only for the purpose of education and protection. Scovetta Labs and Michael Scovetta shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. All identifiers (hostnames, IP addresses, company names, individual names etc.) used in examples and demonstrations are used only for explanatory purposes and have no connection with any real host, company or individual.
In no event should it be assumed that use of these names means specific hosts, companies or individuals are vulnerable to any attacks, nor does it mean that they consent to being used in any vulnerability tests. The use of information in this report is entirely at the user's risk.

Copyright
=========
(c) 2005 Michael Scovetta. Forwarding and publishing of this document is permitted providing the content between the "[BEGIN-SCL-REPORT]" and "[END-SCL-REPORT]" marks remains unchanged.

=====[END-SCL-REPORT]=====