Internet banking credentials are a desired target for cybercriminals. They can be targeted with man-in-the-middle attacks or through password stealing trojans such as Fareit, Zbot or Banker. A less known, yet commonly found in South America and to a lesser extent in Russia, method to gain unauthorized access to a user’s banking credentials is through malicious Proxy Auto-Config (PAC) files. Normally, PAC files offer similar functionality to the hosts file, allowing IP/website redirection, but only for the browser. Unfortunately, they can also be used for nefarious purposes.

When a user is infected with a malicious PAC and visits an internet banking website, the browser is usually redirected to a fake website that mimics the intended banking website. This may result in credentials being stolen - or worse, online account hijacking.

The most common infection scenario is shown in figure 1 below:

 

Common infection scenario 

Figure 1: A common PAC infection scenario

A user is infected through a drive-by attack or by other malware and a malicious PAC file is installed onto their computer. When the victim visits a targeted website, their browser is redirected to a fake website that will record their login details. The infection is silent, the user is not notified of the change in configuration (see figure 5).

Our telemetry shows the following country domains are the most targeted by malicious PAC files:

Infection telemtery 

Figure 2: Countries most targeted by malicious PACs

Analysis of the malicious PAC files show that cybercriminals target mostly banking websites in Brazil and Russia, but many attacks are not limited to just online banking entities. We have also seen malicious redirection against other payment methods, such as credit cards, e-mail providers, social networking websites, antivirus products and education institutions. Our TrojanProxy:JS/Banker.gen!A description has a detailed list of the targeted entities.

One important user mitigation comes directly through the browser. What a user would experience when browsing the real website is shown below:

browser unsecure 

Figure 3: Web page without PAC redirection

browser secure 

Figure 4: Web page with malicious PAC redirection

You can see above that the original website has an authenticated certificate and appears in a green address bar. The original website is also using HTTPS (secure communication).

Any PAC file installation (legit or otherwise) can be manually checked in Internet Explorer by opening the Tools menu, then selecting Internet Options, clicking the Connection tab, and selecting LAN Settings. If you see something similar to the following picture and you didn’t install a PAC file, then you might be infected. Keep in mind that the PAC file can also be installed from the internet (using a  http:// address), not only as a local file.

Pac installed 

Figure 5: LAN setting showing a PAC file installed

Deleting the file entry in “Use automatic configuration script” (or disabling it) and the local file referenced can help mitigate an attack.

In order to deal with these malicious PAC files we have added several detections, such as TrojanProxy:JS/Banker.AC and TrojanProxy:JS/Banker.gen!A, and we will continue adding detections for any malicious PAC files we find in the wild. To better protect yourself against these threats, we recommend installing an up-to-date real-time security product, such as Microsoft Security Essentials.

MMPC Munich