Last week at BlackHat, Chema Alonso presented an unsophisticated yet powerful man-in-the-middle technique built on an anonymous proxy server. Users connecting through the proxy had their browser cache poisoned with the attackers’ script, and once that script was installed the victim’s computer became part of a botnet. The researchers could then eavesdrop on the victim’s web traffic and steal browser cookies and form data such as user credentials. This allowed them to track various criminal activities on the Internet, since anonymous proxies are often used by cyber crooks.
Now what’s impressive is the simplicity and scale. Alonso and his colleague utilized off-the-shelf open source software and wrote a couple of scripts. All they did for advertising was to list their service in one of the open proxy web catalogues. Just by doing that, they’ve got several thousand unique bot installs in a single day. Given the effectiveness and low cost of this attack, one can imagine similar techniques are used on the Internet by criminals and possibly governments and intelligence agencies to spot bad actors. Variations could range from passive harvesting of sensitive data to targeted attacks with cache poisoning and penetrating into Intranets.
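The defender's counterpart to the technique described above is to check whether a proxy hands back the same page the origin serves. The following is an added example, not code from the post or from Alonso's tooling: it compares a direct fetch with a proxied fetch of the same URL and reports the two tell-tales of cache poisoning, injected `<script>` content and an inflated cache lifetime that keeps the tampered copy in the browser. The response pairs, the 30-day "far future" threshold and the `proxy-injected.invalid` host are all constructed for the demo; nothing here touches the network.

```python
"""Added example: spot a proxy that tampers with cacheable responses.
`direct` and `proxied` are dicts with 'headers' (a plain dict) and 'body'
(bytes), as you would get from fetching one URL with and without the proxy.
All sample responses below are constructed; the script runs offline."""
import hashlib
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SCRIPT_TAG = re.compile(rb"<script\b[^>]*>", re.IGNORECASE)
MAX_AGE = re.compile(r"max-age=(\d+)", re.IGNORECASE)
FAR_FUTURE = timedelta(days=30)   # assumption: anything cached longer than this is suspicious


def header(headers, name):
    """Case-insensitive lookup in a plain header dict."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def max_age(headers):
    cc = header(headers, "Cache-Control")
    m = MAX_AGE.search(cc) if cc else None
    return int(m.group(1)) if m else None


def compare_responses(direct, proxied, now=None):
    """Return human-readable findings; an empty list means nothing looked tampered."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # 1. Body integrity: the proxied copy must hash to the same bytes as the origin's.
    if hashlib.sha256(direct["body"]).digest() != hashlib.sha256(proxied["body"]).digest():
        findings.append("body differs from direct fetch")
        extra = len(SCRIPT_TAG.findall(proxied["body"])) - len(SCRIPT_TAG.findall(direct["body"]))
        if extra > 0:
            findings.append(f"{extra} extra <script> tag(s) in proxied body")
    # 2. Cache lifetime: a poisoned object only pays off if the browser keeps it.
    d_age, p_age = max_age(direct["headers"]), max_age(proxied["headers"])
    if p_age is not None and p_age > FAR_FUTURE.total_seconds() and (d_age is None or p_age > d_age):
        findings.append(f"proxy raised max-age from {d_age} to {p_age}")
    p_exp = header(proxied["headers"], "Expires")
    if p_exp and not header(direct["headers"], "Expires"):
        try:
            if parsedate_to_datetime(p_exp) - now > FAR_FUTURE:
                findings.append(f"proxy added far-future Expires: {p_exp}")
        except (TypeError, ValueError):
            findings.append(f"proxy added unparsable Expires: {p_exp}")
    return findings


# Constructed sample: what the origin served versus what a tampering proxy served.
DIRECT = {
    "headers": {"Content-Type": "text/html", "Cache-Control": "max-age=3600"},
    "body": b"<html><head><script src='/app.js'></script></head><body>hello</body></html>",
}
PROXIED = {
    "headers": {"Content-Type": "text/html", "Cache-Control": "max-age=31536000",
                "Expires": "Thu, 01 Jan 2037 00:00:00 GMT"},
    "body": (b"<html><head><script src='/app.js'></script>"
             b"<script src='http://proxy-injected.invalid/bot.js'></script>"
             b"</head><body>hello</body></html>"),
}
SAMPLE_NOW = datetime(2010, 8, 1, tzinfo=timezone.utc)   # constructed clock for the demo


def demo():
    """Tampered pair: expect four findings."""
    return compare_responses(DIRECT, PROXIED, now=SAMPLE_NOW)


def demo_clean():
    """Identical pair: expect no findings."""
    return compare_responses(DIRECT, DIRECT, now=SAMPLE_NOW)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Run it against a list of proxies by fetching the same static page through each and passing the real responses to `compare_responses`; a proxy that rewrites only a few popular JavaScript URLs, as in the talk, will show up on those URLs and not on the HTML, so test the script resources a page loads, not just the page.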
My next test was for non-invasive monitoring. I registered several free email accounts, one primary and a set of secondary ones, and exchanged some messages between them. Then I used every proxy in the test list to log in to the primary mailbox. I created a strong password, but intentionally chose a service which sent credentials in plaintext, so a malicious proxy could easily “sniff” it. If only I were behind Juniper IPS, my plaintext password would trigger a signature and get reported even before I had started using the unsafe mailer. But not in this case, so guess what: pretty soon my fake buddies began receiving spam probes from the primary test account, a clear indication that the mailbox had been compromised.
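The IPS signature mentioned above is easy to reproduce on your own traffic. The following is an added example, not the author's tooling and not a Juniper signature: a small "credentials in the clear" detector run over a constructed capture of the kind of traffic a proxy sees, flagging HTTP form logins, HTTP Basic authorization and POP3/IMAP logins. It reports the account name with the secret redacted so the report itself does not leak the password. The sample lines, hostnames and `canaryNN` account names are all made up for the demo.

```python
"""Added example: flag credentials that cross the wire unencrypted.
Input is a list of text lines as seen on the wire (HTTP request lines,
headers and bodies, POP3/IMAP commands); the capture below is constructed."""
import base64
import binascii
import re
from urllib.parse import parse_qs

PASSWORD_KEYS = {"password", "passwd", "pass", "pwd"}
USER_KEYS = {"user", "username", "login", "email"}
BASIC_AUTH = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.IGNORECASE)
FORM_BODY = re.compile(r"^[\w.%+\-]+=")                   # looks like key=value&...
POP3_USER = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
POP3_PASS = re.compile(r"^PASS\s+(\S+)", re.IGNORECASE)
IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+(\S+)", re.IGNORECASE)


def redact(secret):
    """Keep the first character only, so an analyst can correlate without learning the secret."""
    return secret[:1] + "*" * (len(secret) - 1)


def find_plaintext_credentials(lines):
    """Return (line_no, protocol, user, redacted_secret) for each credential found."""
    findings = []
    pending_user = None          # POP3 sends USER and PASS on separate lines
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if m := BASIC_AUTH.match(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                continue
            if ":" in decoded:
                user, pw = decoded.split(":", 1)
                findings.append((n, "http-basic", user, redact(pw)))
        elif m := POP3_USER.match(line):
            pending_user = m.group(1)
        elif m := POP3_PASS.match(line):
            findings.append((n, "pop3", pending_user, redact(m.group(1))))
            pending_user = None
        elif m := IMAP_LOGIN.match(line):
            findings.append((n, "imap", m.group(1), redact(m.group(2))))
        elif FORM_BODY.match(line):
            fields = {k.lower(): v[0] for k, v in parse_qs(line, keep_blank_values=True).items()}
            pw_key = next((k for k in fields if k in PASSWORD_KEYS), None)
            if pw_key:
                user = next((fields[k] for k in USER_KEYS if k in fields), None)
                findings.append((n, "http-form", user, redact(fields[pw_key])))
    return findings


# Constructed capture: a webmail form login, an HTTP Basic request, a POP3
# session and an IMAP login, all as an untrusted proxy would see them.
SAMPLE = [
    "POST /login HTTP/1.0",
    "Host: webmail.example.test",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "user=canary01&password=Tr0ub4dor%263&remember=1",
    "GET /inbox HTTP/1.0",
    "Authorization: Basic " + base64.b64encode(b"canary02:hunter2").decode(),
    "+OK POP3 ready",
    "USER canary03",
    "PASS hunter2",
    "a001 LOGIN canary04 letmein",
]


def demo():
    return find_plaintext_credentials(SAMPLE)


if __name__ == "__main__":
    for line_no, proto, user, secret in demo():
        print(f"line {line_no}: {proto} login for {user!r}, secret {secret}")
```

Anything this finds in your own outbound capture is a credential the proxy operator could read too; the fix is the one the post implies, a service that authenticates over TLS, not a stronger password.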
This simple test has proven that some public proxy servers out there are indeed malicious. While the Internet is full of great free things, some of them are mousetraps. Everyone should keep in mind that connecting through proxy servers essentially gives the proxy owner rights to be the man in the middle. People using these services should understand the risks, opt for trusted resources and utilize protection technologies.