Brazilian criminals create malicious proxies
This post was originally an automatic machine translation of http://www.linhadefensiva.org/2009/07/criminosos-brasileiros-criam-proxies-maliciosos/, a security blog written in Portuguese (Brazilian). I have attempted to correct the translation and add a few other comments.
We see the same problems in English and every other language, so please read and follow the advice:
By changing the settings of the major browsers, criminals can direct users to fake bank pages or fake search engines.
A new attack technique that abuses proxy settings is being used by Brazilian and other cybercriminals.
.PAC files
The attack begins when the user opens an infected email or attachment. From that moment the virus changes your browser settings, adding to the connection options a URL that points to a .PAC file.
.PAC (proxy auto-config) files are legitimate, but they can be abused, as in these cases. They are JavaScript scripts that define which Internet pages will be served through a given server acting as a proxy.
When you try to access the pages of the main Brazilian and other banks, you are directed to a fake site serving pages that look identical to the legitimate bank site, often with the correct bank URL in the address bar. This allows the criminals to steal your financial data.
This affects every version of Internet Explorer, Firefox, Chrome, Safari and any other browser. Programs such as instant messengers and web updaters that use the same connection settings as Internet Explorer are also affected.
How do you know if you are infected?
In Internet Explorer, go to the Tools menu and click Internet Options. On the Connections tab, click LAN settings. In the box that opens, check whether there are any entries under “use automatic configuration script”. If there are, remove the entry, then uncheck “use automatic configuration script”. Also check “use a proxy server” lower down, because different malware can set a specific proxy there. If you did not set the proxy yourself (many ISPs and corporate networks do set a proxy), remove the entry and uncheck “use proxy server”, then press OK or Apply.

In Firefox, go to the Tools menu and click Options. On the Advanced tab, go to the Network section and click the button to configure the connection. In the box that opens, look at the proxy auto-configuration “address” field for any URL. If there is one, remove it. Also check the manual proxy configuration and, if it was not set by you, fix it in the same way as I described above for Internet Explorer.

The Linha Defensiva team has notified CERT Brazil so that reasonable steps can be taken to remove the malicious servers, since many of them are located in Brazil.
If you suspect you are infected with a banker trojan, or suffer from redirects, pop-ups or other strange or worrying symptoms, please ask for help on our help forum, TheSpykiller.


Thursday, October 22nd 2009 at 01:55
Hello from Russia!
Can I quote a post in your blog with the link to you?
Thursday, October 29th 2009 at 06:58
Yes, certainly, post it in your blog.