BelchSpeak

Phishing with TNT

If phishing is using email bait to lure the unwary into identity theft, then hijacking the web traffic on a domain would be the equivalent of using dynamite in a lake to cause all of the phish to phloat to the top.

Microsoft warned today that its WINS and DNS servers could be abused by an attacker to implant a malicious Web Proxy Automatic Discovery (WPAD) file, causing every client in a domain configured to auto-detect proxy settings to shunt all of its web traffic through a malicious web proxy.

From Infoworld here:

Microsoft Corp. is warning of an attack that could be used to divert someone’s Web traffic through a malicious proxy server.

Applications such as Internet Explorer use the Web Proxy Automatic Discovery (WPAD) protocol to find a file that enables a browser to configure its proxy settings. However, it’s possible to plant a configuration file that would route traffic through a malicious proxy, the company said.

A malicious WPAD.dat file could be placed in the Domain Name System (DNS) or the Windows Internet Naming Service (WINS), Microsoft said. The client application looks in DNS or WINS to resolve the name of the host that has the proxy configuration file.

Once the bad file is there, WPAD clients “may be able to route their Internet traffic through a malicious proxy server,” Microsoft said.

Microsoft details on its support site how administrators can configure DNS and WINS on their servers to help prevent what it calls “malicious registrations” of WPAD files. The fix is for Windows Server 2003 and Windows 2000 Service Pack 4.

One of the goals of most phishing attacks is to record usernames and passwords to online financial sites. Most trojans and botnet zombies already do this. But if an attacker had access to a proxy on a network, he could easily intercept and record the financial credentials of not just a single host, but the whole network. You might see the next generation of botnets employ this new proxy hijacking technique.
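As an added example (not from the post, the Infoworld article, or Microsoft's guidance), here is a small Python check an administrator could run against a wpad.dat fetched from the WPAD host: it pulls every proxy endpoint out of the PAC file's return statements and flags any that is not on an approved list. The sample PAC content and the approved-proxy set are constructed for this example.

```python
import re
from typing import List, Set

# Constructed sample wpad.dat (PAC) file, of the kind a client fetches from
# the "wpad" host after resolving that name via DNS or WINS. Assumed example
# content, not the file described in the Microsoft advisory.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example"))
        return "DIRECT";
    if (shExpMatch(host, "*.bank.example"))
        return "PROXY 203.0.113.7:3128; DIRECT";   // unexpected proxy for banking traffic
    return "PROXY proxy.corp.example:8080";
}
"""

# Proxies the administrator has approved (assumed values for this example).
APPROVED_PROXIES = {"proxy.corp.example:8080"}

# Matches every string literal a PAC file returns, e.g. "PROXY a:1; DIRECT".
_RETURN_RE = re.compile(r'return\s+"([^"]*)"')


def extract_proxies(pac_text: str) -> List[str]:
    """Return every PROXY/SOCKS endpoint named in a PAC file, in order of appearance."""
    endpoints = []
    for directive_list in _RETURN_RE.findall(pac_text):
        # A return value is a ';'-separated fallback list of directives.
        for directive in directive_list.split(";"):
            parts = directive.strip().split()
            # Each directive is "DIRECT" or "<PROXY|SOCKS...> host:port".
            if len(parts) == 2 and parts[0].upper() != "DIRECT":
                endpoints.append(parts[1])
    return endpoints


def unapproved_proxies(pac_text: str, approved: Set[str]) -> List[str]:
    """Endpoints the PAC file would route traffic to that are not on the approved list."""
    return [p for p in extract_proxies(pac_text) if p not in approved]


if __name__ == "__main__":
    for proxy in unapproved_proxies(SAMPLE_PAC, APPROVED_PROXIES):
        print(f"WARNING: wpad.dat routes traffic via unapproved proxy {proxy}")
```

Run against the constructed file, the check reports only 203.0.113.7:3128, the endpoint the PAC file would hand banking traffic to.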

Dr. Jones

Do not talk about fight club. Oops.