Thursday, August 23, 2007

Proxy Phishing Warning - Avoid Proxies!

Here's another reason to avoid web proxy sites: McAfee SiteAdvisor has been popping up warnings about potential phishing via these seemingly "harmless" proxy sites.

Maybe phishing is one of the real reasons behind the sudden proliferation of new proxy sites, and not just so kids and workers can bypass internet filtering.

Maybe the real purpose of many of the sites popping up every few minutes is to lure unsuspecting victims into entering their passwords and other personal information through the proxy, so it can be collected for nefarious purposes.

It may also be another reason behind the proxy hacking/hijacking: getting proxied copies of pages ranked in Google purposely steers people to sites they may be members of, so that they log in via the proxy's server.

Some of the newer proxy sites I've seen attempting to hijack some of my pages lately have a very low profile, such as "http://000a.com/www.mysite.com", and don't even frame the page to give you any indication, other than the URL, that you're using a proxy.
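What that kind of URL means for the browser, and one way a site owner can spot visitors who arrive through such a proxy, as an added example (this is not code from the original post). It assumes the proxy either prefixes the target hostname onto its own path, as in the example URL above, or carries it in a query parameter, and that some relaying proxies add Via / X-Forwarded-For headers; the Referer heuristic only fires when the proxy passes the browser's Referer through. The request samples are constructed.

```python
"""Added example (not code from the original post): what a prefix-style
proxied URL such as http://000a.com/www.mysite.com/login means for the
browser, and a heuristic a site owner can run on incoming requests to
spot visitors who arrived through such a proxy.

Assumptions not stated on the page: the proxy either prefixes the target
hostname onto its own path (as in the post's example) or carries it in a
query parameter, and some relaying proxies add Via / X-Forwarded-For
headers.  The request samples below are constructed for this example.
"""
from urllib.parse import urlsplit, unquote

# Headers that relaying proxies commonly add (assumption: not every proxy does).
RELAY_HEADERS = ("via", "x-forwarded-for", "forwarded")


def proxied_via(url, own_host):
    """Return the hostname the browser really connects to if `url` is a
    proxied URL for `own_host` (own_host embedded in the path or query of
    a different host), otherwise None.

    The scheme://host part of the URL is the only origin the browser
    authenticates; everything after it is just data handed to the proxy.
    """
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    if real_host == own_host.lower():
        return None
    embedded = unquote(parts.path + "?" + parts.query).lower()
    return real_host if own_host.lower() in embedded else None


def looks_proxied(headers, own_host):
    """Heuristics applied to one request (headers: lower-case name -> value).
    Returns the list of reasons it appears to come through a hosted proxy;
    an empty list means nothing suspicious was found."""
    reasons = []
    for name in RELAY_HEADERS:
        if name in headers:
            reasons.append(f"relay header {name}: {headers[name]}")
    referer = headers.get("referer")
    if referer:
        # Only works when the proxy forwards the browser's Referer unchanged.
        proxy_host = proxied_via(referer, own_host)
        if proxy_host:
            reasons.append(f"referer is a proxied copy of {own_host} on {proxy_host}")
    return reasons


# Constructed sample requests, not real log data.
SAMPLE_REQUESTS = {
    "direct": {"referer": "http://www.mysite.com/"},
    "low_profile_proxy": {"referer": "http://000a.com/www.mysite.com/"},
    "query_style_proxy": {
        "referer": "http://proxy.example/index.php?q=http%3A%2F%2Fwww.mysite.com%2F",
    },
    "relay_with_headers": {
        "via": "1.1 relay.example",
        "x-forwarded-for": "203.0.113.5",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        print(label, looks_proxied(hdrs, "www.mysite.com"))
```

The first function is the whole point of the "low profile" URL: the address bar shows 000a.com, and that is the only host the browser has a connection with; "www.mysite.com" is just a path the proxy reads. The second function is a heuristic, not a filter, and a proxy that strips Referer and adds no relay headers will pass it, which is why the post's advice is aimed at visitors rather than at site-side blocking.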

Everything is starting to add up to a very serious threat for novice internet users who can't tell they're even being spoofed.

I didn't like proxy sites before and now I think they should just be abolished because the risks are too high for site owners and visitors alike.

When it comes to proxy sites, just play it safe and avoid them at all costs.

6 comments:

Anonymous said...

Proxies are an essential safety valve, against everything from institutional or government censorship to webmaster trampling of user rights, by making it possible (with effort) to evade censorship and other blocks based on either your destination's or your own IP address. On the other hand I would agree that it is unsafe to entrust them with anything sensitive.

Proxies that don't make it obvious that you're in a proxy and that do support SSL would seem to be the main danger. On the other hand, even proxies that support SSL (with a warning that you're foregoing security by using them) are necessary safety valves, as otherwise malicious webmasters could just gratuitously use SSL on non-sensitive things like forum posting submission forms and the like, not to actually secure users against misuse of their account details but to deny access via proxies so that they could enforce bans on anyone they disagreed with, and in so doing they would also prevent the forum from being used in the presence of censorship regimes, e.g. nobody could post from China.

IncrediBILL said...

We can agree on governmental abuses as a reason to use a proxy just for informational purposes, but users have no rights on webmaster sites so there's nothing to trample.

Whether the proxy supports full-blown SSL or not is meaningless because you're connecting to a meta server, meaning your SSL session is with the proxy; the proxy decodes and has full access to your data, then establishes its own SSL connection with the destination and passes the information along.

They're evil little sites that are more than ripe for abuse as they are already being used against their visitors.

No need to have a big debate about it, because maybe you or I wouldn't pass sensitive details, but most internet users aren't savvy about what's safe and what's not safe to do.

Case in point: spam wouldn't exist if people didn't make money from spam. Buying from spammers probably isn't wise; the products could be bogus and unsafe, could be a phishing setup for identity fraud, or at a minimum a way to steal your credit card number. Yet after all the warnings, and even though people know that spamming is illegal, they still buy from spammers.

If they're that naive about spammers, the proxy operators have it made in the shade, especially if they're running a low profile proxy, because the end user won't even know where they got ripped off and will blame the actual site they used and not the proxy server.

Anonymous said...

What do you mean by "webmaster sites"?

As for SSL, some browsers provide more information. For example, at this comment submission form it shows "www.blogger.com" and a lock icon at the bottom right. Unless they could forge someone else's cert, a proxy with SSL support would show "www.proxy.com" or whatever instead. There's also of course the address bar. One good idea to make sure users notice this stuff though would be if browsers popped up an alert if you went to make a form submission and the certificate was either a) invalid (strong warning not to submit if there's any sensitive information), b) expired (warning), or c) unfamiliar ("Are you sure you want to submit this information to whosit.com?")

The latter would use the certificate's authenticated identity for the site. So if you did online banking at www.bank.com you'd get one initial alert when submitting a secure form at www.bank.com and say OK, and use it for years. Later if some proxy somehow snuck into the chain you'd suddenly see an alert saying "Are you sure you want to submit this information to www.sneakyproxy.com?" (or some unfamiliar name) and know something was up.

Meanwhile I'll continue to find it cute that Blogger thinks people need 256-bit AES encryption(!) to post anonymous comments to a blog that anyone will be able to read. :)
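The "confirm before submitting to an unfamiliar certificate identity" idea sketched in the comment above, implemented as a small trust-on-first-use check, as an added example (not code from the original post or its commenters). It assumes a certificate in the dict shape Python's ssl.getpeercert() returns ('subject', 'subjectAltName', 'notAfter') and uses a `chain_valid` flag to stand in for the browser's chain validation, which it does not perform; the certificates are constructed, not real. It also covers the wildcard-name case the comment does not mention.

```python
"""Added example (not code from the original post or its commenters): the
"confirm before submitting to an unfamiliar certificate identity" idea
from the comment above, as a trust-on-first-use check over the outcomes
it lists (invalid, expired, unfamiliar, or already accepted).

Assumptions: a certificate is the dict shape ssl.getpeercert() returns
('subject', 'subjectAltName', 'notAfter'); `chain_valid` stands in for
the browser's chain validation, which this example does not perform.
All certificates below are constructed, not real.
"""
import ssl
import time


def cert_names(cert):
    """DNS names the certificate is valid for (SAN first, CN as fallback)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]


def name_matches(host, pattern):
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern


class SubmitGuard:
    """Decides whether a form submission to target_host should go ahead."""

    def __init__(self):
        self.accepted = set()  # certificate identities the user has OK'd before

    def check(self, target_host, cert, chain_valid, now=None):
        """Return (verdict, identity): 'invalid' (strong warning, no identity),
        'expired' (warning), 'unfamiliar' (ask "are you sure you want to
        submit this to <identity>?") or 'ok'.  identity is the certificate
        name the submission actually goes to, e.g. the proxy's own name
        when a proxy sits in the chain."""
        now = time.time() if now is None else now
        matched = [n for n in cert_names(cert) if name_matches(target_host, n)]
        if not chain_valid or not matched:
            return "invalid", None
        identity = matched[0]
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            return "expired", identity
        if identity not in self.accepted:
            return "unfamiliar", identity
        return "ok", identity

    def accept(self, identity):
        """Record the user's one-time OK for this identity."""
        self.accepted.add(identity)


def make_cert(name, not_after):
    """Constructed certificate record in getpeercert() shape (example data)."""
    return {
        "subject": ((("commonName", name),),),
        "subjectAltName": (("DNS", name),),
        "notAfter": not_after,
    }


NOW = ssl.cert_time_to_seconds("Aug 23 12:00:00 2007 GMT")  # the post's date
BANK_CERT = make_cert("www.bank.com", "Aug 23 00:00:00 2008 GMT")
PROXY_CERT = make_cert("www.sneakyproxy.com", "Aug 23 00:00:00 2008 GMT")
STALE_CERT = make_cert("www.bank.com", "Jan 23 00:00:00 2007 GMT")


def walkthrough():
    """The comment's scenario: the first submission prompts, later ones
    don't, and a proxy in the chain prompts again under its own name."""
    guard = SubmitGuard()
    first = guard.check("www.bank.com", BANK_CERT, True, NOW)           # unfamiliar
    guard.accept(first[1])
    later = guard.check("www.bank.com", BANK_CERT, True, NOW)           # ok
    proxied = guard.check("www.sneakyproxy.com", PROXY_CERT, True, NOW)  # unfamiliar
    return first[0], later[0], proxied


if __name__ == "__main__":
    print(walkthrough())
```

The key design point is that the store is keyed by the certificate's authenticated name rather than by the page's URL: a proxied copy of the bank's login page is served from the proxy host with the proxy's own valid certificate, so the check passes "valid" and "not expired" and still prompts, because the identity the form is about to be posted to is one the user has never approved.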

Anonymous said...

Proxies like privoxy are sometimes used on a LAN or on the same machine as the surfer, rather than being third-party internet sites. These proxies can often pass SSL as well as regular HTTP, too. There's no danger of malicious misuse by the proxy operator in these cases, generally, save maybe a nosy employer spying on employees that go through the proxy on the corporate LAN. There's also no danger of Google crawling through these proxies since they're not internet-visible.

How would you distinguish visitors coming through these proxies or through legitimate anonymizers from ones coming through "bad" proxies?

(Googlebot, or something claiming to be googlebot, coming through any of them is another matter -- block, block, block.)

P.S. I too want to know what you meant by the phrase "webmaster sites". I also want to know what happened to the lively comment thread at "distributed scrape from saix.net"? There were a ton of mostly on-topic comments there that I no longer see. You've previously said that you don't delete on-topic comments. Did you suffer a data loss event? What else might have been affected? Many of your archived postings and their comments are invaluable, even those I disagree with; I hope not much was lost. Is there a chance at data recovery?

IncrediBILL said...

Some of those types of proxies aren't what we're talking about.

Any hosted proxy is a potential phish, especially if the server or account gets hacked, as many of these are on shared hosting, so injecting transparent code into the proxy to phish data is pretty trivial.

The only way to stay safe is to steer clear of the proxy unless you own it.

Anonymous said...

Owning the proxy means it can't very well be used for anonymization though. Well, except that if you own a proxy but let others use it and whitewash the origin of everything it does, then you have deniability and can say something was done by one of your users and not by yourself.

I doubt this will help when the object of the game is to work around a repressive regime with a Great Firewall or something like that, though.