
Man-In-The-Middle


One of the most successful vectors for gaining control of customer information and resources is through man-in-the-middle attacks. In this class of attack, the attacker situates themselves between the customer and the real web-based application, and proxies all communications between the systems. From this vantage point, the attacker can observe and record all transactions.
This form of attack is successful for both HTTP and HTTPS communications. The customer connects to the attacker's server as if it were the real site, while the attacker's server makes a simultaneous connection to the real site. The attacker's server then proxies all communications between the customer and the real web-based application server, typically in real time.
In the case of secure HTTPS communications, an SSL connection is established between the customer and the attacker's proxy (hence the attacker's system can record all traffic in an unencrypted state), while the attacker's proxy creates its own SSL connection between itself and the real server.
For man-in-the-middle attacks to be successful, the attacker must be able to direct the customer to their proxy server instead of the real server. This may be carried out through a number of methods:
Transparent Proxies
Situated on the same network segment or located en route to the real server (e.g. a corporate gateway or an intermediary ISP), a transparent proxy service can intercept all data by forcing all outbound HTTP and HTTPS traffic through itself. In this transparent operation no configuration changes are required at the customer end.
DNS Cache Poisoning
"DNS Cache Poisoning" may be used to disrupt normal traffic routing by injecting false IP addresses for key domain names. For example, the attacker poisons the DNS cache of a network firewall so that the MyBank domain name now resolves to the attacker's proxy server IP address instead of the real MyBank IP address.
URL Obfuscation
Using URL obfuscation techniques, the attacker tricks the customer into connecting to their proxy server instead of the real server. For example, the customer may follow a link to http://www.mybank.com.ch/ instead of http://www.mybank.com/.
Browser Proxy Configuration
By overriding the customer's web browser setup and setting proxy configuration options, an attacker can force all web traffic through their nominated proxy server. This method is not transparent to the customer, and the customer may easily review their web browser settings to identify an offending proxy server.
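The URL obfuscation method above relies on a hostname that merely contains the real domain. The following Python check, added here as an illustration and not part of the original page, compares the URL's host against a trusted domain label by label, so that `www.mybank.com.ch` is flagged while `www.mybank.com` and its genuine subdomains pass. The allow-list and the sample URLs are constructed for this example; MyBank is the placeholder name used on the page.

```python
from urllib.parse import urlsplit

# Constructed allow-list of registered domains the customer intends to reach.
TRUSTED_DOMAINS = {"mybank.com"}


def registered_domain_ok(url: str, trusted: set = TRUSTED_DOMAINS) -> bool:
    """Return True only if the URL's host is a trusted domain or a subdomain of one.

    The comparison is made on whole DNS labels, so "www.mybank.com.ch"
    (extra labels appended after the real domain) and "notmybank.com"
    (real domain embedded in a longer label) are both rejected, while
    "online.mybank.com" is accepted.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased; any userinfo and port are stripped
    if not host:
        return False
    labels = host.rstrip(".").split(".")
    for domain in trusted:
        d_labels = domain.lower().split(".")
        # The host's trailing labels must equal the trusted domain exactly.
        if len(labels) >= len(d_labels) and labels[-len(d_labels):] == d_labels:
            return True
    return False


def classify(url: str) -> str:
    """Label a URL for a customer-facing warning."""
    return "trusted" if registered_domain_ok(url) else "SUSPECT"


if __name__ == "__main__":
    # Constructed sample links, including the obfuscated one from the page.
    for u in (
        "http://www.mybank.com/",
        "http://www.mybank.com.ch/",
        "https://online.mybank.com/login",
        "http://notmybank.com/",
    ):
        print(f"{classify(u):8} {u}")
```

Because the check strips userinfo and ports before comparing, it judges only the part of the URL that actually determines where the browser connects.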