Open Proxy Servers Lead to some Top Web Attacks
Research by WASC (Web Application Security Consortium) has found that click-through and advertising fraud is currently the top malicious activity in traffic from open proxy servers, with junk e-mail the next most common attack.
Servers with open proxies often help scammers and attackers hide their tracks: passing malicious traffic through them makes attacks difficult to detect and identify. The miscreants, according to WASC, use the servers to protect their anonymity while making their requests on the Web.
During the early stage of its Distributed Open Proxy Honeypot Project in January 2007, WASC found that of a total of nine million Web requests its honeynet received, around two million were characterized by malicious, known attacks or by some new suspicious behavior.
Also, click-fraud traffic, used to manipulate click-based Web ad results, accounted for 2.6 million malicious requests during October 2007. By comparison, there were 158,000 such requests during January-April 2007.
The next most common malicious activity in the Web requests was spam, with almost two million requests, compared with a little over 109,600 requests in January-April 2007. A majority of the Web attacks were automated or happened without user interaction.
WASC's project also detected a widespread scan crafted to break into e-mail accounts at a widely used ISP. The scan, which used the method of 'distributed reverse brute force authentication', was spread over a large number of individual e-mail authentication hosts so that the attacks would bypass detection.
A hacker who is unable to access users' e-mail accounts through the scan could still harvest a lot of active accounts to which he might later deliver spam.
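A detection sketch for the scan described above, added here as an example and not taken from WASC's project: failures are pooled across all authentication hosts instead of being counted per host. The log format, host names, addresses, thresholds and the assumption that each targeted account sees only one or two failures are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
START = datetime(2007, 10, 1, 10, 0, 0)
# Constructed sample log, format: ISO-time auth_host source_ip username OK|FAIL
SAMPLE = [f"{(START + timedelta(seconds=30 * i)).isoformat()} mx{i % 4 + 1} "
          f"198.51.100.{10 + i} user{i:02d} FAIL" for i in range(12)]
# Benign noise: one user mistyping a password three times, then succeeding.
SAMPLE += [f"2007-10-01T10:0{m}:00 mx5 192.0.2.7 bob {r}"
           for m, r in [(1, "FAIL"), (2, "FAIL"), (3, "FAIL"), (4, "OK")]]

def parse(line):
    ts, host, src, user, result = line.split()
    return datetime.fromisoformat(ts), host, src, user, result == "OK"

def per_host_alerts(events, threshold=5):
    """Naive control: alert when one auth host alone sees >= threshold failures."""
    fails = defaultdict(int)
    for _, host, _, _, ok in events:
        fails[host] += not ok
    return sorted(h for h, n in fails.items() if n >= threshold)

def aggregated_alerts(events, window=timedelta(minutes=10), min_users=8, max_tries=2):
    """Pool failures from every auth host into fixed time buckets and alert when
    many distinct accounts each fail only once or twice in the same bucket."""
    tries = defaultdict(lambda: defaultdict(int))  # bucket -> user -> failures
    seen = defaultdict(lambda: defaultdict(set))   # bucket -> user -> {(host, src)}
    for ts, host, src, user, ok in events:
        if ok:
            continue
        bucket = (ts - EPOCH) // window
        tries[bucket][user] += 1
        seen[bucket][user].add((host, src))
    alerts = []
    for bucket, users in sorted(tries.items()):
        low = [u for u, n in users.items() if n <= max_tries]
        if len(low) >= min_users:
            pairs = set().union(*(seen[bucket][u] for u in low))
            alerts.append({"window_start": EPOCH + bucket * window,
                           "accounts": len(low),
                           "hosts": len({h for h, _ in pairs}),
                           "sources": len({s for _, s in pairs})})
    return alerts

EVENTS = [parse(line) for line in SAMPLE]

if __name__ == "__main__":
    print("per-host alerts:", per_host_alerts(EVENTS))
    print("aggregated alerts:", aggregated_alerts(EVENTS))
```

Fixed buckets can split a burst across a boundary; a sliding window over the same pooled counts avoids that.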
» SPAMfighter News - 05-12-2007