Researchers study open-proxy attacks

Advertising and click-through fraud is currently topping the list of malicious activity funnelled through open proxy servers, followed by junk e-mail, according to a research project deploying fake open proxies to catch crooks.

The research was carried out by the Web Application Security Consortium (WASC) using a network of virtual Apache proxy servers running on VMware and deploying an array of tools to identify, log and block traffic. The project started off with servers in seven countries in January, and has now expanded into 14 countries.

Open proxies are a frequent means by which attackers and scammers cover their tracks, making such traffic difficult to identify and trace. The WASC's approach gives researchers an insight into exactly what is passing through such servers.

When malicious traffic is identified, the honeypot servers block it and feed spoofed information back to the attackers, such as HTTP status codes, according to Ryan Barnett, director of application security training for Breach Security and head of the WASC's Distributed Open Proxy Honeypots project.

Click fraud traffic, employed to distort results from click-throughs to Web ads or other commercial links, led malicious activity during the month of October, with 2.6 million requests. That compares to 158,000 requests for the entirety of the January-April period.

Spam followed with nearly two million requests, compared to slightly more than 109,600 in January-April. Most of the attacks are automated, WASC said.

The most serious attacks measured by the WASC's honeypots were designed to implant malicious Javascript code into often legitimate Web sites. Malicious Javascript is often used to exploit known browser flaws, in order to install malware onto client machines.

The project also noted an extensive scan designed to break into the e-mail accounts of a popular Internet service provider.

The scan, using a method called distributed reverse brute force authentication, is distributed across hundreds of unique e-mail authentication hosts in order to evade detection.

The technique involves checking a large number of different e-mail usernames to see if they match specific common passwords. By "cracking" the username rather than the password, the attackers can evade many ordinary security defenses.

Even if the attack doesn't allow the attackers to break into e-mail accounts, it yields a list of valid e-mail accounts that can be used for spamming purposes.

Techworld is an InfoWorld affiliate.