Scovetta Labs Security Advisory

 Title:         Phishing Protection via proxy.pac
 Status:        Public
 Release Date:  2005-02-26

 Package:       Web Browsers
 Priority:      Medium
 Vulnerability: Phishing Attacks


 Phishing attacks have become very common in recent months. Without a
 complete solution, many users can be tricked into revealing their
 customer information. I describe an approach that can be applied by
 anyone with a web browser, with very little overhead, and with a very
 fast reaction time to new threats.


 A "proxy.pac" file is a JavaScript file that the browser executes each
 time the user loads a web page. It was meant to be used to determine
 whether a URL is on a local network (as opposed to requiring that the
 request pass through a proxy server).

 We can use this functionality to prevent users from visiting known
 "bad" hosts or URLs.

How it Works:

 Below is a simple example of a proxy.pac file, which prevents users
 from visiting the host "".

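 /*
  * Anti-Phishing Scheme - by Michael Scovetta
  * Scovetta Labs
  */

 var phishIPs = "";  // example of a threat host

 // Called by the browser for each URL it is about to load.
 function FindProxyForURL(url, host){
   if (host != null && host.indexOf(phishIPs) != -1)
     return "PROXY";   // listed host: send the request to the proxy
   return "DIRECT";    // everything else: connect directly
 }
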
 As you can see, when a user accesses a site that is defined in the
 "phishIPs" variable, the function returns the string 
 "PROXY", which tells the web browser to attempt to
 contact the site through a local proxy server, running on port 9999.
 Since the user (most likely) does not have a proxy server running on
 that port, the web browser fails to load the URL.
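
 The same scheme extended to a list of hosts, as an added example that
 is not part of the original advisory or of the antiphish.pac file. It
 compares the host exactly (plus listed domains and their subdomains)
 instead of by substring, so that a listed 192.0.2.10 does not also
 block 192.0.2.100. The list entries are constructed placeholders, and
 the loopback address 127.0.0.1 in the proxy string is an assumption;
 only port 9999 comes from the text above.

```javascript
// Added example, not the advisory's own code.
// Constructed placeholder entries (documentation address/domain ranges).
var BLOCKED_HOSTS = {
  "192.0.2.10": true,
  "bank-login.example": true
};
// Domains listed here are blocked together with all their subdomains.
var BLOCKED_DOMAINS = ["phish.example"];

// Assumption: nothing listens on loopback port 9999, so the request fails.
var SINKHOLE = "PROXY 127.0.0.1:9999";

// Lower-case the host and drop a trailing FQDN dot ("host.example.").
function normalizeHost(host) {
  if (!host) return "";
  host = String(host).toLowerCase();
  if (host.charAt(host.length - 1) === ".") host = host.slice(0, -1);
  return host;
}

// True when the host is listed exactly or falls under a listed domain.
function isBlocked(host) {
  var h = normalizeHost(host);
  if (h === "") return false;
  if (Object.prototype.hasOwnProperty.call(BLOCKED_HOSTS, h)) return true;
  for (var i = 0; i < BLOCKED_DOMAINS.length; i++) {
    var d = BLOCKED_DOMAINS[i];
    var suffix = "." + d;
    // Match the domain itself or a label boundary, never a bare substring.
    if (h === d || h.slice(-suffix.length) === suffix) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return isBlocked(host) ? SINKHOLE : "DIRECT";
}
```

 An empty list entry must never be added: with the substring test in the
 original file, an empty string matches every host.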


 Internet Explorer:
   Tools--Internet Options--Connections--LAN Settings
   Click "Use automatic configuration script"
   Set the address to:
   Click OK--OK
   Restart your browser

 Firefox:
   Tools--Options--General--Connection Settings
   Click "Automatic proxy configuration URL:"
   Set the address to:
   Click Reload
   Click OK--OK

 Alternatively, you can download the antiphish.pac file from Scovetta
 Labs and access it locally (file://c:/antiphish.pac). 

New Threats:

 The antiphish.pac file will be updated as new "bad" IP addresses
 are discovered. IP addresses will be removed when they are verified
 to be clean.

 In order for this to work, I need the help of the community. Since
 phishers tend to send out many, many emails, you can help by
 reporting IP addresses to me via:
 Alternatively, you can forward the phishing emails to me at:

 As more people use antiphish.pac, I will eventually have it
 automatically update as new IP addresses are discovered.

Revision History
2005-02-26: Public Release [1]


 Credit to Michael V. Scovetta.




 The content of this report is purely informational and meant only 
 for the purpose of education and protection. Scovetta Labs and 
 Michael Scovetta shall in no event be liable for any damage 
 whatsoever, direct or implied, arising from use or spread of this 
 information. All identifiers (hostnames, IP addresses, company names, 
 individual names etc.) used in examples and demonstrations are used 
 only for explanatory purposes and have no connection with any real 
 host, company or individual. In no event should it be assumed that 
 use of these names means specific hosts, companies or individuals 
 are vulnerable to any attacks nor does it mean that they consent to 
 being used in any vulnerability tests. The use of information in 
 this report is entirely at user's risk.

 (c) 2005 Michael Scovetta. Forwarding and publishing of this document 
 is permitted providing the content between "[BEGIN-SCL-REPORT]" and
 "[END-SCL-REPORT]" marks remains unchanged.

