Hey,
Institutions do in fact scan local systems and public networks on
connection to as they say "fight bots" and "malicious/compromised
users". Here is an example of someone going through and pulling
apart ebay's use of it:
https://blog.nem.ec/2020/05/24/ebay-port-scanning/
They also use information gained from this for fraud factors. Example, if you are using a VPN or TOR some of your system information can still leak if you have misconfigured settings. See here for an example leak test: https://ipleak.net/ . You'll see a lot of the techniques here also used on big institutions.
Coming from the corporations.....it is really surprising how much fraud can be identified. Spammers aren't smart. Even when they use Tor or VPN they leak information. The financial institution I work with wants to keep TOR and VPNs allowed for connections so they employ stuff like this to fingerprint traffic. When someone is switching IPs trying to credential stuff or bruteforce our users, it is one of the only ways to mass-identify and block.
Many institutions are on the hook for fraud. Many also have a
fiduciary and regulatory duty to "Know Your Customer" (KYC). Some
would rather fingerprint than block all risky traffic that they
couldnt KYC.
Thanks,
-
Anthony
This is something I posted here a while back, how sites like banks and other financials were making scripted local queries to check for open "services" or ports as referrals to localhost and ports known to be malicious ala some worm or botnet if they should trust you or not. Quick way for them to determine what stupid customers of theirs got got already, and lower your credit score while at it. While ok, I get it, trust no one, but that's a bit creepy that they're forcing my browser to open sockets to local ports to essentially bypass my firewall, port scan my host, while connecting to their site, and figure no one mostly will notice.
Far as I know ublock and noscript inherently block most of that (it's usually some affiliate credit check firm the bank uses for plausible deniability and blame pointing), but I do this by default for the past ~20 years to notice much.
Such is the world we live in. Shields up!
-mb
On Fri, May 20, 2022 at 8:27 PM der.hans via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:
moin moin,
once in a while I run into a site trying to make JavaScript or XHR
connections to localhost.
What are they doing?
Are they setting up backdoor tunnels on localhost?
Are they trying to run a daemon out of the browser?
Are they trying to escape the sandbox and exfiltrate data?
ciao,
der.hans
--
# https://www.LuftHans.com https://www.PhxLinux.org
# Eternal vigilance is the price of liberty. -- Thomas Jefferson
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
--------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org To subscribe, unsubscribe, or to change your mail settings: https://lists.phxlinux.org/mailman/listinfo/plug-discuss