sites on localhost

Anthony Kosednar anthony at cactussrv.com
Sat May 21 12:25:18 MST 2022


Hey,

Institutions do in fact scan local systems and public networks on 
connection to, as they say, "fight bots" and "malicious/compromised 
users". Here is an example of someone going through and pulling apart 
eBay's use of it: https://blog.nem.ec/2020/05/24/ebay-port-scanning/

They also use information gained from this for fraud factors. For example, 
if you are using a VPN or Tor, some of your system information can still 
leak if you have misconfigured settings. See here for an example leak 
test: https://ipleak.net/ . You'll see a lot of the techniques here also 
used on big institutions.

Coming from the corporations... it is really surprising how much fraud 
can be identified. _Spammers aren't smart_. Even when they use Tor or 
VPN they leak information. The financial institution I work with wants 
to keep Tor and VPNs allowed for connections so they employ stuff like 
this to fingerprint traffic. When someone is switching IPs trying to 
credential stuff or brute-force our users, it is one of the only ways to 
mass-identify and block.

Many institutions are on the hook for fraud. Many also have a fiduciary 
and regulatory duty to "Know Your Customer" (KYC). Some would rather 
fingerprint than block all risky traffic that they couldn't KYC.

Thanks,

-

Anthony


On 5/20/22 9:20 PM, Michael Butash via PLUG-discuss wrote:
> This is something I posted here a while back, how sites like banks and 
> other financials were making scripted local queries to check for open 
> "services" or ports as referrals to localhost and ports known to be 
> malicious ala some worm or botnet if they should trust you or not.  
> Quick way for them to determine what stupid customers of theirs got 
> got already, and lower your credit score while at it.  While ok, I get 
> it, trust no one, but that's a bit creepy that they're forcing my 
> browser to open sockets to local ports to essentially bypass my 
> firewall, port scan my host, while connecting to their site, and 
> figure no one mostly will notice.
>
> Far as I know uBlock and NoScript inherently block most of that (it's 
> usually some affiliate credit check firm the bank uses for plausible 
> deniability and blame pointing), but I do this by default for the past 
> ~20 years to notice much.
>
> Such is the world we live in.  Shields up!
>
> -mb
>
>
>
> On Fri, May 20, 2022 at 8:27 PM der.hans via PLUG-discuss 
> <plug-discuss at lists.phxlinux.org> wrote:
>
>     moin moin,
>
>     once in a while I run into a site trying to make JavaScript or XHR
>     connections to localhost.
>
>     What are they doing?
>
>     Are they setting up backdoor tunnels on localhost?
>
>     Are they trying to run a daemon out of the browser?
>
>     Are they trying to escape the sandbox and exfiltrate data?
>
>     ciao,
>
>     der.hans
>     -- 
>     # https://www.LuftHans.com
>     https://www.PhxLinux.org
>     #  Eternal vigilance is the price of liberty. -- Thomas Jefferson
>     ---------------------------------------------------
>     PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>     To subscribe, unsubscribe, or to change your mail settings:
>     https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
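
To check what a site actually probes on your own machine, the following added example (not part of the original messages) reads a HAR export from the browser's network tab and lists the loopback ports each external site tried to reach. The host shop.example, the ports and the sample capture are constructed, and the code assumes the request's Origin or Referer header identifies the initiating site.

```javascript
// Added example. Input: a HAR object (devtools Network tab -> "Save all as HAR").
// Matches localhost, *.localhost, 127.0.0.0/8 and ::1 after URL normalisation.
const LOOPBACK = /^(([a-z0-9-]+\.)*localhost\.?|127(\.\d{1,3}){3}|\[::1\])$/i;

function portOf(u) {
  if (u.port) return Number(u.port);
  return u.protocol === 'https:' || u.protocol === 'wss:' ? 443 : 80;
}

function header(request, name) {
  const h = (request.headers || []).find((x) => x.name.toLowerCase() === name);
  return h ? h.value : null;
}

// Returns [{ site, ports }] for every non-local site that contacted loopback.
function findLoopbackProbes(har) {
  const bySite = new Map();
  for (const { request } of har.log.entries) {
    let target;
    try { target = new URL(request.url); } catch { continue; }
    // new URL() canonicalises forms such as 127.1 to 127.0.0.1 before the match.
    if (!LOOPBACK.test(target.hostname)) continue;
    let site = 'unknown';
    try {
      site = new URL(header(request, 'origin') || header(request, 'referer')).hostname;
    } catch { /* no usable Origin/Referer header */ }
    if (LOOPBACK.test(site)) continue; // a local page talking to itself
    if (!bySite.has(site)) bySite.set(site, new Set());
    bySite.get(site).add(portOf(target));
  }
  return [...bySite].map(([site, ports]) => ({ site, ports: [...ports].sort((a, b) => a - b) }));
}

// Constructed capture: shop.example and the ports are made up for illustration.
const origin = [{ name: 'Origin', value: 'https://shop.example' }];
const sampleHar = { log: { entries: [
  { request: { url: 'https://shop.example/login', headers: [] } },
  { request: { url: 'wss://127.0.0.1:5900/', headers: origin } },
  { request: { url: 'wss://localhost:3389/', headers: origin } },
  { request: { url: 'http://127.1:63333/x', headers: [{ name: 'Referer', value: 'https://shop.example/login' }] } },
  { request: { url: 'http://localhost:3000/api', headers: [{ name: 'Origin', value: 'http://localhost:3000' }] } },
] } };

console.log(JSON.stringify(findLoopbackProbes(sampleHar)));
```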