Session Hijack

Hello,

This may not be the most appropriate thread for this. However, it is the only one I could locate that was reasonably close.

You may wish to know that the Comodo Dragon browser has had its session hijacked by a fraudulent Windows “Rescue” site twice now in as many weeks.

Please see the attached file for further details. The system is Win10 Home, and the browser, which I run only in Incognito mode, is Version 66.0.3359.117 (32-bit).

Thank you

Hi Dansk,

These types of pages are scams designed to try to scare you into ringing them, handing over money, or paying for hacked virus protection from some other company at an extortionate rate. Normally ad blockers like uBlock or Adblock Plus stop these pages loading. The new Comodo Online Security extension and the CIS Webfilter should also be picking these bad sites up, but it's probably not a known blacklisted URL. You can enable the COS addon for Incognito mode in the Addon settings in Dragon.

At any rate, your information isn't compromised; it's just a scam page, which was probably a redirect from a site that has been hacked or is just a front.

Eric

Hi Eric,

Typically the scam starts after you accept the offer. You can see that the address in the modal window does not match the address in the address bar. It is not associated with Microsoft, but is a mock-up of a site that supposedly is.

These were redirects from legitimate sites that were occurring here. The question is why the browser is allowing redirects, and particularly ones to malicious domains. As a matter of good security, any DNS requests resulting from a redirect should be examined before being allowed.

Given that this is a branded browser, the issue should be given top priority.

Cheers

Protecting against malicious websites through DNS servers is a detection-based approach. By its very concept it runs behind the facts. One could debate the efficacy of various DNS servers, but the fact remains that detection gets added only after something has been discovered. I can't make it any more beautiful than it is. :-\

@EricJH, yes. As a sysadmin I am aware of how DNS works. However, it is entirely possible to prevent DNS requests to malicious websites from occurring. I've been using various technologies and methods for years to do just this. But, as a secure browser, just how secure is it if it cannot prevent redirection to malicious websites? One assumes that a secure browser has security built in, particularly when used in conjunction with Comodo Secure DNS. :-\

What techniques other than a DNS service with filtering have you been using? Those must have been at a different level than the browser, shifted more toward the system itself. Which techniques do you think could be implemented in a browser?

On the server level, the corporate level, or for home use?

Let me rephrase the question. Are there techniques that you think are eligible to be used in a browser?

When we do these for corporate, we go through a hardening and testing process. In that environment you can use a local ACL list, and there are various firewall appliances. If you want to keep it simple, why not use the Netcraft extension? Since the browser is now based upon Firefox, and they just went through a major remake with an emphasis on security, I would assume this is built in.

You can test various configurations here: https://www.netcraft.com/security-testing/web-application. At the browser level you can also force connections to known DNS servers, perhaps by building in a forwarding proxy. You can use DNS encryption services and configure the browser to use a forwarding proxy hard-coded into it. I'm certain there are many additional methods as well.

Are you responsible for the design of this product, or just asking out of curiosity?
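The posts above argue about whether requests to malicious hostnames can be stopped before they are made, and what a browser-level version of a filtering DNS service would look like. The following is an added example written for this page; it is not code from Comodo, Dragon, Comodo Secure DNS or any extension named in the thread. It implements the core of such a filter as a pure function that runs under Node: hostnames are canonicalised (lower-cased, trailing dot removed, IDN labels converted to punycode), then matched against block and allow lists from the most specific label upward so that a blocked zone can carry an allowlisted exception. The list entries and URLs are constructed for illustration.

```javascript
// Added example: browser-side hostname filter modelled on a filtering DNS
// resolver. Not Comodo/Dragon code; lists and URLs below are constructed.

// Canonicalise a hostname so that "Fake-Rescue.example." and an IDN spelling
// compare equal to their list entries. Returns null for an unparsable host.
function canonicalHost(host) {
  try {
    return new URL("http://" + host).hostname.replace(/\.$/, "");
  } catch {
    return null;
  }
}

// Constructed lists. Entries are canonicalised on load so IDN entries match
// the punycode form the URL parser produces at request time.
const BLOCKLIST = new Set(
  [
    "fake-rescue.example",        // blocks the apex and every subdomain
    "ads.tracker.example",        // blocks only this label and below
    "mïcrosoft-support.example",  // IDN look-alike, stored as punycode
  ].map(canonicalHost)
);
const ALLOWLIST = new Set(
  ["safe.fake-rescue.example"].map(canonicalHost) // exception inside a blocked zone
);

// Yield the host and each parent domain: "a.b.c" -> "a.b.c", "b.c", "c".
function* parentDomains(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) yield labels.slice(i).join(".");
}

// Decide whether a request to `url` may be made at all. Walking from the most
// specific label upward means the most specific rule wins, so an allowlist
// entry below a blocked zone is honoured before the zone itself is reached.
function checkUrl(url) {
  let hostname;
  try {
    hostname = new URL(url).hostname;
  } catch {
    return { allowed: false, reason: "unparsable URL" };
  }
  const host = canonicalHost(hostname);
  if (!host) return { allowed: false, reason: "unparsable host" };
  for (const d of parentDomains(host)) {
    if (ALLOWLIST.has(d)) return { allowed: true, reason: "allowlisted via " + d };
    if (BLOCKLIST.has(d)) return { allowed: false, reason: "blocklisted via " + d };
  }
  return { allowed: true, reason: "no matching rule" };
}

// Stand-alone demonstration.
for (const u of [
  "https://login.FAKE-RESCUE.example./offer",
  "https://safe.fake-rescue.example/",
  "http://x.ads.tracker.example/",
  "https://mïcrosoft-support.example/alert",
  "https://support.example.org/",
]) {
  console.log(u, "->", JSON.stringify(checkUrl(u)));
}
```

Note that this is still list-based: as EricJH says further up the thread, a hostname only gets blocked after someone has added it, so a filter like this complements rather than replaces controls that do not depend on prior knowledge of the domain.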

I am asking out of curiosity. Moderators are volunteers; we are end users with a badge. Comodo employees can be recognized by the Staff avatar.

Check https://www.frontmotion.com/. It can be managed through AD.

Check https://www.frontmotion.com/. It can be managed through AD.
It's basically a tool for repacking software for simplified installation, to be rolled out to workstations. Take Nero Burning ROM as an example: strip out the stuff that isn't going to be used, remove the tracking code, and add the necessary Visual C++ packages and features. Also, on workstations MSI installers are popular because they have full rollback, there's no need to worry about temporary admin rights, and more.

That's pretty much a rough idea, but there's a little more to it than that.

Anyway

The question is why is the browser allowing redirects
Crooks trick legitimate companies into running their malicious ads (yes, that's a problem in the ad industry). If the admin doesn't want redirections to be allowed in the browser, or only wants redirections allowed on a limited basis, there are extensions available to do that job. Some are more granular than others. But that's up to the admin or whoever is in charge.
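Dansk's posts ask why the browser permits redirects to unrelated domains and note that the address in the scam's modal does not match the address bar; the reply above says extensions exist that allow redirects only on a limited basis. The following is an added example for this page, not code from Comodo, Dragon or any particular extension, showing what such a redirect policy looks like as a pure decision function that runs under Node: same-host and same-site hops are allowed, an explicit allowlist covers known cross-site targets (CDNs, SSO), https-to-http downgrades are refused, and everything else is blocked at the first offending hop. The policy, the URLs and the redirect chains are constructed. The `site()` helper uses a last-two-labels approximation of the registrable domain; real code would consult the Public Suffix List.

```javascript
// Added example: redirect policy evaluator for a browser extension.
// Not Comodo/Dragon code. Policy, URLs and chains below are constructed.
const POLICY = {
  allowSameSite: true,                                  // www.news.example -> m.news.example
  allowedCrossSiteTargets: new Set(["cdn.example"]),    // explicit cross-site exceptions
  blockSchemeDowngrade: true,                           // never follow https -> http
};

// Registrable-domain approximation: last two labels. A real implementation
// must use the Public Suffix List (co.uk, github.io, ...); this is a known
// simplification kept for the example.
function site(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Decide whether a single redirect hop from `fromUrl` to `toUrl` is permitted.
function redirectDecision(fromUrl, toUrl, policy = POLICY) {
  let from, to;
  try {
    from = new URL(fromUrl);
    to = new URL(toUrl);
  } catch {
    return { allow: false, reason: "unparsable URL" };
  }
  if (policy.blockSchemeDowngrade && from.protocol === "https:" && to.protocol === "http:") {
    return { allow: false, reason: "scheme downgrade" };
  }
  if (from.hostname === to.hostname) return { allow: true, reason: "same host" };
  if (policy.allowSameSite && site(from.hostname) === site(to.hostname)) {
    return { allow: true, reason: "same site" };
  }
  if (policy.allowedCrossSiteTargets.has(to.hostname)) {
    return { allow: true, reason: "allowlisted target" };
  }
  return { allow: false, reason: "cross-site redirect to " + to.hostname };
}

// Apply the policy to a whole redirect chain; stop at the first hop that fails
// so the browser never contacts anything past it.
function evaluateChain(urls, policy = POLICY) {
  for (let i = 1; i < urls.length; i++) {
    const d = redirectDecision(urls[i - 1], urls[i], policy);
    if (!d.allow) return { allow: false, hop: i, reason: d.reason };
  }
  return { allow: true, hop: urls.length - 1, reason: "all hops permitted" };
}

// The observation from the thread that the modal's address differs from the
// address bar, as a check: an embedded frame's origin versus the top-level one.
function sameOrigin(a, b) {
  try {
    return new URL(a).origin === new URL(b).origin;
  } catch {
    return false;
  }
}

// Extension wiring (MV2 webRequest API; not executed under Node): record each
// details.url -> details.redirectUrl in chrome.webRequest.onBeforeRedirect keyed
// by details.requestId, then in chrome.webRequest.onBeforeRequest registered with
// ["blocking"] return { cancel: true } when redirectDecision(previous, details.url)
// is not allowed.

// Stand-alone demonstration with a constructed malvertising-style chain.
const chain = [
  "https://news.example/article",
  "https://ads.example/click?id=1",
  "http://fake-rescue-win.example/alert",
];
console.log(JSON.stringify(evaluateChain(chain)));
console.log(sameOrigin("https://news.example/article", "https://fake-rescue-win.example/alert"));
```

With this policy the constructed chain is cut at hop 1, before the scam page is ever requested; a site that legitimately bounces through an ad-click tracker would need that tracker added to `allowedCrossSiteTargets`, which is exactly the granularity trade-off the last post refers to.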