Odd connections from Browser to router when on banking site

ScreamingPict
Posts: 7
Joined: Thu Jan 17, 2013 7:17 pm

Odd connections from Browser to router when on banking site

Post by ScreamingPict » Sun Aug 17, 2014 5:31 pm

Hi,

Long time user of LS. I've found it incredibly useful for some time. However today is the first time that it flagged up something that gave me pause.

I went to my Bank's online banking website and started to get odd connections.

About once every few pages I loaded on the site (including the login page) I would suddenly get LS catching my browser trying to connect to a random, high numbered port on my router (Draytek 2820 IPPBX). I have checked the developer logs on the web page and it showed failed connections to several IP addresses (including my cable modem, which is in bridge mode on the other side of my router) to https://a.b.c.d:xxxxx/NonExistentImageyyyyy.gif where a.b.c.d is an IP address, and xxxxx and yyyyy are random 5-digit numbers.

I'm using Safari and connecting to the Royal Bank of Scotland's Direct Banking site.

I am not getting such warnings when I go to the Amex website, so it's possible that it's just a poorly implemented update to my bank's site, but it seems very odd.

Anyone got any ideas for debugging tips that I can use to help me track this down?

Thanks in advance.
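An added triage example, not from this thread or from Little Snitch: a small Python script that scans browser request lines for the pattern described above (an IP literal in private LAN space on a port in the IANA dynamic range 49152-65535). The log format and the sample lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines modelled on the pattern in the post above
# (https://a.b.c.d:xxxxx/NonExistentImageyyyyy.gif aimed at the router).
# The line format is invented here; it is not Little Snitch's own output.
SAMPLE_LOG = """\
2014-08-17 17:29:01 Safari https://192.168.1.1:51873/NonExistentImage48213.gif failed
2014-08-17 17:29:02 Safari https://192.168.100.1:60217/NonExistentImage91204.gif failed
2014-08-17 17:29:05 Safari https://www.example-bank.test/login ok
2014-08-17 17:29:06 Safari https://192.168.1.1:443/ ok
2014-08-17 17:29:07 Safari https://198.51.100.7:52001/pixel.gif ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<app>\S+) (?P<url>\S+) (?P<status>\S+)$")

# Address blocks a public site has no business asking the browser to reach:
# RFC 1918 private space plus IPv4 link-local.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
DYNAMIC_PORT_MIN = 49152  # start of the IANA dynamic/ephemeral port range


def is_lan_probe(url):
    """True when the URL targets a LAN IP literal on a dynamic high port."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port
    if host is None or port is None or port < DYNAMIC_PORT_MIN:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname rather than an IP literal
        return False
    return any(ip in net for net in LAN_NETS)


def find_lan_probes(log_text):
    """Return (app, host, port, path) for every line that looks like a probe."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_lan_probe(m["url"]):
            continue
        p = urlsplit(m["url"])
        hits.append((m["app"], p.hostname, p.port, p.path))
    return hits


if __name__ == "__main__":
    for app, host, port, path in find_lan_probes(SAMPLE_LOG):
        print(f"{app} -> {host}:{port}{path}")
```

Matching lines are worth a Little Snitch deny rule scoped to the browser and the LAN address; as hagen notes later in the thread, if nothing on the site breaks once blocked, the connection was not needed.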

ScreamingPict
Posts: 7
Joined: Thu Jan 17, 2013 7:17 pm

Re: Odd connections from Browser to router when on banking site

Post by ScreamingPict » Sun Aug 17, 2014 6:08 pm

Hmm, seems that this is happening on my other Mac (that I rarely use) as well, and still only on the RBS site. Am wondering if they've messed up something on their page.

rsblanchard
Rank 3
Posts: 116
Joined: Mon Jul 02, 2007 9:25 am

Re: Odd connections from Browser to router when on banking site

Post by rsblanchard » Sat Sep 20, 2014 2:53 pm

Banks have been known to activate your web-cam (unbeknownst to you) via sneaky Safari plug-ins, so that THEY are protected against fraud (ALWAYS cover your webcam when not in use!).
These plug-ins DO NOT show up as a file under the standard "/Library/Internet Plug-Ins" directory, but can be manually controlled with Safari's "Preferences" for cookies.
I suggest that you go on mozilla.org and download Firefox instead.
Safari has been known to conduct scrambled extracurricular activities to internet "destination" port 80 of IPv4 addr 209.53.113.223 (search.namequery.com / m223.absolute.com), which is embedded DEEP within the BIOS and CANNOT be blocked, even with L.S.
If an internet "source" port connection is "incoming" to your Mac, it will usually be on a TCP or UDP port number that is 49152 (decimal) or higher; the local (incoming) "destination" port will be lower than, or equal to, 49151.

:twisted:
Last edited by rsblanchard on Sun Oct 19, 2014 12:41 am, edited 2 times in total.

security-conscious
Posts: 4
Joined: Sun Jun 10, 2012 11:54 pm

Re: Odd connections from Browser to router when on banking site

Post by security-conscious » Mon Sep 22, 2014 2:28 am

Today, for the first time, I saw the same behavior on the website for Capital One: http://www.capitalone.com

Using several different browsers, I found that LS blocked attempts at connecting to a seemingly random high numbered port associated with the IP address of my router.

Seems improbable that this has to do with activating my camera, but might be some new security measure that banks are adopting.

security-conscious
Posts: 4
Joined: Sun Jun 10, 2012 11:54 pm

Re: Odd connections from Browser to router when on banking site

Post by security-conscious » Thu Sep 25, 2014 2:55 pm

Does anyone have a conjecture about why a banking website would try to establish a connection to a random port on the host IP address?

hagen
Wizard
Posts: 594
Joined: Mon Feb 18, 2008 11:05 pm

Re: Odd connections from Browser to router when on banking site

Post by hagen » Fri Sep 26, 2014 5:37 am

I can do conjecture, or something. :mrgreen:

I visited Capital One with three different browsers. Opera and Epic asked for this high-port TCP connection, but SeaMonkey interestingly did not, unless I changed a JavaScript detail to allow JS to "change images". I don't know what that means. SeaMonkey also didn't show the large changing-image ad on the right-hand side of the page.

It's an outgoing connection from browser to local network, obviously directed by site JS coding from Cap One. I don't know what it's trying to do, but I normally don't worry about that question. I would just block it and see what happens. If nothing breaks, the connection wasn't needed so continue to block it. Or, if something no longer works then that reveals what it's for.

security-conscious
Posts: 4
Joined: Sun Jun 10, 2012 11:54 pm

Re: Odd connections from Browser to router when on banking site

Post by security-conscious » Wed Oct 01, 2014 7:26 pm

Thx!

ScreamingPict
Posts: 7
Joined: Thu Jan 17, 2013 7:17 pm

Re: Odd connections from Browser to router when on banking site

Post by ScreamingPict » Sun Mar 15, 2015 1:19 am

I'm still seeing this behaviour and haven't yet got to the bottom of it.

However, one thing it could be doing is testing my router for known flaws, i.e. if there are routers out there that have been compromised with DNS hijack attacks, maybe the websites are probing ports that are known to forward traffic when compromised.

Ah well. I'm sure one day we'll find out what's going on.

ScreamingPict
Posts: 7
Joined: Thu Jan 17, 2013 7:17 pm

Re: Odd connections from Browser to router when on banking site

Post by ScreamingPict » Sun Mar 15, 2015 1:30 am

Oh, interesting analysis on what's going on here. Appears that it's probably your bank trying to 'fingerprint' your browser. Cheeky.

hagen
Wizard
Posts: 594
Joined: Mon Feb 18, 2008 11:05 pm

Re: Odd connections from Browser to router when on banking site

Post by hagen » Sun Mar 15, 2015 5:12 am

That's interesting. If they are fingerprinting the browser, it could be a misguided attempt to verify you are indeed the logged-in one. Chase bank does something like that, but the way they do it is invisible from here.

If anyone is interested in testing their browser's fingerprint tracks, here's the link: https://panopticlick.eff.org/
