A Proxy Auto-Configuration (PAC) file is a text file with a set of instructions (in JavaScript) telling a web browser whether to send traffic through a proxy server or not, if a certain condition is met. For example, you could direct a browser to use a proxy server every time the “” URL is requested, but for all other URLs, the browser is instructed to go directly to the website.

The PAC file format was originally designed by Netscape in 1996 for their web browser, Netscape Navigator 2.0 and since then, all web browsers and nearly all operating systems have built-in features to be able to utilise PAC files to direct web traffic.

How PAC files are legitimately used

Universities and other large organisations use PAC files for purposes such as restricting the types of websites their students or staff can access. For example, a proxy server may be setup and a PAC file created, which stops users from accessing illicit websites. All URL requests would be re-directed through the proxy server, except for internal communications.

The big advantage of PAC files is that they are usually relatively easy to create and maintain. A University may wish to redirect traffic through a particular proxy server, if maintenance is being done on their network. It can be likened to giving someone directions to the closest petrol station, and instructing them to use back streets, instead of the main highway. The destination will still be reached, however the route used is different.

You can also filter URLs and use the PAC file as a simple anti-ad or anti-pornography filter on a PC or smart phone.

What are malicious PAC files?

Whilst it is not a very common type of cyber-attack compared to phishing, malicious PAC files are quite insidious, and most people don’t realise that these types of files can be abused. Because of the very nature of what PAC files do (redirect certain web traffic to certain servers); they can be abused by cyber-criminals.

Microsoft Word documents can legitimately incorporate macros to automate content; however, macros can also be used to distribute viruses. Similarly PAC files can have their legitimate use hijacked by hackers and used to redirect users to malicious websites.

An attack using PAC files always has two stages:

  • Stage 1: the PAC file itself, with the instructions on how to redirect particular internet traffic;
  • Stage 2: the malicious proxy server that the web browser is routed through. In other words, the PAC file that points you somewhere it shouldn’t.

The attack can target multiple domains at one time. Generally, cyber-criminals don’t set up one PAC file to only target one bank. The same PAC file can target 50 different websites. The instructions provide a list of multiple URLs which are to be redirected to a malicious proxy server and then stipulate that everything else bypasses the proxy server.

How are malicious PAC files distributed?

Email is the common distribution method of a number of cyber-attacks. The malicious PAC file may be automatically deployed via malware or the email may simply contain a set of instructions that trick a user into changing their browser settings to use the malicious PAC file. For instance, the email might say, “Change these browser settings to watch Netflix for free”.

The Auto Proxy settings need to be changed to instruct the web browser to use a different PAC file.

Connection Settings for Firefox web browser

 How to eliminate a PAC file attack

It can be difficult to detect a PAC file attack. Malicious PAC files are often encrypted to hide what the file is doing, so the actual PAC file looks like gibberish if you open it. However it can be decoded to work out what instructions the PAC file holds. FraudWatch International often decrypts these files for their clients, to determine which PAC files or proxy servers need to be taken down.

Once the correct files and servers have been determined, the PAC file is taken offline, therefore stopping the redirection of URLs to the malicious proxy server. To complete the process, the malicious proxy server needs to be taken down as well.