A report by browser-security company Menlo Security shows that phishing attacks against browsers grew 198% during the second six months of 2023.
The report said that browser-based phishing attacks classified as “evasive” increased by 206% over the period and now account for 30% of all browser-based phishing. The report is based on threat data and browser metrics from the Menlo Security Cloud, including 400 billion web sessions between December 2022 and December 2023.
Neko Papez, Menlo’s Senior Manager of Cybersecurity Strategy, said that phishing attacks have become more sophisticated, using cloaking techniques, impersonation and obfuscation.
He told TechNewsWorld that evasive techniques make these attacks difficult for traditional phishing-detection tools to catch, because those tools rely on signature-based detection or feature-extraction techniques.
Papez explained that traditional phishing is a simple message or request that plays on a human emotional response such as fear, and that it is often used in mass phishing campaigns.
He said that “evasive phishing” attacks were used as part of a targeted approach, in which hackers employed a variety of techniques to bypass traditional security controls. They also exploited browser vulnerabilities in order to increase their chances of accessing user systems and corporate networks.
Simple and Effective Attack
Roger Neal, head of product development at Apona Security, an application security firm in Roseville, California, agreed that browser-based phishing attacks are on the rise. He also said that dependency typosquatting is increasing, in which malicious actors register false or typosquatted names for packages that look similar to those used by legitimate software developers.
He told TechNewsWorld that these types of attacks are more common because they’re easier to execute. “Attackers only need to set the trap and then wait for an unwitting user to make a misstep.”
“Browsers make for easy and effective phishing,” he said. “Users are accustomed to login screens and do not think twice if they come across one. It’s part of web browsing.” Malicious actors prefer this kind of attack due to its high success rate and minimal effort.
Menlo’s report explains that most cyberattacks are launched with some type of phishing lure in order to steal credentials and gain access to corporate software, or to force a takeover.
The report continued that phishing is the most popular initial attack vector because it works: 16% of all global data breaches began with phishing. It added, however, that evasive phishing techniques are growing faster because they work better and circumvent traditional security tools.
Ineffective security controls
Neal stated that security controls are less effective against browser phishing attacks because these attacks do not involve injecting code into infrastructure or servers. Instead, the attackers create a fake login page to collect user information, which these controls are not designed to detect.
The “human factor” is not always taken into account by security controls.
Ben Chappell (CEO of Apona) explained that these security controls are often ineffective when it comes to browser phishing, because the attacks usually use social engineering tactics which bypass technical defenses.
He told TechNewsWorld: “They are more interested in human weaknesses such as lack of trust or awareness than system vulnerabilities.”
Menlo researchers looked at a 30-day period in the fourth quarter of 2023, as well as a 12-month overview of browser-based attacks. In that period, they discovered that threat actors such as Lazarus, Viper and Qakbot launched 31,000 browser-based phishing campaigns against Menlo’s customers in multiple industries and across regions.
Security tools were unable to detect 11,000 zero-hour attacks because they displayed no digital signature or breadcrumb.
The 11,000 zero-hour phishing attacks observed over a period of 30 days, undetectable using traditional security tools, highlight the inadequacy of legacy measures against evolving threats. Keeper Security, a Chicago-based company that provides online password storage and management, is a leader in the industry.
TechNewsWorld quoted him as saying: “The escalating threat posed by browser-based attacks that are highly evasive is yet another good reason for organizations to prioritize browser security and implement proactive cybersecurity measures. The rapid increase in browser-based phishing, especially those using evasive methods, highlights the need for enhanced security.”
Exploiting Trusted Websites
The report noted that browser-based attacks are not being perpetrated by known malicious sites or fly-by-night websites. It reported that 75% of the phishing links were hosted on trusted, classified, or known websites.
It added that phishing is now a problem beyond traditional email and O365. Attackers are increasingly focusing phishing attacks on cloud-sharing applications and web-based platforms, opening additional paths into organizations.
Papez explained that attackers are using trusted domains and cloud-sharing applications like Gdrive or Box to avoid detection. This increases the attack surface and gives attackers access to enterprise applications, which users trust by default in their daily work environment. These applications have been lucrative phishing avenues, allowing threat actors to host malicious content or password-protected files for credential phishing campaigns.
The report stated that, in addition to evasive techniques, browser-based attacks use automation and gen AI tools to improve the quality and volume of their threats. The attackers are now producing thousands of phishing emails with unique signatures. These contain fewer language errors, the telltale sign that lets human eyes detect such threats even when they evade traditional controls.
“Generative AI is a weapon that can be used to create highly customized and convincing content, and to generate dynamic, genuine-looking websites, which are harder to detect,” said Kyle Metcalf of Living Security, a company based in Austin, Texas.
TechNewsWorld reported that “the more realistic the site looks, the higher the chances of it fooling the user.”
A Need for More Visibility
Artificial intelligence is not just for creating sketchy websites.
“Cybercriminals often register malicious domains with slight variations of the brand name, to make it difficult to visually distinguish the real domain from the legitimate one,” said Luciano Allegro of BforeAi, a threat-intelligence company in Montpellier, France.
He told TechNewsWorld: “Users who see a link they think is safe, click on it and visit a fake site.” “AI helps automate the process by generating huge volumes of adjacent names, automating the theft and creation of legitimate websites.”
The report said that enterprise security is challenged by security tools that rely on traditional endpoint and network telemetry. AI models trained on network-based data still cannot provide a complete picture of browser traffic, because firewalls, secure web gateways and other security solutions do not have visibility into the data.
The weakness in the browser has led to the rapid growth of this attack vector. The report continued that without improved visibility into browser-specific telemetry, security teams would remain vulnerable to zero-hour phishing attacks.