Attacks on browsers by phishing actors ballooned during the second half of 2023, increasing 198% over the first six months of the year, according to a report by a browser security company.
What’s more, phishers are increasingly using deceptive tactics in their attacks that are proving to be highly effective against the security controls designed to protect organizations from cyberattacks, noted the report by Menlo Security.
Attacks classified as “evasive” rose 206% during the period and are now 30% of all browser-based phishing attacks, explained the report, which is based on threat data and browser telemetry from the Menlo Security Cloud, including 400 billion web sessions from December 2022 to December 2023.
“Phishing attacks are becoming more sophisticated with the use of cloaking, impersonation, obfuscation, and dynamic code generation,” said Menlo Senior Manager for Cybersecurity Strategy Neko Papez.
“Evasive techniques make it challenging for traditional phishing detection tools relying on signature-based or classic feature extraction techniques to detect evasive pages,” he told TechNewsWorld.
Papez explained that traditional phishing uses a simple request or notification message that typically plays on a human emotion like fear and will often be used in mass phishing campaigns.
“Evasive phishing attacks are used in a more targeted approach in which hackers employ a range of techniques meant to evade traditional security controls and exploit browser vulnerabilities to increase the likelihood of gaining access to user systems or corporate networks,” he said.
Simple and Effective Attack
Roger Neal, head of product at Apona Security, an application security company in Roseville, Calif., agreed that browser-based phishing attacks are on the rise, along with dependency typosquatting, where malicious actors register fake or typo-squatted package names that are similar to legitimate packages used in software development.
“These types of attacks are becoming more common because they are easier to execute than finding an outdated component or injection point,” he told TechNewsWorld. “Attackers just need to set up the trap and wait for a user to make a mistake.”
“Browsers are attractive for phishing attacks because those attacks are simple and effective,” he added. “Users often don’t think twice when they see a login screen, as it’s a regular occurrence in web browsing. This kind of attack has a high success rate with minimal effort, making it preferred by malicious actors.”
Many cyberattacks start with some form of a phishing lure to steal credentials, gain access to corporate applications, and force an account takeover, Menlo’s report explained.
Phishing is the most common initial attack vector because it works, it continued, with 16% of global data breaches starting with phishing. However, it added that evasive phishing techniques have a higher growth rate because those methods work even better and circumvent traditional security tools.
Ineffective Security Controls
“Security controls are less effective against browser phishing because these attacks don’t involve code injection into servers or infrastructure,” Neal said. “Instead, they usually involve creating a fake login page to capture user information, which these controls are not designed to detect.”
Moreover, security controls can’t always account for the “human element.”
“These security controls can be ineffective against browser phishing attacks because such attacks often use social engineering tactics that bypass technical defenses,” explained Apona CEO Ben Chappell.
“They exploit human vulnerabilities, such as trust or lack of awareness, rather than system vulnerabilities,” he told TechNewsWorld.
In addition to a 12-month view of browser-based phishing, Menlo researchers took a more detailed look at one 30-day period during the last quarter of 2023. During that time, they discovered 31,000 browser-based phishing attacks were launched against Menlo customers across multiple industries and regions by threat actors that included Lazarus, Viper, and Qakbot.
Moreover, 11,000 of those attacks were “zero hour” attacks that displayed no digital signature or breadcrumb that a security tool could detect so the attack could be blocked.
“The observed 11,000 zero-hour phishing attacks in a 30-day period, undetectable by traditional security tools, emphasize the inadequacy of legacy measures against evolving threats,” said Patrick Tiquet, vice president for security and architecture at Keeper Security, a password management and online storage company, in Chicago.
“The escalating threat landscape posed by highly evasive browser-based attacks is yet another reason organizations must prioritize browser security and deploy proactive cybersecurity measures,” he told TechNewsWorld. “The rapid surge in browser-based phishing attacks, especially those employing evasive tactics, highlights the urgent need for enhanced protection.”
Exploiting Trusted Websites
The report also noted that the surge of browser-based attacks is not coming from known malicious or spurious fly-by-night sites. In fact, it continued, 75% of phishing links are hosted on known, categorized, or trusted websites.
To complicate the problem further, it added, phishing has expanded beyond the traditional email or O365 paths. Attackers are focusing their phishing attacks on cloud-sharing platforms or web-based applications, opening up additional pathways into organizations.
“Attackers use cloud-sharing platforms and web applications such as Gdrive or Box with trusted domains to avoid detection,” Papez explained. “This expands the attack surface for attackers and allows them to leverage enterprise applications that users inherently trust in their everyday work setting. These have become lucrative phishing avenues for threat actors for hosting malicious content or password-protected files in credential phishing campaigns.”
In addition to evasive tactics, the report noted that the browser-based attacks are using automation and gen AI tools to improve the quality and the volume of their threat action. Attackers now produce thousands of phishing attacks with unique threat signatures. These contain fewer language errors, the tell-tale sign that enables human eyes to spot these threats if they do evade traditional controls.
“Generative AI can be weaponized to create highly personalized and convincing content and generate dynamic, legitimate-looking websites that are much harder to detect,” said Kyle Metcalf, a security strategist with Living Security, a cybersecurity training company in Austin, Texas.
“The more realistic the website looks, the better the chance it has to trick the user,” he told TechNewsWorld.
More Visibility Needed
Artificial intelligence can be used for more than creating sketchy websites, however.
“Cybercriminals frequently register malicious domains using slight variations on the proper name to make it visually hard to distinguish from the proper brand,” explained Luciano Allegro, co-founder and CMO of BforeAi, a threat intelligence company in Montpellier, France.
“Users seeing a link that appears safe click on it to visit a cloned site,” he told TechNewsWorld. “AI helps automate this process, generating massive volumes of adjacent names and automating the theft of assets and the creation of legitimate sites.”
The challenge for enterprise security stems from security tools still relying on classic network signals and traditional endpoint telemetry alone, the report noted. Even AI models trained on network-based telemetry fall short because firewalls and secure web gateways lack visibility into browser telemetry.
This weakness has spurred the growth of the browser attack vector, it continued. Without improved visibility into browser-specific telemetry, security teams will remain exposed to zero-hour phishing attacks.