
According to a survey by a browser security company, phishing attacks on browsers increased 198% during the first half of 2023 and skyrocketed during the second half of the year.

Furthermore, according to the Menlo Security research, phishers are increasingly employing misleading strategies in their operations, which are proving to be quite successful in circumventing the security measures meant to shield businesses from cyberattacks.

The analysis, which is based on threat data and browser telemetry from the Menlo Security Cloud and covers 400 billion online sessions from December 2022 to December 2023, noted that attacks labeled as “evasive” increased 206% over the period and currently make up 30% of all browser-based phishing attempts.

According to Menlo Senior Manager for Cybersecurity Strategy Neko Papez, “Phishing attacks are becoming more sophisticated with the use of cloaking, impersonation, obfuscation, and dynamic code generation.”

He told TechNewsWorld, “Evasive techniques make it challenging for traditional phishing detection tools to detect evasive pages relying on signature-based or classic feature extraction techniques.”

According to Papez, a typical phishing attack uses a straightforward request or notification message that preys on human fear and is frequently employed in large-scale phishing operations.

To circumvent conventional security measures and take advantage of browser vulnerabilities, attackers use a variety of tactics, including invasive phishing attacks, to improve their chances of breaking into user PCs or corporate networks, according to the expert.

Easy to Use and Successful Attack

Browser-based phishing attacks are becoming more common, according to Roger Neal, head of product at Roseville, California-based Apona Security, an application security company. Another growing trend is dependency typosquatting, in which malevolent actors register fictitious or typosquatted package names that resemble real packages used in software development.

“These attacks are becoming more common because it’s easier to execute than finding an outdated component or injection point,” he said. “All attackers have to do is set up the trap and wait for a user to slip up.”

According to him, phishing attacks on browsers are appealing because they are easy to carry out and effective. Because login screens are common while web browsing, users frequently pass them by without a second thought. Malicious actors choose this type of attack because it is very effective with little effort.

According to Menlo’s analysis, many intrusions begin with a phishing bait in order to get credentials, access business applications, and force an account takeover.

According to the source, phishing is the most often used initial attack vector; in fact, 16% of all worldwide data breaches begin with this tactic. It did note, though, that evasive phishing techniques are growing more quickly since they bypass conventional security systems and function even better.

Inadequate Security Measures

Because browser phishing assaults don’t need code injection into servers or infrastructure, security safeguards are less effective against them, according to Neal. Instead, they often include fabricating a phony login page in order to obtain user data, which is beyond the scope of these protections.

Furthermore, the “human element” is not always taken into consideration by security measures.

According to Ben Chappell, CEO of Apona, “these security controls can be ineffective against browser phishing attacks because such attacks often use social engineering tactics that bypass technical defenses.”

“They exploit human vulnerabilities, such as trust or lack of awareness, rather than system vulnerabilities,” he said.

Researchers from Menlo University examined browser-based phishing for a full year in addition to a 12-month period in the latter quarter of 2023. In that period, they found that threat actors such as Lazarus, Viper, and Qakbot had executed 31,000 browser-based phishing attacks against Menlo clients in various sectors and geographical locations.

Furthermore, 11,000 of those assaults were classified as “zero hour” attacks as they lacked any digital signature or trail that a security program might identify and prevent.

“Organizations must prioritize browser security and deploy proactive cybersecurity measures due to the escalating threat landscape posed by highly evasive browser-based attacks,” he said. “There is an urgent need for enhanced protection as evidenced by the rapid rise in browser-based phishing attacks, particularly those that use evasive tactics.”

Making Use of Reliable Websites

The research also mentioned that recognized malicious websites or phony fly-by-night websites are not the source of the recent increase in browser-based assaults. It went on to say that 75% of phishing URLs are really hosted on well-known, reputable websites.

It further said that phishing has spread outside of the conventional email or O365 pathways, thus exacerbating the issue. Phishing attackers are concentrating their efforts on web-based apps and cloud-sharing platforms, creating new entry points into businesses.

Papez said, “To avoid detection, attackers use cloud-sharing platforms and web applications like Gdrive or Box with trusted domains.” As a result, attackers have a larger area to exploit and may make use of corporate apps, which users naturally trust in their daily work environment. Threat actors now use these profitable phishing routes to post harmful information or files encrypted with a password during credential phishing operations.

The research mentioned that browser-based attacks are employing automation and generative artificial intelligence (gen AI) technologies in addition to evasive strategies to increase the volume and quality of their threat activity. Attackers now produce thousands of phishing attacks with distinct threat signatures. If these do manage to elude conventional safeguards, they are harder for humans to identify since they contain fewer linguistic faults.

“Weaponizing generative AI can produce highly personalized and convincing content as well as dynamic, authentic-looking websites that are much more difficult to find,” stated Kyle Metcalf, a security strategist with Austin, Texas-based Living Security, a cybersecurity training firm.

According to him, a website has a higher possibility of tricking a user if it appears more lifelike.

Increased Visibility Is Required

Still, artificial intelligence isn’t limited to making shady websites.

“In order to make it visually difficult to distinguish from the legitimate brand, cybercriminals often register malicious domains using slight variations on the proper name,” said Luciano Allegro, co-founder and CMO of Montpellier, France-based BforeAi, a threat intelligence business.

“People who come across what seems to be a secure link click on it to visit a fake website,” he said. “AI helps automate this process by producing large volumes of neighboring names, automating asset theft, and creating authentic websites.”
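The domain variations Allegro describes and the dependency typosquatting Neal mentions can be screened for with the same check: fold look-alike characters, then measure edit distance against a watch list. This is an added example, not code from the article or from any vendor it names; the watch list, the confusables map and the sample inputs are constructed, and `first_label` is a simplification that ignores the public suffix list.

```python
# Added example: flag names within a small edit distance of a protected name
# after folding look-alike characters. All names below are constructed.
PROTECTED = ["requests", "examplebank"]                    # constructed watch list
SAMPLES = ["reqeusts", "login.examp1e-bank.com", "flask"]  # constructed inputs
# Hand-picked confusables (assumption; production lists are far longer).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def fold(name: str) -> str:
    """Lower-case, drop separators, collapse look-alike characters."""
    s = name.lower().replace("-", "").replace("_", "")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]

def first_label(domain: str) -> str:
    """Naive registrable label: 'login.examp1e.com' -> 'examp1e' (no PSL)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(candidate: str, protected: list[str], max_dist: int = 1):
    """Return (verdict, matched_name): 'exact', 'lookalike' or 'ok'."""
    if candidate.lower() in protected:
        return ("exact", candidate.lower())
    folded = fold(candidate)
    for real in protected:
        if osa_distance(folded, fold(real)) <= max_dist:
            return ("lookalike", real)
    return ("ok", None)

def scan(samples, protected):
    """Classify package names as-is and domains by their registrable label."""
    return [(s, *classify(first_label(s) if "." in s else s, protected))
            for s in samples]

if __name__ == "__main__":
    for row in scan(SAMPLES, PROTECTED):
        print(row)
```

With `max_dist=1`, very short protected names produce many false positives, so the threshold is best scaled to name length before use on a real dependency manifest or proxy log.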

According to the paper, the problem with business security is that security technologies continue to depend solely on conventional endpoint telemetry and network signals. The absence of insight into browser telemetry by firewalls and secure web gateways causes even AI models trained on network-based data to perform poorly.

It went on to say that this vulnerability has fueled the expansion of the browser attack vector. If browser-specific telemetry is not more visible, security teams will continue to be vulnerable to zero-hour phishing assaults.