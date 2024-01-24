Cybersecurity

Internet

See all Internet

IT

See all IT

Mobile Tech

See all Mobile Tech

Security

See all Security

Technology

See all Technology

Newsletters

See all Newsletters

Browser-Based Phishing Attacks Jump 198% in Second Half of 2023

browser-based phishing attacks

Attacks on browsers by phishing actors ballooned during the second half of 2023, increasing 198% over the first six months of the year, according to a report by a browser security company.

What’s more, phishers are increasingly using deceptive tactics in their attacks that are proving to be highly effective against the security controls designed to protect organizations from cyberattacks, noted the report by Menlo Security.

Attacks classified as “evasive” rose 206% during the period and are now 30% of all browser-based phishing attacks, explained the report, which is based on threat data and browser telemetry from the Menlo Security Cloud, including 400 billion web sessions from December 2022 to December 2023.

“Phishing attacks are becoming more sophisticated with the use of cloaking, impersonation, obfuscation, and dynamic code generation,” said Menlo Senior Manager for Cybersecurity Strategy Neko Papez.

“Evasive techniques make it challenging for traditional phishing detection tools relying on signature-based or classic feature extraction techniques to detect evasive pages,” he told TechNewsWorld.

Papez explained that traditional phishing uses a simple request or notification message that typically plays on a human emotion like fear and will often be used in mass phishing campaigns.

“Evasive phishing attacks are used in a more targeted approach in which hackers employ a range of techniques meant to evade traditional security controls and exploit browser vulnerabilities to increase the likelihood of gaining access to user systems or corporate networks,” he said.

Simple and Effective Attack

Roger Neal, head of product at Apona Security, an application security company in Roseville, Calif., agreed that browser-based phishing attacks are on the rise, along with dependency typosquatting, where malicious actors register fake or typo-squatted package names that are similar to legitimate packages used in software development.

“These types of attacks are becoming more common because they are easier to execute than finding an outdated component or injection point,” he told TechNewsWorld. “Attackers just need to set up the trap and wait for a user to make a mistake.”

“Browsers are attractive for phishing attacks because those attacks are simple and effective,” he added. “Users often don’t think twice when they see a login screen, as it’s a regular occurrence in web browsing. This kind of attack has a high success rate with minimal effort, making it preferred by malicious actors.”

Many cyberattacks start with some form of a phishing lure to steal credentials, gain access to corporate applications, and force an account takeover, Menlo’s report explained.

Phishing is the most common initial attack vector because it works, it continued, with 16% of global data breaches starting with phishing. However, it added that evasive phishing techniques have a higher growth rate because those methods work even better and circumvent traditional security tools.

Ineffective Security Controls

“Security controls are less effective against browser phishing because these attacks don’t involve code injection into servers or infrastructure,” Neal said. “Instead, they usually involve creating a fake login page to capture user information, which these controls are not designed to detect.”

Moreover, security controls can’t always account for the “human element.”

“These security controls can be ineffective against browser phishing attacks because such attacks often use social engineering tactics that bypass technical defenses,” explained Apona CEO Ben Chappell.

“They exploit human vulnerabilities, such as trust or lack of awareness, rather than system vulnerabilities,” he told TechNewsWorld.

In addition to a 12-month view of browser-based phishing, Menlo researchers took a more detailed look at one 30-day period during the last quarter of 2023. During that time, they discovered 31,000 browser-based phishing attacks were launched against Menlo customers across multiple industries and regions by threat actors that included Lazarus, Viper, and Qakbot.

Moreover, 11,000 of those attacks were “zero hour” attacks that displayed no digital signature or breadcrumb that a security tool could detect so the attack could be blocked.

“The observed 11,000 zero-hour phishing attacks in a 30-day period, undetectable by traditional security tools, emphasize the inadequacy of legacy measures against evolving threats,” said Patrick Tiquet, vice president for security and architecture at Keeper Security, a password management and online storage company, in Chicago.

“The escalating threat landscape posed by highly evasive browser-based attacks is yet another reason organizations must prioritize browser security and deploy proactive cybersecurity measures,” he told TechNewsWorld. “The rapid surge in browser-based phishing attacks, especially those employing evasive tactics, highlights the urgent need for enhanced protection.”

Exploiting Trusted Websites

The report also noted that the surge of browser-based attacks is not coming from known malicious or spurious fly-by-night sites. In fact, it continued, 75% of phishing links are hosted on known, categorized, or trusted websites.

To complicate the problem further, it added, phishing has expanded beyond the traditional email or O365 paths. Attackers are focusing their phishing attacks on cloud-sharing platforms or web-based applications, opening up additional pathways into organizations.

“Attackers use cloud-sharing platforms and web applications such as Gdrive or Box with trusted domains to avoid detection,” Papez explained. “This expands the attack surface for attackers and allows them to leverage enterprise applications that users inherently trust in their everyday work setting. These have become lucrative phishing avenues for threat actors for hosting malicious content or password-protected files in credential phishing campaigns.”

In addition to evasive tactics, the report noted that the browser-based attacks are using automation and gen AI tools to improve the quality and the volume of their threat action. Attackers now produce thousands of phishing attacks with unique threat signatures. These contain fewer language errors, the tell-tale sign that enables human eyes to spot these threats if they do evade traditional controls.

“Generative AI can be weaponized to create highly personalized and convincing content and generate dynamic, legitimate-looking websites that are much harder to detect,” said Kyle Metcalf, a security strategist with Living Security, a cybersecurity training company in Austin, Texas.

“The more realistic the website looks, the better the chance it has to trick the user,” he told TechNewsWorld.

More Visibility Needed

Artificial intelligence can be used for more than creating sketchy websites, however.

“Cybercriminals frequently register malicious domains using slight variations on the proper name to make it visually hard to distinguish from the proper brand,” explained Luciano Allegro, co-founder and CMO of BforeAi, a threat intelligence company in Montpellier, France.

“Users seeing a link that appears safe click on it to visit a cloned site,” he told TechNewsWorld. “AI helps automate this process, generating massive volumes of adjacent names and automating the theft of assets and the creation of legitimate sites.”

The challenge for enterprise security stems from security tools still relying on classic network signals and traditional endpoint telemetry alone, the report noted. Even AI models trained on network-based telemetry fall short because firewalls and secure web gateways lack visibility into browser telemetry.

This weakness has spurred the growth of the browser attack vector, it continued. Without improved visibility into browser-specific telemetry, security teams will remain exposed to zero-hour phishing attacks.

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
view all
Affiliate Marketing Contributing to Substandard Search Results: Study
January 23, 2024
job candidate interview with human resources recruiter
AI Skills Can Outweigh Experience in Many Hiring Managers’ Eyes: Survey
January 17, 2024
smart device home hacker
Paranoia in the Home: 1 in 3 Americans Worried About Their Smart Gadgets Being Hacked
January 16, 2024
Wi-Fi 7 Certified
Alliance Raises Curtain on Wi-Fi 7
January 10, 2024
antitrust law
Courts, Regulators Pose Threat To Apple Services Revenue in 2024
January 3, 2024
Project Kuiper's optical mesh network in low Earth orbit
Amazon’s Competitor to Musk’s Starlink Takes Critical Step Toward Deployment
December 20, 2023
Zipline drone making a package delivery to the front door of a home
Zipline Drone Delivery Projects Ready for Takeoff in US Cities
December 19, 2023
AI No Longer Curiosity for Retailers but Key to Better Business: Report
December 13, 2023
Wi-Fi-7
Next-Generation Wi-Fi 7 Standard Expected To Be Finalized in Early 2024
December 12, 2023
traffic camera for highway safety
GHSA Backs Road Cams To Bolster Traffic Safety
December 6, 2023
More in Cybersecurity
technology cyber forecast 2024
Tech Forecast 2024: Better Cyber Coexistence, Productivity, Privacy
January 2, 2024
scanning a QR code on a smartphone
Quishing Alert: Experts Advise Caution Before Scanning QR Codes
December 5, 2023
TV set-top box with remote control
Electronic Frontier Foundation Calls for FTC Action on Poisoned Set-Top Boxes
November 16, 2023
challenges and vulnerabilities of digital identity authentication
Casino Breaches Expose Why Identity Management Is at a Crossroads
November 2, 2023
cybersecurity and compliance team
IT and Security Leaders Baffled by AI, Unsure About Security Risks: Study
October 18, 2023
passwordless computing
Google Takes Giant Step Toward Passwordless World With New Passkey Setting
October 11, 2023
emergency response law enforcement police 911 call center
Hacker Advocates Turning Tracking Tables on Law Enforcement
October 10, 2023
tech innovation
The Magic Presented at HP Imagine 2023
October 9, 2023
female millennial in office working on a tablet
Study Warns Age Bias Can Threaten Workplace Cybersecurity
October 3, 2023
More Linux Malware Means More Linux Monitoring
September 15, 2023

My overall satisfaction with search engine results in the past year has:
Loading ... Loading ...

Technewsworld Channels

Applications

Applications

Courts, Regulators Pose Threat To Apple Services Revenue in 2024

Audio/Video

Audio/Video

Monoprice CrystalPro 27″ Monitor Delivers Productivity, Convenience at a Bargain Price

Chips

Chips

2024 Tech Industry Predications: A Few May Surprise You

Computing

Computing

LinDoz Returns With Advanced AI To Revamp the MakuluLinux Lineup

Cybersecurity

Cybersecurity

Tech Forecast 2024: Better Cyber Coexistence, Productivity, Privacy

Data Management

Data Management

The Realities of Switching to a Passwordless Computing Future

Developers

Developers

Wind River Linux Drives New Solutions for Software-Defined Vehicles

Emerging Tech

Emerging Tech

The Robotic Wave at CES

Exclusives

Exclusives

More Linux Malware Means More Linux Monitoring

Gaming

Gaming

Next-Generation Wi-Fi 7 Standard Expected To Be Finalized in Early 2024

Hacking

Hacking

Quishing Alert: Experts Advise Caution Before Scanning QR Codes

Hardware

Hardware

Standout Tech Products of 2023

Health

Health

AI-Powered Software Offers Breakthrough for Treating Dyslexia

Home Tech

Home Tech

Rob Enderle’s Tech Forecast for 2024

How To

How To

Insider Tips for Buying a New Personal Computer

Internet of Things

Internet of Things

Synaptics Pivots To Develop Its Own IoT Compute Solutions

IT Leadership

IT Leadership

IT and Security Leaders Baffled by AI, Unsure About Security Risks: Study

Malware

Malware

Electronic Frontier Foundation Calls for FTC Action on Poisoned Set-Top Boxes

Mobile Apps

Mobile Apps

Gen Z, Millennials Turning to TikTok for Career Advice

Operating Systems

Operating Systems

Kumander Linux: This New Distro Puts You in Charge of Computing

Privacy

Privacy

Tech Coalition Launches Initiative To Crackdown on Nomadic Child Predators

Reviews

Reviews

The 5 Best Electric Cars on the Market

Science

Science

Amazon’s Competitor to Musk’s Starlink Takes Critical Step Toward Deployment

Search Tech

Search Tech

AI Fails To Move Needle for Bing’s Share of Search Market

Servers

Servers

Disorganization, Not Cost, Fuels the IT E-Waste Crisis

Smartphones

Smartphones

Qualcomm Takes Aim at Redefining Mobile and PC Technology

Social Networking

Social Networking

Musk Rolls Dice With Drastic Rebranding of Twitter

Space

Space

SatCo Makes First 5G Call via Satellite Using Everyday Smartphone

Spotlight Features

Spotlight Features

The Essential Tech Gift Guide for 2023 Holiday Shoppers

Tablets

Tablets

One More Thing…Apple Unveils Vision Pro Mixed-Reality Headset at WWDC23

Tech Buzz

Tech Buzz

Zipline Drone Delivery Projects Ready for Takeoff in US Cities

Tech Law

Tech Law

The Problem With Suing Gen AI Companies for Copyright Infringement

Transportation

Transportation

GHSA Backs Road Cams To Bolster Traffic Safety

Virtual Reality

Virtual Reality

Impressions of Meta Quest 3: The Must-Have VR Gift for the Holidays?

Wearable Tech

Wearable Tech

Gunnar Tallac Glasses: A Stylish Solution for Blue-Light Protection

Women In Tech

Women In Tech

‘Women Don’t Play’ Confronts Gender Disparity in the Tech Industry

More from ECT News Network

E-Commerce Times

E-Commerce Resolution for 2024: Fearlessly Embrace AI
E-Commerce Resolution for 2024: Fearlessly Embrace AI
January 22, 2024
2024 Signals E-Commerce Fears, Frustrations, Fulfillment
2024 Signals E-Commerce Fears, Frustrations, Fulfillment
January 11, 2024
E-Tailers Face Ongoing Dilemmas of Friendly Fraud, Insider Crime
E-Tailers Face Ongoing Dilemmas of Friendly Fraud, Insider Crime
January 2, 2024

LinuxInsider

Open-Source Experts’ 2024 Outlook for AI, Security, Sustainability
Open-Source Experts’ 2024 Outlook for AI, Security, Sustainability
January 23, 2024
LinDoz Returns With Advanced AI To Revamp the MakuluLinux Lineup
LinDoz Returns With Advanced AI To Revamp the MakuluLinux Lineup
January 4, 2024
Kumander Linux: This New Distro Puts You in Charge of Computing
Kumander Linux: This New Distro Puts You in Charge of Computing
December 18, 2023

CRM Buyer

CRM Advances With AI Powers Amid Data Privacy Challenges
CRM Advances With AI Powers Amid Data Privacy Challenges
January 9, 2024
A New Era of Customer Service
A New Era of Customer Service
January 5, 2024
CRM 2024 Challenge: Mastering AI for Peak Platform Performance
CRM 2024 Challenge: Mastering AI for Peak Platform Performance
January 2, 2024