Phishing + Ransomware—Why Multi-Channel Protection is Essential to Stop Both

When it comes to spear-phishing and ransomware attacks, it’s time to think outside of the inbox and consider these (scary) facts:

  • Ransomware has continued its upward trend with an almost 13%increase–a rise as big as the last five years combined according to Verizon 2022 DBIR(Data Breach Investigations Report)
  • The human element contributes to 82% of breaches and malware stolen credentials provide a great second step in an attack, Verizon 2022 DBIR
  • Attackers are using man in the middle (MitM), rogue browser extensions, social engineering, and malicious webpages hiding on legitimate infrastructure, to hack humans.
  • 50,000 new spear-phishing sites go online each day, many on legitimate infrastructure like Spark[.]adobe[.]com, dropbox[.]com, onedrive[.] app[.]box[.]com, and alchemy[.]com to just name a few
  • Secure web gateways, URL filtering, legacy malware protection, browser isolation, and internet policies are all strategies to defend users from web threats, but they are struggling to keep pace with fast-moving web-based phishing threats, leaving corporations exposed to ransomware

Browsers are an Overlooked Attack Vector

A browser extension adds functions and features to improve productivity and many are used daily to access critical business applications. The Chrome Web Store has extensions ranging from productivity tools to shopping, games. These extensions install quickly and easily, and once they are installed, they save me time and effort. The appeal and adoption of browser extensions to consumers are naturally attracting the attention of cybercriminals.

Browser extensions can only be downloaded from their official stores. They are vetted by Google, Microsoft, and Apple before they can be listed for download. If this is the case, how do malicious extensions make their way into the official stores? There are many reasons, but here are a few:

  • Browser extensions can be hijacked. All major web browsers, including Google Chrome, automatically updates a user’s installed browser extensions when new versions are available. When a developer’s account is compromised, it can be used to push malicious updates to already installed extensions, as was the case with a popular Web Developer extension for Chrome
  • Browser extensions can be sold. Developers are approached by companies with offers to buy their extensions. Once an extension is sold, the new owners can update it with malicious features and upload it to the Chrome Web Store, and all the existing users are now using the new company’s version.
  • The initial vetting process is not perfect, allowing some malicious extensions to bypass the safeguards and get listed

Users download the extensions from the official app stores, but the journey doesn’t always begin there. SlashNext’s Threat Labs found that users are directed to the extension stores through ad networks that appear on benign websites and search results. The ad networks, typically with multiple redirects, take visitors to a lure page with an install/continue button (Figure 1). Clicking on the continue button opens the official Chrome Web Store (Figure 2). Users assume the extension is benign, since it’s from the official store, and install it without realizing what lurks beneath. Once a malicious extension is installed, it can do anything. It can insert advertisements into your search results, redirect your search traffic to phishing webpages, and it could even function as a keylogger to steal your MS O365 login credentials.

Ad Network Lure Page

Figure 1: Ad Network Lure Page

Chrome Store Malicious Extension

Figure 2: Chrome Store Malicious Extension

SlashNext sources millions of URLs and internet transactions daily, from passive DNS feeds, phishing traps, hardware sensors, and suspicious ads networks, just to name a few. Our threat lab uncovered thousands of rouge browser extensions in the official extension stores.

The Threat to Enterprises

Browsers are secure and getting more so all the time. The difficulty is that browser users are being tricked into adding browser extensions through a variety of very convincing and effective phishing tricks. This is causing major problems for enterprises today. These attacks typically come from phishing pages embedded with file-less HTML “malware”, which are difficult to track and trace. The rogue code is comprised of HTML5 and JavaScript code that runs as part of a browser extension, as mentioned earlier. The threat to the enterprise is that some of these extensions can run as spyware, steal user credentials, and enable data exfiltration to threat actors.

Once a user’s credentials have been compromised, the threat is further mobilized and can be catastrophic to the enterprise. Breaches are tremendously costly. It’s not just loss of critical business or customer data, but there’s risk of loss of IP, shareholder value, lawsuits, financial payouts, and more. These are just a few consequences a company can face when their employees fall victim to phishing attacks.

It’s Time to Get Started with SlashNext

Experience the difference with broad phishing threat coverage and automated delivery.