Stopping Today’s Phishing Attacks: Why IT Security Teams Need to Think Outside the (In)Box and More About the Browser

When it comes to phishing and social engineering attacks, it’s time to think outside of the (in)box. Consider these (scary) facts:

  • The Verizon 2018 data breach report states that over 90% of successful breaches start with a phishing attack
  • While phishing still occurs in email, threat actors are increasingly employing phishing attack vectors beyond email, including targeted ads, pop-ups, social media, IM and chat applications, rogue browser extensions, and web “freeware”
  • 46,000 new phishing sites go online each day and most disappear in just 4-8 hours
  • Static threat feeds and blocking defenses can’t keep pace with fast-moving Web-based phishing threats, leaving employees increasingly exposed to previously unknown, zero-hour phishing sites

A New Generation of Phishing

IT security teams are facing the increasingly difficult task of defending against this new generation of phishing attacks. While there’s considerable focus on phishing awareness training for employees and security controls for email phishing, links that come from outside the inbox on the Web and social media are very difficult to detect. Plus, a distracted, multi-tasking workforce may simply have their guard down when using the Web as part of their daily tasks. Many are duped into getting a fake update or clicking on a link, which results in them inadvertently getting “man in the middle” snoopware into their browser. Whether it arrives through a silent install or an explicit install of a seemingly legitimate but rogue browser extension, much of this snoopware is composed of simple HTML5 and JavaScript. It is file-less and executes almost entirely in browser memory, which evades anti-virus and other endpoint protection technologies.

Vulnerable Browsing

Browser extensions by design have full access to most of the browser’s resources and information being entered and rendered within the browser. It was just a matter of time before cybercriminals realized that injecting malicious code inside browsers disguised as benign-looking browser extensions would give them unlimited access to much of the data passing through the browser. It also provides them with much-needed cover from security systems that are designed to catch only file-based malware executables and software exploits.

Because these plugins run inside browser memory, SSL encryption is no obstacle to them: they see page content inside the browser, where it is not encrypted. To bypass two-factor authentication (2FA), these plugins usually wait for the authentication phase to be completed before snooping on the authenticated session and stealing data to mount further attacks.
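As an added example (not from the original article or from SlashNext), here is a defender-side audit that reads installed extension manifests and flags the broad access described above. The permission shortlist, its descriptions and the sample manifest are illustrative assumptions; `audit_profile` expects the `<extension id>/<version>/manifest.json` layout that Chromium-based browsers use inside a profile's Extensions folder.

```python
import json
from pathlib import Path

# Host patterns that grant access to every site (Chrome match patterns).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Shortlist of API permissions exposing session data; an illustrative
# assumption for this example, not an official risk rating.
SENSITIVE_APIS = {
    "cookies": "can read session cookies after login/2FA",
    "webRequest": "can observe requests made by the browser",
    "tabs": "can see URLs and titles of open tabs",
    "history": "can read browsing history",
    "debugger": "can attach to and instrument pages",
    "nativeMessaging": "can talk to a program outside the browser",
}
# Constructed sample manifest (not a real extension).
SAMPLE = {"manifest_version": 3, "name": "PDF Helper",
          "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"],
          "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}

def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed manifest.json."""
    declared = []
    # MV2 mixes hosts into "permissions"; MV3 moves them to "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    findings = [f"host access to every site: {h}" for h in sorted(BROAD_HOSTS & set(declared))]
    findings += [f"{a}: {SENSITIVE_APIS[a]}" for a in sorted(SENSITIVE_APIS.keys() & set(declared))]
    # Content scripts run inside the page and can read what the user types.
    for script in manifest.get("content_scripts", []):
        if BROAD_HOSTS & set(script.get("matches", [])):
            findings.append("content script injected into every page")
            break
    return findings

def audit_profile(extensions_dir: str) -> dict[str, list[str]]:
    """Audit every <extensions_dir>/<id>/<version>/manifest.json file."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            report[ext_id] = ["manifest unreadable"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[ext_id] = findings
    return report
```

An extension that shows up in the report is a candidate for review against an allowlist, not proof of compromise: many legitimate extensions request the same permissions.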

The Threat to Enterprises

Browsers, generally speaking, are quite secure and getting more so all the time. With improved software design and regular automated patching, zero-day browser exploits are getting rarer. The difficulty is that browser users are being tricked into adding browser extensions through a variety of very convincing and effective phishing tricks. This is causing major problems for enterprises today. These attacks typically come from phishing pages embedded with file-less HTML “malware”, which is difficult to track and trace. As mentioned earlier, the rogue code is composed of HTML5 and JavaScript that runs as part of a browser extension. The threat to the enterprise is that some of these extensions can run as spyware, steal user credentials, and enable data exfiltration to threat actors.

Once a user’s credentials have been compromised, the threat is further mobilized and can be catastrophic to the enterprise. Breaches are tremendously costly. It’s not just loss of critical business or customer data, but there’s risk of loss of IP, shareholder value, lawsuits, financial payouts, and more. These are just a few consequences a company can face when their employees fall victim to phishing attacks.

The User is the Real Vulnerability

It’s important to understand that many of today’s social engineering attacks do not target the device, the software, or even the network. They target their users. As noted in a recent Bloor Research report (Security Has Become a Human Problem), it’s the imperfect, fallible human that becomes the vulnerability to enterprise security. And with employees increasingly accessing the Web for everyday tasks, they are exposed to a far greater number of very convincing phishing threats than they used to be, presenting IT security teams with a daunting challenge.

IT Security Should Think Outside the (In)Box

To deal with these challenges, IT security teams need to think outside the (in)box and the prevailing focus on email phishing. Employee phishing training needs to be broadened to include awareness around the new generation of Web-based threats. But with today’s distracted workforce and so many increasingly legitimate-looking phishing sites, organizations need security controls that can detect zero-hour phishing threats in real time so they can better protect their users and reduce the risk of breaches. They need to close this gap. Fortunately, that’s where SlashNext real-time phishing detection solutions can help!
