A 198% Increase in Browser-Based Phishing Attacks
The latter half of 2023 saw a significant surge in browser-based phishing attacks, with security researchers observing a 198% increase compared to the first half of the year. Alongside this rise, there was also a corresponding 206% increase in evasive attacks, as detailed in Menlo Security’s recently released 2023 State of Browser Security Report. The report sheds light on the alarming trend of Highly Evasive Adaptive Threats (HEAT) targeting web browsers.
Evasive attacks, aimed at bypassing traditional security measures, now make up 30% of all browser-based phishing assaults, the report reveals. These sophisticated tactics include SMS phishing, Adversary in the Middle (AITM) frameworks, image-based phishing, brand impersonation, and Multi-Factor Authentication (MFA) bypass.
Menlo Security CEO, Amir Ben-Efraim, expressed concern over the vulnerability of humans as the weakest link in the cybersecurity chain. He stated that threat actors have shifted their focus to web browsers as the entry point to gain initial access, underscoring the critical need for robust browser security measures.
As the use of web browsers continues to soar on both managed and unmanaged devices, conventional network-based security controls are struggling to detect zero-hour phishing attacks. Menlo Labs Threat Research identified over 11,000 zero-hour phishing attacks within a 30-day period, with 75% of these phishing links hosted on reputable websites, highlighting the challenges in identifying and preventing such attacks.
The report also highlights a 70% increase in Legacy Reputation URL Evasion (LURE) attacks since 2022, as well as a six-day latency in detecting zero-hour phishing attacks. Devin Ertel, CISO of Menlo Security, emphasized the difficulty in spotting evasive techniques, which are designed to evade traditional security measures. Ertel stated that modern security tools such as Secure Web Gateway (SWG) and Endpoint Security are ineffective in preventing these attacks, given threat actors’ ability to bypass these protections. However, the research conducted by Menlo Labs found that browser security was effective in stopping zero-hour phishing attacks, even when they exhibited sophisticated evasion.
The report’s findings are based on data from 400 billion web sessions in 2023, painting a comprehensive picture of the evolving cybersecurity landscape. It is clear that organizations must adopt a targeted approach to browser security by leveraging various AI-based approaches, including object detection, URL risk assessment, and web page element analysis, to combat the growing threat of evasive cyber-attacks.
The surge in browser-based phishing attacks and the corresponding rise in evasive tactics underscore the pressing need for organizations to prioritize browser security as part of their overall cybersecurity strategy. With threat actors continuously refining their techniques, the onus is on businesses to employ advanced security measures to safeguard against these evolving threats. As the cyber threat landscape continues to evolve, proactive and adaptive security measures will be vital in staying ahead of increasingly sophisticated attacks targeting web browsers.