Menlo Security Tracks Massive Spike in Browser-Based Phishing Attacks
Browser-based phishing attacks are succeeding more than traditional phishing attacks.
![Menlo Security: Browser-based cyberattacks spike](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt0272eba9c1b2cf8d/65b173d4a5d93b040a191c51/Cyberattacks_Spike.jpg?width=700&auto=webp&quality=80&disable=upscale)
Sasun Bughdaryan/Shutterstock
Over a 30-day period, the Menlo Labs team observed more than 11,000 zero-hour phishing attacks that had no apparent signature or digital breadcrumb. That means no existing secure web gateway (SWG) or endpoint tool could detect and block those attacks.
The team also discovered that 75% of phishing links are hosted on known, categorized or trusted websites, rather than on fly-by-night sites or sites that are easily identified as malicious.
Other key findings from the Menlo Security report include:
- More than 550,000 browser-based phishing attacks were detected in the last 12 months.
- Legacy reputation URL evasion (LURE) attacks increased by 70% since 2022. LURE attacks are characterized by a method in which threat actors evade web filters that attempt to categorize domains based on implied trust.
- More than 73% of LURE attacks originated from categorized websites, based on 1 million URLs analyzed by Menlo Security researchers.
- Six days is the average latency between when a zero-hour phishing attack first appears and when it is finally added to the detection mechanism for traditional security tools.
Menlo Security’s Neko Papez said attackers know the browser has become the most widely used enterprise application today, and that users remain a key point of exposure for enterprises.
“Because of this, they use evasive techniques meant to evade traditional security tools to deliver browser-based threats to steal credentials and gain access to corporate systems,” he said. “Seventy-five percent of phishing links are now being hosted on known, categorized or trusted websites, and will continue to play a dominant role in the upcoming year ahead.”
Browser-based phishing attacks are more successful than traditional phishing, Papez said. That’s because they are evasive attacks, employing a range of techniques meant to evade traditional security controls.
“While existing network and endpoint solutions offer partial protection, these tools ultimately rely on block lists and indicators of compromise (IOC) feeds, containing previously convicted phishing URLs, to protect against unknown or never-before-seen phishing attacks,” he said. “However, traditional solutions fall short because they lack visibility into browsers and dynamic web content, and don’t provide the complete picture.”
“Humans remain the weakest link in the cybersecurity chain, unintentionally divulging corporate credentials and secrets, and threat actors have decidedly shifted focus to web browsers as the point of entry to gain initial access,” said Amir Ben-Efraim, Menlo Security’s co-founder and CEO. “Menlo Security is continuously detecting and preventing an influx of new browser-based phishing campaigns that are highly targeted, sophisticated and evasive, bypassing traditional network and email-based detection tooling. It’s imperative that CISOs focus their defenses on browser security as the only effective prevention strategy against these modern threats.”
Krishna Vishnubhotla, vice president of product strategy at Zimperium, said this trend in browser security has significant parallels to the challenges in mobile security, particularly regarding mobile phishing and smishing.
“Just as mysterious attacks in browsers exploit various techniques to bypass traditional security controls, mobile phishing, including smishing, leverages the personal nature of mobile devices and end-users' vulnerability to phishing to deceive users,” he said. “The mobile form factor is perfect for these campaigns as a destination address and redirect are hard to verify or see. Most users perceive links in texts and in-app messages as more secure than emails. Today, most phishing sites are built for mobile or designed to work on mobile. This investment from threat actors makes sense, as users are six to 10 times more likely to fall for an SMS phishing attack than an email-based attack.”
Browser-based phishing attacks skyrocketed in the second half of 2023 and should continue accelerating in 2024, according to a new Menlo Security report.
The report demonstrates the rapid growth of highly evasive adaptive threats (HEAT) targeting the browser. It reveals a 198% increase in browser-based phishing attacks in the second half of 2023 compared to the first half of the year. When specifically looking at attacks classified as evasive, the researchers observed a 206% increase.
To compile this report, the Menlo Labs Threat Research team examined threat data and browser telemetry gathered from Menlo Security Cloud, including more than 400 billion web sessions during 2023. Additionally, the team took a closer look at a 30-day period in the fourth quarter of 2023 to glean more specific insights about cybercriminals’ evolving tactics and attack patterns.
Menlo Security Tracks Rapid Growth of Attacks
Evasive attacks, those that use a range of techniques meant to evade traditional security controls, are growing at a faster rate than other types of browser-based phishing attacks because cybercriminals know they have a higher rate of success employing these methods, according to Menlo Security.
Evasive threats now make up 30% of total browser-based phishing attacks and include tactics such as SMS phishing (smishing), adversary in the middle (AITM) frameworks, image-based phishing, brand impersonation or multifactor authentication (MFA) bypass.
Browser usage across managed and unmanaged devices has skyrocketed in recent years, exposing an immense attack surface that enterprises are struggling to cover. Traditional network-based security controls aren’t detecting zero-hour phishing attacks that deliver ransomware and steal credentials.
![Menlo Security's Neko Papez](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blta96bfdac9bb736f7/65b172ed572551040a6d7f4d/Papez_Neko_Menlo_Security_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
Menlo Security's Neko Papez
“These attacks are growing at a faster rate because cybercriminals know they have a higher rate of success employing these methods,” said Neko Papez, Menlo Security’s senior manager of cybersecurity strategy.