BLACK HAT USA – Las Vegas – Friday, Aug. 11 – Phishing attacks are moving beyond conventional efforts and require more sophisticated detection capabilities.
That's because modern types of phishing are harder to detect, especially as employees work remotely and are harder to protect, noted Din Serussi, incident response group manager at Perception Point, in his talk at Black Hat USA this week. If that sounds alarmist, consider that 91% of cyberattacks begin with a phishing email.
While it once took an attacker time to create a phishing template, Serussi said AI can now generate a phishing template in 30 seconds with the malicious URL and a malicious file automatically embedded.
Some of the Phishy Ways
Serussi listed a number of modern phishing tactics used by attackers. These included using Cyrillic alphabet characters in a URL to disguise the malicious link the attacker pushes to their would-be victim. "To the human eye, it actually looks like a normal text, right? If we copy and paste it to the command line, we can see the suspicious spaces between the different letters and if we are going to break down the Unicode, we can see how the hackers are actually managing to manipulate us," he said.
What appears to be a four-letter word is actually eight letters, and this can bypass static text filtering. "If you are using an outdated security solution, you're not going to catch this type of attack," he said.
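The "break down the Unicode" check Serussi describes can be automated on the defender's side. The following is an added example, not code from the talk or from Perception Point: it dumps every code point of a hostname, flags labels that mix Latin and Cyrillic (or other) scripts, and also counts invisible format and combining characters, which is why a word can show four visible letters but contain eight code points. The sample hostnames are constructed for this example; the real-looking "paypal" label is replaced by one using Cyrillic "а" (U+0430), and the "bank" label hides a zero-width space.

```python
import unicodedata

# Constructed sample hostnames (not from the talk or any real incident).
SAMPLES = [
    "paypal.example",                 # clean, all Latin
    "p\u0430yp\u0430l.example",       # "a" replaced by Cyrillic small a (U+0430)
    "ba\u200bnk.example",             # zero-width space (U+200B) hidden inside
]

# Coarse script buckets derived from the Unicode character name prefix.
SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")


def script_of(ch):
    """Return a coarse script label for a character using its Unicode name."""
    name = unicodedata.name(ch, "")
    for prefix in SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix
    return "OTHER"


def breakdown(text):
    """Per-code-point dump: (char, U+XXXX, general category, Unicode name)."""
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.category(ch), unicodedata.name(ch, "<unnamed>"))
        for ch in text
    ]


def analyze_label(label):
    """Flag the tricks described in the talk for one dot-separated hostname label."""
    findings = []
    scripts = sorted({script_of(ch) for ch in label if ch.isalpha()})
    if len(scripts) > 1:
        findings.append("mixed-scripts:" + "+".join(scripts))
    # Cf = format chars (zero-width space/joiner), Mn = nonspacing combining marks:
    # both are invisible in a rendered link yet count as extra code points.
    hidden = [ch for ch in label if unicodedata.category(ch) in ("Cf", "Mn")]
    if hidden:
        findings.append(f"hidden-codepoints:{len(hidden)}")
    if any(ord(ch) > 127 for ch in label):
        findings.append("non-ascii")
    return findings


def analyze_hostname(host):
    """Return a report dict for a hostname; 'suspicious' is True if any label is flagged."""
    findings = []
    for label in host.split("."):
        findings.extend(f"{label}:{f}" for f in analyze_label(label))
    visible = sum(1 for ch in host if unicodedata.category(ch) not in ("Cf", "Mn"))
    try:
        # Punycode form makes non-ASCII labels obvious even in plain logs.
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = "<not encodable>"
    return {
        "host": host,
        "codepoint_length": len(host),
        "visible_length": visible,
        "punycode": punycode,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        report = analyze_hostname(sample)
        print(report["host"], report["punycode"], report["findings"])
        for row in breakdown(sample):
            print("   ", *row)
```

A mail or web gateway would apply the same check to every hostname extracted from a URL; the "mixed-scripts" finding catches the Cyrillic substitution even when the link text renders identically to the legitimate brand, and the code point versus visible length difference catches padding with zero-width characters.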
Another tactic is the "browser-in-the-browser" attack, where an attacker uses HTML and CSS to render what looks like a browser tab or pop-up inside your real browser, often showing "https" in the fake URL bar to gain the user's confidence. While these do not come with an option to download malware, they look genuine and can collect personal and credit card information. Serussi said security software with visual analytics will head off browser-in-the-browser attacks.
QR phishing, or "quishing," has increased by 800% this year. He said the problem here is that the destination domain looks legitimate on a mobile device because the entire URL isn't visible.
Attackers also use CAPTCHAs, geofencing, and redirects to mislead security filters into judging a URL legitimate, then redirect the user to a different site.
Fixing the Issue
Serussi said there is a new approach for addressing in-browser security issues: browser extensions that offer detection capabilities.
He said the first step is to have 100% dynamic scanning so that "when you are moving the detections from email to the Web browser, you are able to detect the malicious behavior."
Phishing attacks on social media and messaging apps can also be addressed with browser extensions, Serussi added.
It's also important to have visibility into credentials that have been entered within managed browsers. By examining a week's worth of credentials entered in a compromised user's browser, you can usually find where the account compromise really came from, Serussi said.
These advanced security solutions can also send alerts when a password is entered multiple times, and if the user enters their work password into a Facebook account, the account can be locked immediately.
He also recommended data leak prevention technology to see who's downloading massive files from a shared drive, block their actions and downloads, and immediately disable that specific user until it's clear what's going on.
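The credential-visibility and alerting logic from the two paragraphs above can be sketched as a small detection routine over browser telemetry. This is an added example, not a product's code: it assumes a managed-browser extension reports each credential submission as a (timestamp, user, site domain, password fingerprint) tuple, where the fingerprint is a keyed HMAC computed in the browser so the plaintext password never leaves it. The events, the corporate domain list, the HMAC key and the domains are all constructed for this example. It flags a work password typed into a non-corporate site, repeated entry of the same password on one site, and, for an already-compromised user, the first external site that saw their work password (the likely origin of the compromise).

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed for this example; a real deployment would hold the key in the
# extension's managed configuration and never log plaintext passwords.
PEPPER = b"example-only-hmac-key"
CORP_DOMAINS = {"login.corp.example", "mail.corp.example"}


def fingerprint(password):
    """Keyed, truncated hash of a password: comparable across sites, not reversible without the key."""
    return hmac.new(PEPPER, password.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed telemetry: (timestamp, user, domain, password fingerprint).
EVENTS = [
    ("2023-08-07T08:01", "alice", "login.corp.example", fingerprint("CorrectHorse1!")),
    ("2023-08-08T09:15", "alice", "login.corp.example", fingerprint("CorrectHorse1!")),
    ("2023-08-09T12:40", "alice", "facebook.example", fingerprint("CorrectHorse1!")),
    ("2023-08-10T19:05", "alice", "secure-login-portal.example", fingerprint("CorrectHorse1!")),
    ("2023-08-10T19:06", "alice", "secure-login-portal.example", fingerprint("CorrectHorse1!")),
    ("2023-08-10T19:07", "alice", "secure-login-portal.example", fingerprint("CorrectHorse1!")),
    ("2023-08-11T08:00", "bob", "login.corp.example", fingerprint("bobs-password")),
    ("2023-08-11T08:30", "bob", "shop.example", fingerprint("a-different-one")),
]


def work_fingerprints(events):
    """Map each user to the set of password fingerprints they used on corporate logins."""
    fps = defaultdict(set)
    for _, user, domain, fp in events:
        if domain in CORP_DOMAINS:
            fps[user].add(fp)
    return fps


def detect(events, repeat_threshold=3):
    """Return alerts as (rule, user, domain, timestamp) tuples."""
    alerts = []
    work = work_fingerprints(events)
    events = sorted(events)  # ISO-8601 timestamps sort lexicographically

    # Rule 1: a work password submitted to a non-corporate site (one alert per user/site).
    seen = set()
    for ts, user, domain, fp in events:
        if domain not in CORP_DOMAINS and fp in work[user] and (user, domain) not in seen:
            seen.add((user, domain))
            alerts.append(("work-password-on-external-site", user, domain, ts))

    # Rule 2: the same password entered repeatedly on one site, which is what a
    # phishing page that keeps "rejecting" the login looks like from the browser.
    counts = defaultdict(int)
    for ts, user, domain, fp in events:
        counts[(user, domain, fp)] += 1
        if counts[(user, domain, fp)] == repeat_threshold:
            alerts.append(("repeated-password-entry", user, domain, ts))
    return alerts


def first_external_entry(events, user):
    """For a compromised user, the first non-corporate site that received their work password."""
    work = work_fingerprints(events)
    for ts, u, domain, fp in sorted(events):
        if u == user and domain not in CORP_DOMAINS and fp in work[user]:
            return domain, ts
    return None


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
    print("origin for alice:", first_external_entry(EVENTS, "alice"))
```

The "lock the account immediately" response from the talk would hang off rule 1; the week-long lookback is simply the window of events fed into `first_external_entry`. Storing only keyed fingerprints means the telemetry itself cannot be used to recover passwords if the log store is compromised.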
Serussi also recommended a strong password policy, enforcing two-factor authentication, and configuring Sender Policy Framework (SPF), which checks an email for correlation between the domain it was sent from and the sending IP address.
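To make the SPF recommendation concrete, here is an added example of the check a receiving mail server performs; it is not code from the talk or from any mail product. It evaluates a small subset of the SPF record syntax (`ip4`, `ip6`, `include`, `all`, with the `+`, `-`, `~` and `?` qualifiers) against a table of constructed TXT records that stands in for DNS, and returns the standard result names (pass, fail, softfail, neutral, none, permerror). The domain checked is the one the mail claims to be sent from, and the IP is the connecting client's address. The `a`, `mx`, `exists` and `ptr` mechanisms and macros are deliberately not modelled here and produce `permerror`.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups; the domains are not real.
DNS_TXT = {
    "corp.example": "v=spf1 ip4:203.0.113.0/24 include:mailhost.example -all",
    "mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "noreply.example": "v=spf1 +all",  # permissive record: offers no protection at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    rec = DNS_TXT.get(domain)
    if rec and rec.lower().startswith("v=spf1"):
        return rec
    return None


def check_spf(ip, domain, _depth=0):
    """Evaluate whether `ip` is authorized to send mail for `domain` per its SPF record."""
    if _depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "permerror"

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # Address-family mismatch (v4 addr vs v6 net) simply does not match.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            # An include matches only when the referenced domain yields "pass".
            matched = check_spf(ip, arg, _depth + 1) == "pass"
        else:
            return "permerror"  # a/mx/exists/ptr/macros not modelled in this example

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all" term


if __name__ == "__main__":
    for ip, domain in [("203.0.113.5", "corp.example"),
                       ("198.51.100.10", "corp.example"),
                       ("192.0.2.1", "corp.example"),
                       ("192.0.2.1", "unknown.example")]:
        print(f"{ip:>15}  {domain:<18} {check_spf(ip, domain)}")
```

The instructive cases are the `-all` versus `~all` endings (hard fail lets the receiver reject outright, soft fail only marks) and the `+all` record, which passes any sender and is the misconfiguration to look for when auditing a domain. SPF on its own does not cover the visible From header; that is what DMARC alignment adds on top.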