Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security

1/2/2019
09:15 AM
Atif Mushtaq
Atif Mushtaq
News Analysis-Security Now
50%
50%

Phishing & Social Engineering Attacks Will Rise in 2019

The rise of fileless attack techniques and other developments is making phishing a much more serious problem for enterprise security. As we head into 2019, a new approach is needed.

The cybersecurity field has made great strides in recent years through improvements to email and web security solutions, next-gen antivirus solutions and overall network, operating system and browser hardening.

In turn, threat actors have changed their strategies by adopting hard-to-detect, fileless phishing attacks that exploit the more vulnerable human attack surface. (See New Worm Helps Spread Fileless Version of Bladabindi RAT .)

The threat landscape for 2019 is evolving due to new types of phishing and social engineering attack vectors and methods. These threats are rapidly morphing beyond phishing emails with malicious attachments to penetrate organizations through browser-based attack vectors designed to trick users into divulging sensitive information or install man-in-the-browser snoopware to run stealthily in browser memory.

In short, CSOs and security managers must focus attention on the growing number of threats that leverage malicious sites, regardless of phishing attack vector.

In 2019, cybercriminals will continue to use phishing emails, though the percentage of emails that include malicious attachments will decline as those with malicious links continue to increase. In addition, use of phishing attack vectors beyond email will expand. These vectors include phishing through ads, pop-ups, social media and chat applications. Hackers are also building seemingly legitimate browser extensions that provide useful functionality.

However, these rogue extensions can also act as snoopware to surreptitiously capture credentials that enable additional attacks on the machine or the corporate network.

The battlefield is shifting to compromised websitesWith anti-phishing solutions becoming more adept at spotting newly registered or otherwise suspicious domains, attackers are expanding their use of normally benign but compromised websites to host their malicious phishing pages. This helps them avoid detection and blocking by URL filtration systems and web isolation technologies.

An ecosystem of bad actors is emerging to support this activity. Our threat researchers have noticed a growing number of benign website login credentials for sale on the Dark Web. (See Watch Out: The Dark Web Is Really Watching You.)

Let's be clear -- the concern is not about the browser itself becoming exploited through a software vulnerability.

The most popular browsers are being made more secure all the time. The real issue involves a wider variety of ways that users are tricked into adding malicious browser extensions that can lead to bad outcomes or clicking a link that silently installs snoopware in browser memory.

Most security teams are aware of these new threats, but they are unclear on how to respond. Firewalls are only effective when there is a known malicious URL to block, but the hackers have become skillful at quickly propping up new unidentified web pages, and also using compromised legitimate sites and then shutting phishing pages down again within hours to avoid detection.

By the time they are typically discovered and blocked, the attacks are already done and have moved on. This has given rise to more anti-phishing technologies that can do real-time as well as pre-emptive phishing site detection.

Fresh approaches to thwarting phishingCybercriminals are increasingly turning to social engineering attacks that exploit the human attack surface to evade existing safeguards and gain entry to corporate networks.

These new threats don't directly target the device, the software or the network. The primary target is the employee behind the browser. In other words, the most vulnerable link in the chain is the end user. With more than 4 billion Internet users who own a few connected devices each, and with web usage increasingly common for everyday business tasks, the expansive scope of this problem becomes all too clear.

Security teams will need to deploy new tools and strategies to block phishing threats on the web, before users get duped into doing things that compromise their organizations. On-going phishing awareness training for employees should be a part of any layered security strategy, as should anti-phishing solutions that can detect and help block live web-based phishing threats.

Clearly, this is an on-going game of cat-and-mouse with 2019 promising to bring even more sophisticated phishing attacks to manipulate users. As Google and other browser makers crack down on rogue browser extensions and apps, rogue extension makers will devise new ways to avoid detection. (See Google Chrome 71: Bugs Squashed & New Ways to Block 'Abusive Experiences'.)

With so much sensitive information being passed through the browser via cloud-based apps and cloud storage systems, tricking users and getting man-in-the-browser for snooping is just too tempting a target for cybercriminals.

Related posts:

Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, he spent nine years as a senior scientist at FireEye, where he was one of the main architects of FireEye's core malware detection system. Mushtaq has worked with law enforcement and other global agencies to take down some of the world’s biggest malware networks.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27652
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27653
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27654
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
CVE-2020-27655
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CVE-2020-27656
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.