The latest annual Menlo Security State of Browser Security Report recorded a massive jump in browser-based phishing attacks and zero-hour phishing attacks in 2024.
Over the last 12 months, they identified more than 752,500 browser-based phishing attacks against over 800 enterprises. Delving into the report, the increase from 2023, a staggering 140% in browser-based phishing attacks and a 130% in zero-hour phishing attacks specifically is largely attributable to the proliferation of Generative AI (Gen AI) for nefarious purposes.
Just Browsing
Browsers act as a gateway to the internet in our personal and professional lives. When people find a browser they trust, it becomes their go-to, and familiarity breeds trust; trust that cybercriminals are always looking to exploit. The report cites how 80% of the 98% of attacks originating from internet usage targeted end-user browsers.
Some of the common attack methods are:
Malvertising
Using malicious adverts or ‘malvertising’ refers to when harmful code is injected into legitimate websites and advertising networks to spread malware and redirect users to harmful locations in order to steal users’ credentials.
Exploitation of Browser Vulnerabilities
Zero-hour browser flaws are security vulnerabilities in web browsers, such as Chrome for example, unknown to developers and users. No patches or fixes are available immediately upon discovery, providing attackers with a window to exploit them before the issue is resolved. The report identified, on average, a 6-day window of exposure before legacy tools could detect this type of threat.
Browser-based Phishing
Browser-based phishing attacks see bad actors create fake login pages impersonating popular and trusted organizations. The report found that 75% of phishing links are now hosted on trusted domains, including major cloud services like AWS and Cloudflare.
Flattering to Deceive
Microsoft, Facebook, and Netflix were the three brands found to be most impersonated in browser-based phishing attempts, with Microsoft at the top of that list. Menlo found that just under 51% of browser-based phishing attacks involved brand impersonation to varying degrees.
The increasingly common utilization of Gen AI is reflected in the report’s detection of almost 600 incidents of fraudulent Gen AI sites. These sites were passing themselves off as Gen AI sites purporting to offer legitimate services.
By the second half of 2024, Menlo was seeing cybercriminals create nearly one million phishing sites per month, representing a growth of almost 700% since 2020. Large language models (LLMs), a prominent subset of Gen AI, are being increasingly utilized by threat actors to research potential attacks at speed, and craft convincing copy that compels users to act with urgency, all while being replicated on a previously unachievable scale.
Fighting Back
Andrew Harding, VP of Security Strategy at Menlo Security, points out that one of the most interesting things they observed was that “the majority of GenAI fraud was not for the purpose of credential theft. Instead, these impersonation sites attempted to trick people into entering highly personal information.”
Going into more detail about the observed attacks, he explained that “these fake GenAI platforms promise to generate a résumé or similarly personal document. In addition to cybercriminals stealing sensitive and personal information, the returned document is typically a PDF, where malware can hide out and be delivered. In the past year, Menlo Security successfully thwarted hundreds of incidents of such GenAI fraud.”
Defending From the Front
The insidious nature of the threats to browsers, through a combination of leveraging user trust and deploying Gen AI to create ultra-realistic fraudulent images and text, necessitates a proactive approach to defense. Whilst advanced browser isolation, real-time threat intelligence, and machine learning-based detection systems will become ever-more essential to combat bad actors effectively, they may not (right now) be as easily accessible to smaller organizations as they are to larger ones. However, the adoption of a zero-trust framework, along with an organization-wide implementation of MFA, are steps in the right direction that businesses of all sizes can take.
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.