The cybersecurity field has made great strides in recent years through improvements to email and web security solutions, next-gen antivirus solutions and overall network, operating system and browser hardening.
In turn, threat actors have changed their strategies by adopting hard-to-detect, fileless phishing attacks that exploit the more vulnerable human attack surface. (See New Worm Helps Spread Fileless Version of Bladabindi RAT.)
The threat landscape for 2019 is evolving due to new types of phishing and social engineering attack vectors and methods. These threats are rapidly morphing beyond phishing emails with malicious attachments: they now penetrate organizations through browser-based attack vectors designed to trick users into divulging sensitive information or into installing man-in-the-browser snoopware that runs stealthily in browser memory.
In short, CSOs and security managers must focus attention on the growing number of threats that leverage malicious sites, regardless of phishing attack vector.
In 2019, cybercriminals will continue to use phishing emails, though the percentage of emails that include malicious attachments will decline as the share with malicious links continues to increase. In addition, the use of phishing attack vectors beyond email will expand. These vectors include phishing through ads, pop-ups, social media and chat applications. Hackers are also building seemingly legitimate browser extensions that provide useful functionality.
However, these rogue extensions can also act as snoopware, surreptitiously capturing credentials that enable further attacks on the machine or the corporate network.
The battlefield is shifting to compromised websites
With anti-phishing solutions becoming more adept at spotting newly registered or otherwise suspicious domains, attackers are expanding their use of normally benign but compromised websites to host their malicious phishing pages. This helps them avoid detection and blocking by URL filtration systems and web isolation technologies.
An ecosystem of bad actors is emerging to support this activity. Our threat researchers have noticed a growing number of benign website login credentials for sale on the Dark Web. (See Watch Out: The Dark Web Is Really Watching You.)
Let's be clear: the concern is not about the browser itself being exploited through a software vulnerability.
The most popular browsers are being made more secure all the time. The real issue is the widening variety of ways that users are tricked into adding malicious browser extensions, or into clicking a link that silently installs snoopware in browser memory.
Most security teams are aware of these new threats, but they are unclear on how to respond. Firewalls are only effective when there is a known malicious URL to block, but hackers have become skillful at quickly standing up new, unidentified web pages, as well as using compromised legitimate sites and then taking the phishing pages down again within hours to avoid detection.
By the time such pages are discovered and blocked, the attacks are already complete and the attackers have moved on. This has given rise to more anti-phishing technologies that perform real-time as well as pre-emptive phishing site detection.
Fresh approaches to thwarting phishing
Cybercriminals are increasingly turning to social engineering attacks that exploit the human attack surface to evade existing safeguards and gain entry to corporate networks.
These new threats don't directly target the device, the software or the network. The primary target is the employee behind the browser. In other words, the most vulnerable link in the chain is the end user. With more than 4 billion Internet users who own a few connected devices each, and with web usage increasingly common for everyday business tasks, the expansive scope of this problem becomes all too clear.
Security teams will need to deploy new tools and strategies to block phishing threats on the web before users get duped into doing things that compromise their organizations. Ongoing phishing awareness training for employees should be a part of any layered security strategy, as should anti-phishing solutions that can detect and help block live web-based phishing threats.
Clearly, this is an ongoing game of cat-and-mouse, with 2019 promising to bring even more sophisticated phishing attacks that manipulate users. As Google and other browser makers crack down on rogue browser extensions and apps, rogue extension makers will devise new ways to avoid detection. (See Google Chrome 71: Bugs Squashed & New Ways to Block 'Abusive Experiences'.)
With so much sensitive information passing through the browser via cloud-based apps and cloud storage systems, tricking users and planting man-in-the-browser snoopware is simply too tempting a target for cybercriminals.
— Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, he spent nine years as a senior scientist at FireEye, where he was one of the main architects of FireEye's core malware detection system. Mushtaq has worked with law enforcement and other global agencies to take down some of the world’s biggest malware networks.