Highlights:

  • According to the 2023 State of Browser Security Report, there was a notable 198% surge in browser-based phishing attacks during the year’s second half, resulting in a 206% increase over the entire year.
  • The report also revealed the detection of 550,000 browser-based phishing attacks in the last 12 months.

Menlo Security Inc. has unveiled a report highlighting a significant surge in browser-based phishing attacks in the past year. This rise is attributed to the increased prevalence of highly evasive adaptive threats.

According to the 2023 State of Browser Security Report, there was a notable 198% surge in browser-based phishing attacks during the year’s second half, resulting in a 206% increase over the entire year. Evasive attacks, employing techniques to bypass traditional security controls, accounted for 30% of all browser-based phishing attacks, per the 2023 findings. Evasive threats incorporate tactics like SMS phishing (smishing), image-based phishing, adversary-in-the-middle frameworks, brand impersonation, and multifactor authentication bypass.

The report highlights the pervasive and high-risk nature of these attacks. Over a 30-day period, Menlo Labs Threat Research identified over 11,000 zero-hour phishing attacks that lacked signatures or digital breadcrumbs. Existing secure web gateways or endpoint tools could not detect and block these attacks, underscoring the urgent need for advanced security measures in the face of evolving cyber threats. The team also found that 75% of phishing links are hosted on known, categorized, or trusted websites, which are not easily identified as malicious or fly-by-night.

The report also revealed the detection of 550,000 browser-based phishing attacks in the last 12 months. Legacy reputation URL evasion (LURE) attacks, in which threat actors evade web filters that categorize domains based on implied trust, saw a 70% increase from 2022. Over 73% of LURE attacks originated from categorized websites, as revealed by Menlo Security researchers analyzing a million URLs.

The latency between a zero-hour phishing attack first appearing and traditional security tools incorporating it into their detection mechanisms was identified as six days.

Neko Papez, Senior Manager of Cybersecurity Strategy at Menlo Security, highlighted that with the browser becoming the most widely used enterprise application, users are a significant exposure point for enterprises. Consequently, he explained, attackers employ evasive techniques to circumvent traditional security tools, delivering browser-based threats to steal credentials and gain entry to corporate systems.

Papez added, “While existing network and endpoint solutions offer partial protection, these tools ultimately rely on block lists and indicators-of-compromise feeds, containing previously convicted phishing URLs, to protect against unknown or never before seen phishing attacks. However, traditional solutions fall short because they lack visibility into browsers and dynamic web content and don’t provide the complete picture.”