By Atif Mushtaq, CEO, SlashNext
Socially engineered attacks take many forms. While email phishing is the most well-known and remains an ongoing challenge for security teams, organizations must also deal with the growing threat of phishing attacks that are coming from outside the inbox. Cybercriminals increasingly use ads on legitimate websites, pop-ups, social media, chat applications, and more to lure users to a malicious webpage. Credential stealing or obtaining some other PII have long been goals of phishing attacks. But hackers are increasingly tricking users into getting seemingly legitimate browser extensions. These often provide useful functionality, but they can also act as snoopware to surreptitiously capture credentials and other info to arm hackers for additional attacks on the machine or the corporate network.
What makes these new generation of socially engineered attacks so troubling is two-fold. First, phishing links coming from Web sources and social media are hard to detect. And the rogue browser extensions users are tricked into getting are also hard to detect. Most execute entirely in browser memory and evade anti-virus and endpoint protection technologies.
The compound nature of these new socially engineered attacks can evade existing firewall, antivirus, secure email gateway and endpoint protections by fooling users through HTML-based, Trojan Horse-type strikes. The idea of an HTML-based attack runs counter to common perceptions of HTML as somehow being “friendly” for users. Unfortunately, that’s no longer the case.
The Browser Has Become the New OS
With the increasing use of cloud computing and SaaS applications, daily—even intensive–browser use is becoming quite common for knowledge workers. In many ways, the browser has become the new OS that needs protection. While hackers used to focus on vulnerabilities in machine operating systems, they are finding it easier to get into the browser. But let’s be clear – this is not about the browser itself becoming corrupted or exploited. The most popular browsers are becoming more secure all the time and have fewer vulnerabilities. The issue has more to do with a wider variety of phishing tricking browser users into adding malicious browser extensions that lead to bad things.
HTML attacks can be unleashed through two main vectors – phishing pages alone, or phishing pages plus HTML malware. Such malware consists of HTML and JavaScript code that runs as part of a browser extension. Endpoint protections and next-generation antivirus protections can’t block users from accessing such malicious HTML and JavaScript running in the browser’s memory.
Recently, some popular Chrome and Firefox browser extensions have been turned into platforms for spyware, according to findings by software engineer Robert Heaton. For example, the browser extension Stylish enabled users to modify how web pages appeared in Chrome and Firefox. However, the embedded spyware also recorded every website that its 2 million users visited.
Stylish then sent the users’ complete browsing activity back to its servers, together with a unique identifier. In this way, SimilarWeb, which had acquired Stylish, could integrate an individual’s online actions into a single profile. As a result, not only did SimilarWeb own a copy of someone’s complete browsing history. According to Heaton, the firm also owned enough other data to potentially associate those histories with a user’s email address and identity. The Google, Chrome and Opera engineers quickly pulled Stylish off their browsers when this news broke in early July, according to a report by ArsTechnica.
Figure 1: Google search results sent to a remote server via a Stylish extension. (Source: Robert Heaton)
Fresh Approaches Needed to Thwart HTML Phishing
Cybercriminals are increasingly turning to such socially engineered attacks that exploit the human attack surface to evade existing safeguards. The key takeaway here is that these new threats don’t target the device, the software or the network. The primary target has now become the unsuspecting person via the browser. In other words, the most vulnerable link in the chain is the end user. With more than 4 billion Internet surfers who own a few connected devices each, the vast extent of this problem becomes mind-boggling.
Most security teams have begun to recognize these new threats, but they are not clear on how pervasive the problem has become, or how to respond. Firewalls are only effective when there is a known malicious URL to block, but the hackers have become skillful at quickly propping up new unidentified web pages and then shutting them back down again within hours to avoid detection.
Because these risky sites are so short-lived, there is no way for security indexing bots to track all of them. And since databases and threat feeds can’t keep pace either, standard firewalls are ineffective in blocking the new browser-based dangers.
Likewise, antivirus and malware protections only help when there is a file to examine, but most of these new socially engineered attacks remain file-less. For this reason, it has become critical to detect and block phishing attacks before any malicious files can penetrate the user’s browser.
Security teams will need to deploy new strategies to detect and block socially engineered phishing attacks at the start of the kill chain, before they trick users into doing things that compromise their organization or their browser with rogue browser extensions. On-going phishing awareness training for employees plays a part, as do anti-phishing solutions that can detect and help block live phishing attacks.
About the Author:
Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, he spent nine years as a senior scientist at FireEye, where he was one of the main architects of FireEye’s core malware detection system. Mushtaq has worked with law enforcement and other global agencies to take down some of the world’s biggest malware networks.
