Security researchers have observed a 198% increase in browser-based phishing attacks during the latter half of 2023 compared to the first half, with a corresponding 206% rise in evasive attacks.
The findings, outlined in Menlo Security’s recently released 2023 State of Browser Security Report, highlight a concerning trend in the proliferation of Highly Evasive Adaptive Threats (HEAT) targeting browsers.
Evasive attacks, designed to circumvent traditional security controls, now constitute 30% of all browser-based phishing assaults, according to the report. These sophisticated tactics include SMS phishing, Adversary in the Middle (AITM) frameworks, image-based phishing, brand impersonation and Multi-Factor Authentication (MFA) bypass.
“Humans remain the weakest link in the cybersecurity chain – unintentionally divulging corporate credentials and secrets – and threat actors have decidedly shifted focus to web browsers as the point of entry to gain initial access,” commented Menlo Security CEO, Amir Ben-Efraim.
As browser usage continues to soar on both managed and unmanaged devices, conventional network-based security controls are also grappling with detecting zero-hour phishing attacks.
Over a 30-day period, Menlo Labs Threat Research said it identified more than 11,000 zero-hour phishing attacks. Notably, 75% of phishing links were hosted on reputable websites.
Additionally, Legacy Reputation URL Evasion (LURE) attacks have witnessed a 70% increase since 2022, as well as a six-day latency in detecting zero-hour phishing attacks.
“Evasive techniques are handcrafted to fly under the radar and are particularly hard for security teams to spot. Unfortunately, modern security tooling such as SWG and Endpoint Security are ineffective as attackers are able to bypass these protections,” said Devin Ertel, CISO of Menlo Security.
“However, our research found that browser security was able to stop these zero-hour phishing attacks even when they exhibited sophisticated evasion. Organizations must adopt a targeted approach to browser security by leveraging various AI-based approaches – including object detection, URL risk assessment, and web page element analysis – to fight against today’s evasive cyber-threats.”
Menlo Labs’ latest report is based on data from 400 billion web sessions in 2023.