Explore Latest Cybersecurity Trends at FutureCon Conference

Outdated systems, misconfigured applications and exposed cloud resources are often considered the weakest links in any organization’s IT security. However, it’s the human attack surface that is most frequently exploited — and a new type of browser-based tactic is rapidly becoming the attack of choice by malicious actors.

The human attack surface refers to employee behaviors that increase an organization’s risk. Whether clicking on malicious email attachments, using weak passwords or opening infected web links, users commonly expose their organizations to threats. According to research from the World Economic Forum, user error is a contributing factor in 95 percent of all cybersecurity issues.

Cybercriminals exploit users’ lack of security awareness with a range of social engineering tactics. These attacks are designed to manipulate users into giving up sensitive information, downloading malware or taking other actions that serve the attackers’ purposes. A new type of browser-based social engineering exploit ranks among the top threats to emerge during Q1 2023, according to WatchGuard’s latest Internet Security Report. In these attacks, hackers use browsers’ push notification features to deceive users into taking malicious actions or disclosing sensitive information.

Beyond the Popup
The attacks are similar to the once-ubiquitous popup ads that redirected users to malicious websites or tricked them into downloading malware. Now that web browsers have more protections against popup ad abuse, attackers are using the relatively new notification features to launch similar attacks and malware campaigns.

When visiting a website, for example, you might get a notification asking you to click an “allow” button to view a video or download a PDF. Once you’ve clicked, however, you’ve given hackers permission to send a barrage of notifications with malicious links. Worst of all, these notifications aren’t blocked by any current cyber defense.
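One way a defender can review which sites a user has already allowed to send notifications, shown as an added example that is not part of the original article. It assumes the Chromium-style `Preferences` JSON layout (`profile.content_settings.exceptions.notifications`, where `setting` 1 means allow and 2 means block); the sample data and the allowlist are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

ALLOW = 1  # assumed Chromium content-setting value for "allow" (2 = block)

# Constructed sample of a Chromium-style Preferences file (not real data).
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*": {"setting": 1},
        "https://video-player.example.net:443,*": {"setting": 1},
        "https://news.example.org:443,*": {"setting": 2},
    }}}}
})

# Hypothetical allowlist: hosts the organization expects to send notifications.
APPROVED_HOSTS = {"mail.example.com"}


def granted_origins(preferences_text):
    """Return the origins that currently hold an 'allow' notification grant."""
    node = json.loads(preferences_text)
    for key in ("profile", "content_settings", "exceptions", "notifications"):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    if not isinstance(node, dict):
        return []
    origins = []
    for pattern, entry in node.items():
        if isinstance(entry, dict) and entry.get("setting") == ALLOW:
            # Keys look like "<primary pattern>,<secondary pattern>".
            origins.append(pattern.split(",", 1)[0])
    return sorted(origins)


def needs_review(preferences_text, approved_hosts):
    """Return granted origins whose host is not on the approved list."""
    flagged = []
    for origin in granted_origins(preferences_text):
        host = urlsplit(origin).hostname or origin
        if host not in approved_hosts:
            flagged.append(origin)
    return flagged


if __name__ == "__main__":
    for origin in needs_review(SAMPLE_PREFERENCES, APPROVED_HOSTS):
        print(f"REVIEW notification grant: {origin}")
```

Origins flagged this way can have their permission revoked in the browser's site settings.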

Other common examples of browser-based social engineering attacks include:

  • Clickjacking. This involves overlaying deceptive elements on top of legitimate web pages to trick users into clicking on hidden buttons or links. These deceptive elements can be invisible or disguised as genuine content, leading users to unknowingly perform actions they did not intend, such as granting permissions or downloading malware.
  • Pharming. In pharming attacks, attackers manipulate the DNS (Domain Name System) settings or compromise the user’s computer to redirect them to fraudulent websites. Users enter their sensitive information on these malicious websites, unknowingly providing it to the attackers.
  • Man-in-the-Browser attacks. MitB attacks are designed to infect a user’s browser with malware that intercepts and modifies web page content in real time. The attacker can alter displayed web page content, inject malicious scripts or ads, capture login credentials or perform unauthorized transactions without the user’s knowledge.
  • Browser-in-the-Browser attacks. In these attacks, an attacker leverages vulnerabilities in a web browser to embed or execute another browser that operates independently. The attacker can use the embedded browser to conduct malicious activities such as executing code, accessing sensitive data or interacting with other websites without the user’s knowledge.
  • Rogue browser extensions. These are malicious or unauthorized software add-ons that users may unknowingly install in their web browsers. These extensions can capture browsing activity, collect sensitive information, inject ads or malware or redirect users to malicious websites.

To help your team learn how to identify and avoid these and other emerging threats, make plans to join us for the FutureCon Cybersecurity Conference scheduled for July 27 at the Hilton Tampa Westshore. Verteks is a gold sponsor for the event, which will bring together a panel of C-level cybersecurity professionals to offer cybersecurity training tips, cutting-edge security approaches and risk management strategies. Click here to get more information and to register.

