Web Browser Attacks & How To Combat Them

Uploaded on 2023-01-09 in TECHNOLOGY--Resilience, FREE TO VIEW

Until only recently, most of us knew work as a place where you went. As children, our parents would leave the house and return nine hours later, having physically ‘gone to work’. Today, however, work isn’t a place you go, but something you do.  We’re no longer tied to an office or worksite in the new normal. Today, many of us have the freedom to log onto our company network as it suits us - from the office, at home, or on the go.  

Widespread shifts to more flexible working that we saw take hold during the pandemic and prevail post-Covid have seen organisations shift their operating models and IT infrastructure to the cloud, paving the way for the browser to become one of the most critical business tools. 

Almost all work is now carried out on the internet. Indeed, Google has reported that end users spend an average of 75 percent of their workday using a web browser. From a greater work life balance to boosted productivity and improved staff retention, both employees and employers have seen the benefits of remote and hybrid models. However, this shift has also presented a series of new and evolving risks that companies are now faced with managing and mitigating. 

Where users can use the internet to access sensitive data within applications and SaaS platforms using a variety of devices in a variety of locations, the web browser has become the biggest attack surface available to threat actors, who are actively leveraging and exploiting it. 

Indeed, many attackers have been adapting their methods in order to capitalise on a series of new opportunities.  

At Menlo, we’ve witnessed a significant ramp up in the deployment of techniques specifically designed to evade traditional layers of detection, such as firewalls, secure web gateways (SWGs), malware analysis engines, and phishing detection tools, enabling the efforts of threat attackers to slip under the radar.  
Here we outline four browser-based attack methods that we’re frequently observing.  

1.    HTML Smuggling

HTML smuggling and/or JavaScript trickery is often used within browser environments as a means of bypassing content inspection engines, enabling attacks to deliver malicious payloads to target endpoints. This technique relies upon the malicious file being dynamically constructed inside the browser to ensure there are no resource requests for a remote file that can be inspected. Significantly, even file types that would typically be blocked by SWG engines can still make it to the endpoint without any user interaction. 

2.    Malicious Links

Malicious links are a common tactic used by threat actors, sent not just via email but equally through social media, SMS messages, shared documents and more. When these methods are used in combination with HTML smuggling, content inspection engines become blind to any risk, incapable of identifying the dynamic generation of a file within the browser beyond typical network security perimeter controls. 

 3.    ‘Good2Bad’ Websites

‘Good2Bad’ websites are a third technique that see attackers leveraging benign websites for malicious activities to circumvent web categorisation. Specifically, these are used to support malicious intent for brief periods before reverting to their original benign state. Notably, between 2019 and 2021, Menlo Labs identified a massive 958% increase in the use of Good2Bad sites.  

 4.    Evasive HTTP Traffic Inspection Techniques

Fourthly, several browser exploits such as phishing kit code, crypto-mining code and the impersonation of brand logos can be generated using JavaScript in the browser to avoid detection from static signatures that typically examine web page source code and HTTP traffic. Such methods again render traditional detection tools that are deployed prior to web page execution largely useless. 

Defending Against Browser-Based Threats 

Attackers are finding new ways to bypass legacy security solutions that are simply not equipped for modern ways of working.  Indeed, the most common tools used in current security stacks were created in the era before De-perimeterisation, when work was a place that could be walled off from malicious actors and aren’t fit for modern cloud- and browser-led operating environments. 

Today, we’re seeing web content of all kinds is evolving at rapid speed. New websites are being spun up faster than they can be categorised by URL filters, and threat intelligence can’t keep up with the amount of content being created and compromised by attackers. Even those solutions leveraging artificial intelligence and machine learning need reputational evidence to detect malicious activity, and by then it’s often too late. 

Some vendors are working to respond by adding security controls directly within the browser. Google and Microsoft, for example, are providing built-in controls inside Chrome and Edge to secure at the browser level rather than the network edge.  

However, with attackers developing new evasive attack methods like HTTP Smuggling at increasing rates, new approaches are needed. 

For this reason, it is vital that organisations take a Zero Trust approach to security to stop 0-day malware and credential phishing sites in their tracks and avoid false positives that can drain IT resources and disrupt productivity. 

In achieving Zero Trust in the truest sense, remote browser isolation is a logical option, preventing all content - be it good or bad  - from executing on a local device. 

Indeed, keeping potentially malicious code away from the endpoint is the only way to stop browser-based attacks with certainty. If malicious content cannot be delivered, threat actors can’t traverse the network and execute attacks.  

Jonathan Lee is Senior Product Manager at Menlo Security 

You Might Also Read: 

Credentials Phishing Attacks:

 

« Why We Should Worry About A War On Cybercrime
Cybersecurity: Prepare For The Year Ahead »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Quttera

Quttera

Quttera provides Website Security Solutions for Small & Medium Businesses, Enterprises and Organizations.

Techmeme

Techmeme

Techmeme is an online news curation service focused on leading edge technology, including cyber security.

FoxGuard Solutions

FoxGuard Solutions

FoxGuard Solutions develops customized cyber security, compliance and industrial computing solutions for critical infrastructure entities and control system vendors.

EU Joint Research Centre

EU Joint Research Centre

JRC is the European Commission's science and knowledge service which employs scientists to carry out research in order to provide independent scientific advice and support to EU policy.

Appgate

Appgate

Appgate is the secure access company. We empower how people work and connect by providing solutions purpose-built on Zero Trust security principles.

Forever Group

Forever Group

Forever Group is a Managed Services Provider specialising in Telecommunications, IT Support, and Cyber Security.

MicroSec

MicroSec

MicroSec is a company specializing in IoT security. We focus on bringing enterprise grade security to IoT and embedded systems.

Gigit

Gigit

Gigit’s Service portfolio focuses on your business’ needs and the integration of comprehensive cybersecurity policies, plans, procedures, and practices into your business culture and operations.

Iterasec

Iterasec

Iterasec provides a full range of security services to hacker-proof your products and make software engineering process secure by design.

PreCog Security

PreCog Security

PreCog Security is a US based cybersecurity risk mitigation company. We specialize in helping you find, minimize and manage vulnerability risk within your product, network and process.

Telesystem

Telesystem

Telesystem empowers businesses across the USA with a range of innovative network, communication and collaboration solutions.

Descope

Descope

Descope is a service that helps every developer build secure, frictionless authentication and user journeys for any application.

NetScout Systems

NetScout Systems

NetScout assures digital business services against disruptions in availability, performance, and security.

Hexiosec

Hexiosec

Hexiosec (formerly Red Maple Technologies) is a technical consultancy and product company founded and run by engineers from the UK Intelligence and Defence communities.

Antivirus Tales

Antivirus Tales

Antivirus Tales offers a platform to resolve all types of antivirus-related issues. The platform also provide various blog articles and informative guides to fix antivirus software errors.

HanaByte

HanaByte

HanaByte is a security consultancy focused on delivering state of the art solutions in the cloud. We specialize in delivering cloud services with an emphasis on security.