Browser-Based Phishing Attacks Increased 198% in 2023 as Threat Actors Grow More Evasive, Menlo Security Research Finds

Thirty percent of browser-based phishing attacks are now classified as evasive, allowing cybercriminals to successfully exploit human vulnerabilities and bypass traditional security tools

MOUNTAIN VIEW, Calif.--()--Menlo Security, a leader in browser security, today released its 2023 State of Browser Security Report, demonstrating rapid growth of Highly Evasive Adaptive Threats (HEAT) targeting the browser. The research uncovered a 198% increase in browser-based phishing attacks in the second half of 2023 compared to the first half of the year. When specifically looking at attacks classified as evasive, the researchers observed a 206% increase.

Evasive attacks – those that utilize a range of techniques meant to evade traditional security controls – are growing at a faster rate than other types of browser-based phishing attacks because cybercriminals know they have a higher rate of success employing these methods. Evasive threats now make up 30% of total browser-based phishing attacks and include tactics such as SMS phishing (smishing), Adversary in the Middle (AITM) frameworks, image-based phishing, brand impersonation or Multi-Factor Authentication (MFA) bypass. The full 2023 State of Browser Security Report contains additional details on these tactics.

Browser usage across managed and unmanaged devices has skyrocketed in recent years, exposing an immense attack surface enterprises are grappling to cover. Traditional network-based security controls unfortunately aren’t detecting zero-hour phishing attacks that deliver ransomware and steal credentials. Over a 30-day period, the Menlo Labs Threat Research team observed more than 11,000 zero-hour phishing attacks that exhibited no signature or digital breadcrumb, meaning no existing Secure Web Gateway (SWG) or endpoint tool could detect and block those attacks. The team also discovered that 75% of phishing links are hosted on known, categorized or trusted websites – not websites that can be easily identified as malicious or fly-by-night websites.

“Humans remain the weakest link in the cybersecurity chain – unintentionally divulging corporate credentials and secrets – and threat actors have decidedly shifted focus to web browsers as THE point of entry to gain initial access,” said Amir Ben-Efraim, Co-Founder and Chief Executive Officer of Menlo Security. “Menlo Security is continuously detecting and preventing an influx of new browser-based phishing campaigns that are highly targeted, sophisticated and evasive, bypassing traditional network and email-based detection tooling. It’s imperative that CISOs focus their defenses on browser security as the only effective prevention strategy against these modern threats.”

To compile this report, the Menlo Labs Threat Research team examined threat data and browser telemetry gathered from Menlo Security Cloud, including over 400 billion web sessions during 2023. Additionally, the team took a closer look at a 30-day period in Q4 2023 to glean more specific insights about cybercriminals’ evolving tactics and attack patterns. Other key findings from the State of Browser Security Report include:

  • Over 550,000 browser-based phishing attacks were detected in the last 12 months.
  • Legacy Reputation URL Evasion (LURE) attacks increased by 70% since 2022. LURE attacks are characterized by a method in which threat actors evade web filters that attempt to categorize domains based on implied trust.
  • More than 73% of LURE attacks originated from categorized websites, based on 1 million URLs analyzed by Menlo Security researchers.
  • Six days is the average latency between when a zero-hour phishing attack first appears and when it is finally added to the detection mechanism for traditional security tools.

“Evasive techniques are handcrafted to fly under the radar and are particularly hard for security teams to spot. Unfortunately, modern security tooling such as SWG and Endpoint Security are ineffective as attackers are able to bypass these protections,” said Devin Ertel, Chief Information Security Officer of Menlo Security. “However, our research found that browser security was able to stop these zero-hour phishing attacks even when they exhibited sophisticated evasion. Organizations must adopt a targeted approach to browser security by leveraging various AI-based approaches – including object detection, URL risk assessment, and web page element analysis – to fight against today’s evasive cyber threats.”

Download the full 2023 State of Browser Security Report to read the findings and see how today’s threat actors are evading traditional security tooling.

To learn more about how browser security can eliminate the browser attack surface, visit Menlo Security’s platform overview page or schedule a demo to learn how Menlo Security can protect your organization against zero-hour phishing, malware, and ransomware attacks targeting the browser.

About Menlo Security

Menlo Security protects organizations from cyber threats that attack web browsers. Menlo Security’s patented Cloud-Browser Security Platform scales to provide comprehensive protection across enterprises of any size, without requiring endpoint software or impacting the end user-experience. Menlo Security is trusted by major global businesses, including Fortune 500 companies, eight of the ten largest global financial services institutions, and large governmental institutions. The company is backed by Vista Equity Partners, Neuberger Berman, General Catalyst, American Express Ventures, Ericsson Ventures, HSBC, and JPMorgan Chase. Menlo Security is headquartered in Mountain View, California. For more information, please visit www.menlosecurity.com.

Contacts

Emily Ashley
Lumina Communications for Menlo Security
Menlo@luminapr.com

Contacts

Emily Ashley
Lumina Communications for Menlo Security
Menlo@luminapr.com