Cyber criminals are increasingly sophisticated in how they target people. And websites that appear legitimate, but are dangerous, are a common platform for their campaigns.
It’s easy for people to be complacent when doing daily online tasks like research, shopping, paying invoices or checking social media. Consider Proofpoint research findings from our 2023 State of the Phish report, which covers the threat landscape in 2022:
- Over one-third of working adults took at least one risky action, such as clicking a malicious link, downloading malware, or exposing their personal data or login credentials.
- Over 60% of working adults don’t know that the text of an email link might not match the website it actually leads to.
These data points about wide gaps in knowledge are alarming. Our research also shows that 84% of organizations were hit by a successful phishing attack in 2022—and these attacks rely on people clicking something malicious.
People are the first line of defense for an organization. Let’s look at three recent web-browsing threat trends that they must be resilient against:
- AI-powered chatbots such as ChatGPT
- Multi-Factor Authentication (MFA) phishing
- Browser-in-the-Browser (BitB) attacks
The charm and alarm of AI chatbots
AI-powered chatbots have quickly become popular due to their ability to instantly assist through natural language interactions. ChatGPT is the best-known AI chatbot, and there are others such as Microsoft Bing and Google Bard.
These chatbots are usually accessed through a web browser. The immediacy with which information is given and received creates security risks, including the spread of misinformation and disinformation.
People may type personal information into the browser in response to an AI chatbot. And as we’ve seen in the past with banking injects, any transmission of personal information through the browser could become a target for attackers.
Chatbots collect user data to help their performance and personalize their interactions. This may also raise privacy concerns about personally identifiable information (PII). If the data isn’t stored safely or encrypted adequately, there could be unauthorized access that leads to identity theft or data breaches.
The menace of multi-factor authentication (MFA) phishing
As MFA has become a standard security practice, “man-in-the-middle” MFA phishing techniques have evolved to steal MFA tokens.
In an MFA phishing attack, the victim goes to a spoofed page that uses a reverse proxy to display the login interface of a legitimate service. Their login attempt seems to proceed as normal, but when the victim types in their MFA code and other credentials, the reverse proxy intercepts them and steals the MFA token.
Now the attacker can bypass the MFA security layer and get into the user account. They might access sensitive data, personal information and financial details. They can also steal personal information for identity theft or use the account to access other systems and private data.
Beware of browser-in-the-browser (BitB) attacks
This advanced form of credential phishing is difficult to detect. In addition to creating a convincing phishing page, the attacker also creates a fake pop-up single sign-on (SSO) window. This is what users expect to see when they choose to log into a service with credentials from a trusted site like Google, Apple or Twitter.
The fake SSO login is created by modifying the code of the phishing website to add another, separate, embedded webpage within the phishing page. If the user enters their credentials for the trusted site, the attacker harvests them and potentially has access to a key component of the victim’s digital identity.
Takeaway: People’s actions are the best safeguards
Web browsers have security features that warn you about potentially unsafe sites. But they won’t stop you from taking an unsafe action. It’s up to each person to stop, think, and act or react. That’s why security awareness education is an essential part of helping users understand how to recognize threats and apply their knowledge to real-world situations.
It’s crucial to pay attention to the details of a website and consider the elements and behaviors that bear on its safety, such as:
- Pop-ups that look like browser messages asking you to install or upgrade software.
- Free downloads such as movies, music or videos that have hidden malicious software.
- Free offers asking for personal information in exchange for a giveaway.
- The appearance of known brands that create a false sense of security. You might recognize the brand, but do the images look legitimate?
- A familiar domain name (such as “microsoft.com”) appears in the URL, but the rest of the address has unusual words or spelling.
- Website URLs that appear in search results but aren’t legitimate links.
- Shortened URLs from services like Bitly and TinyURL that can mask the true identity of a link.
- Browser warning messages that a website isn’t secure or can’t be authenticated.
- Suspicious browser functionality like a missing security certificate.
- A website that asks you to input sensitive or financial information. Don’t do it unless you trust the source.
- Keep your browser software updated to protect against known security issues. Be cautious about extensions and automatic updates for plugins.
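Several of the checklist items above (a brand name that appears in a link whose real domain is something else, shortened URLs that mask the destination, link text that doesn’t match where the link goes, and missing HTTPS) can be turned into a mechanical check. The following is an added example, not code from the Proofpoint post: a small link-inspection helper built on the standard WHATWG `URL` API. The `inspectLink` and `registrableDomain` names, the brand list and the shortener list are constructed for the example; the registrable-domain logic takes the last two labels, which is enough for `.com`-style names but not for suffixes like `co.uk`, where a real tool would consult the Public Suffix List.

```javascript
// Added example (not Proofpoint's code). Works in Node.js >= 10 or a modern browser.

// Constructed lists for the example; a real tool would use the organisation's own.
const TRUSTED_BRANDS = ["microsoft.com", "google.com", "apple.com"];
const SHORTENERS = ["bit.ly", "tinyurl.com", "t.co"];

// Registrable domain approximated as the last two labels (see lead-in caveat).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Pull a hostname out of visible link text, if the text looks like a URL or a domain.
function hostFromText(text) {
  if (!text) return null;
  try {
    return new URL(text.trim()).hostname.toLowerCase();
  } catch (e) {
    // not a full URL; fall through to a bare-domain match
  }
  const m = text.match(/\b([a-z0-9-]+\.)+[a-z]{2,}\b/i);
  return m ? m[0].toLowerCase() : null;
}

// Returns { href, domain, findings, risky }. Each finding is one checklist item that fired.
function inspectLink(href, linkText) {
  const findings = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { href, domain: null, findings: ["unparseable URL"], risky: true };
  }

  const host = url.hostname.toLowerCase();
  const domain = registrableDomain(host);

  // Browser "not secure" warnings start here: no TLS at all.
  if (url.protocol !== "https:") findings.push("not HTTPS");

  // A familiar brand appears in the host or path, but the link resolves elsewhere
  // (e.g. microsoft.com.evil.test or evil.test/microsoft/login).
  for (const brand of TRUSTED_BRANDS) {
    const brandName = brand.split(".")[0];
    const appears = host.includes(brandName) || url.pathname.toLowerCase().includes(brandName);
    if (domain !== brand && appears) {
      findings.push(`brand '${brand}' appears but link goes to '${domain}'`);
    }
  }

  // Userinfo before '@' is a classic way to make the real host hard to spot.
  if (url.username) findings.push("URL contains credentials before '@', hiding the real host");

  // Shortened URLs mask the destination until clicked.
  if (SHORTENERS.includes(domain)) findings.push("shortened URL masks destination");

  // The text of the link shows one site, the href goes to another.
  const textHost = hostFromText(linkText);
  if (textHost && registrableDomain(textHost) !== domain) {
    findings.push(`link text shows '${textHost}' but href goes to '${host}'`);
  }

  return { href, domain, findings, risky: findings.length > 0 };
}

// Constructed sample links for a quick run.
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    ["https://www.microsoft.com/", "Microsoft"],
    ["https://microsoft.com.evil.test/login", "microsoft.com"],
    ["https://bit.ly/3xyz", "click here"],
    ["http://evil.test/apple/id", "https://appleid.apple.com"],
    ["https://microsoft.com@evil.test/", "Sign in"],
  ];
  for (const [href, text] of samples) console.log(inspectLink(href, text));
}
```

The helper only reports; deciding what to do with a flagged link is still the person’s job, which is the point of the section above. Note that `new URL("https://microsoft.com@evil.test/")` puts `microsoft.com` in `url.username` and `evil.test` in `url.hostname`, which is exactly why the userinfo check is there.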
“Web Browsing Road Trip” is the theme for the 2023 Cybersecurity Awareness Kit from Proofpoint.
Next step: Get the Cybersecurity Awareness Month Kit now
Every October is Cybersecurity Awareness Month—an important time to empower users to protect themselves and their organization against today’s threats.
To help your efforts this October, Proofpoint has released a free 2023 Cybersecurity Awareness Kit that focuses on the crucial theme of safe, secure web browsing. The Web Browsing Road Trip kit has four weeks of curated content and communication about online safety, along with pre-launch preparation and suggestions for how to wrap up the campaign.
Download and use our Cybersecurity Awareness Month Kit throughout October, or whenever you need a program boost.
A year-round security awareness program is likely to deliver better results when it comes to reducing your people risk. Visit our Cybersecurity Awareness hub to learn more about how you can turn your users into cybersecurity road warriors, both at work and at home.