How GenAI and Phishing-as-a-Service Are Transforming Cyber Threats in 2025


The enterprise web browser as the primary battleground for cybercriminals is the underlying theme of Menlo Security’s State of the Browser Security report. The report highlights the trends around attacks concentrated on exploiting web browser flaws. The report brings to the forefront that cybercriminal attacks are growing in sophistication.

Key Statistics

The State of the Browser Security report, a culmination of the research conducted by the Menlo Threat Intelligence team, uncovered a number of trends. These include:

  • In 2024, more than 752,500 browser-based phishing attacks were detected, which represents a nearly 140% increase over 2023
  • More than 170,000 zero-hour phishing attacks were launched against Menlo customers, representing a 130% increase from the previous year
  • One in five attacks displayed some form of evasive technique designed to evade traditional network and endpoint-based security controls
  • Nearly 51% of browser-based phishing attacks employed some form of brand impersonation, with Microsoft, Facebook, and Netflix being the top three impersonated brands
  • GenAI threats are rising, with nearly 600 incidents identified using GenAI names as imposter sites to manipulate and exploit unsuspecting victims

Why The Browser?

Enterprises are adopting an ever-growing number of cloud services and SaaS applications to conduct daily operations. As the browser becomes the primary workspace, cybercriminals and other threat actors are increasingly targeting browsers. They focus on finding and exploiting vulnerabilities and using other sophisticated methods to deliver malware.

Eric Cornelius, CEO of Conceal, explains that the web browser is extremely vulnerable because it has three attack surfaces. "Browsers are vulnerable at the application level by exploiting vulnerabilities at the code level, at the website that feeds information to the browser, and at the user level when people voluntarily provide sensitive information while browsing the web".

Attacking Browsers

Menlo Security reported that in 2024, organizations were subjected to some of the most sophisticated cyber threats they have seen. Those noted in the report include:

LURE Attacks

Legacy URL Reputation Evasion (LURE) attacks evade web filters that attempt to categorize domains based on implied trust. They use a number of methods to mask a malicious site or webpage. LURE can compromise legitimate but poorly secured websites to install malware that can be delivered through the browser. These attacks are also leveraging AI-powered techniques to create extremely realistic counterfeit sites.

“0.0.0.0 Day” Vulnerability

The 0.0.0.0 Day vulnerability was discovered in 2024 by researchers from Oligo Security. They uncovered a flaw in how browsers handle network requests. The vulnerability allows public websites to bypass security controls to gain unauthorized access to the browser’s local network and execute arbitrary code on a host using the address 0.0.0.0. This vulnerability only impacts macOS and Linux systems.
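The flaw described above matters because a service listening on 0.0.0.0 answers requests that a browser relays from a public page. The Host and Origin check below is an added defensive example, not code from the report or from Oligo Security; it shows how a local development service can refuse requests addressed to 0.0.0.0 or carrying a non-loopback Origin. The handler class, the allowed-host set and the port 8000 are constructed for illustration.

```python
"""Loopback-only request filter for a local HTTP service (constructed example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit

# Names a local-only service should answer to. The literal "0.0.0.0" that a
# browser puts in the Host header when a page targets it is deliberately absent.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _hostname(value: str) -> Optional[str]:
    """Parse a Host header or Origin URL and return its lowercased hostname."""
    try:
        # Prefix "//" so a bare host:port parses as a network location.
        target = value if "://" in value else "//" + value
        return urlsplit(target.strip()).hostname  # strips port and IPv6 brackets
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None


def host_is_local(host_header: Optional[str]) -> bool:
    """True only if the Host header names the loopback interface."""
    if not host_header:
        return False
    return _hostname(host_header) in LOOPBACK_HOSTS


def request_allowed(host_header: Optional[str], origin_header: Optional[str]) -> bool:
    """Accept a request only if Host is loopback and any Origin is loopback too.

    Requests without an Origin (same-origin navigations, curl) are allowed;
    an Origin of "null" or a public site is rejected.
    """
    if not host_is_local(host_header):
        return False
    if origin_header is None:
        return True
    return _hostname(origin_header) in LOOPBACK_HOSTS


class LocalOnlyHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        if not request_allowed(self.headers.get("Host"), self.headers.get("Origin")):
            self.send_error(403, "request not addressed to loopback")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")


if __name__ == "__main__":
    # Bind to 127.0.0.1, not 0.0.0.0, so the socket itself is loopback-only.
    HTTPServer(("127.0.0.1", 8000), LocalOnlyHandler).serve_forever()
```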

Cloud Hosting Abuse

Cybercriminals are exploiting cloud services to host malicious content, such as phishing sites, counterfeit sites, and command and control servers. Cloud services are less likely to discover the activities of threat actors, thus allowing them to operate in the clear. By abusing legitimate cloud services, attackers can act anonymously and can rapidly deploy, scale, and move their operations.

Malvertising Campaign

Cybercriminals are leveraging trusted advertising networks to deliver various malicious payloads. Bad actors abuse traffic distribution systems (TDSs), which are used by digital advertising networks to filter traffic to specific destinations. Abusing this system makes the illegitimate appear legitimate. Menlo Security specifically called out the VexTrio campaign as a large-scale operation that is a substantial threat.

Phishing-as-a-Service (PhaaS)

Criminal entrepreneurs offer phishing kits as part of PhaaS operations. PhaaS gives unsophisticated attackers the ability to conduct phishing campaigns and provides a layer of anonymity. The use of these automated hacking tools will expand and be improved to leverage AI and expanded cloud services.

AI-driven Cyber Fraud

AI-driven cyber fraud will rise, making it harder to distinguish between legitimate and malicious sites. AI-driven deepfakes impersonating trusted brands and individuals will fuel targeted phishing and credential theft. The exploitation of user trust through sophisticated social engineering techniques, enhanced with AI, will make it much more difficult to determine if a website, social posting, or ad is fraudulent.

Improving Browser Security

Attackers have trained their focus on the browser. Organizations must do more to ensure that these applications are secured. The industry is responding to the need for improved browser security.

One option to improve browser security is to deploy a secure cloud browser. This is a cloud-native web browser application with a virtualized container. The web browsing operations are separated from the user endpoint. No executable web code reaches the end user, thus preventing the delivery of malicious code, malware, and other potential threats. "Why manage a third-party browser with a potential zero-day vulnerability and delayed patching issues when the air-gapped approach of the cloud browser can boost productivity with enhanced security controls?" said Ritesh Agrawal, VP of Product Management at Zscaler. "It is best to detonate a suspicious webpage away from the endpoint."

An alternative to the cloud browser is secure browser extensions, which arm standard browsers with advanced security capabilities. Secure browser extensions offer deep content analysis of the complete site content and the Document Object Model (DOM) to uncover a range of attack types without replacing well-known browsers. Threat detection, phishing protection, URL content blocking, policy enforcement, and centralized administration and reporting are some of the features incorporated into these extensions.

No matter which technology is selected, the solution must support the concept of zero trust. Many organizations are adopting the zero trust framework, but browsers are not always included in the equation. “Zero Trust is an important concept, but it needs to be incorporated at the browser level,” Cornelius states. “Websites are exactly what should not be trusted. Protecting the browser provides the verification, visibility, and segmentation required in a zero trust environment.”

Summary

It is clear from Menlo Security’s report that the browser has become the enterprise’s greatest security liability. Cybercriminals constantly adjust their tactics based on the obstacles placed in front of them. Stronger network, email, and endpoint security have had a positive impact, but attackers are moving to leverage cloud-based actions that directly exploit the browser.

The browser has not received the same level of priority for security and administration as other business components, even as it has become the primary tool for cloud service operations. Enterprises need to understand that this ubiquitous application must be fortified to prevent sophisticated AI-enabled phishing, website forgery, and vulnerability exploits.

As organizations strive to improve overall cyber resilience, they must ensure that browser security solutions, especially those that enable a zero-trust framework, are deployed. This will result in greater security while maintaining a positive user experience.

Author
  • Contributing Writer
    Charles J. Kolodgy is a security strategist, visionary, forecaster, educator, historian, and advisor. He is a thought leader, identifying trends and concepts critical to cybersecurity, with a primary focus on…