According to IBM, in 2021, phishing attacks caused 17% of all data breaches, moving up from the fourth to the second most common cause of data compromise in only a year. It is also the second costliest type of breach, with the average global cost reaching $4.65 million.
While these numbers demonstrate that many organisations do not precisely understand how to avoid phishing attacks, NordPass experts predict it will get even worse in the near future due to the emergence of new types of phishing.
This year, the Browser in the Browser (BitB) attack was exposed, posing a threat even for tech-savvy businesses.
Until now, phishing attempts were often recognizable with an attentive eye — malicious sites usually have a domain name that differs from the original site, substitute look-alike characters (such as the digit 0 instead of the letter O, or the digit 1 instead of the letter l), and use “http” instead of “https” in their links.
This year, a new type of sophisticated attack — Browser in the Browser (BitB) — was revealed, raising concern for both individuals and businesses. The attackers have learned how to fabricate a page identical in its behavior and looks to the original site, which also has a trustworthy-looking URL with the “https” prefix and the correct domain.
Once a user visits a malicious site (for instance, by clicking on a phishing link) and chooses to log in via the single sign-on (SSO) option, they are presented with a perfectly fabricated pop-up: a fake browser window, drawn inside the page itself, encouraging them to sign in with Google, Apple, Microsoft, or other third-party credentials.
Since the SSO prompt looks familiar and is widely used, users rarely hesitate before filling in their credentials, which then end up in the hands of the attacker.
As with other phishing attacks, the user first has to be lured to the malicious page. A common practice is to send the person a malicious link via email or messaging platforms.
According to Gediminas Brencius, head of product at NordPass, neither the size of a business nor its turnover determines whether it will be subject to a phishing attack, meaning every enterprise is a likely target. The scenario is straightforward: via messaging apps or e-mail, an employee receives a malicious message, opens the link in it, and ends up handing over account credentials.
With those credentials in hand, an attacker can extensively disrupt business activities. Recovery from that disruption usually places a significant financial burden on the company, which has to get back on its feet, close the gaps in its cybersecurity posture, and regain its reputation, clients, and intellectual property. In some instances, phishing attacks can paralyze a business completely.
“There are people whose actual profession is online phishing,” says Brencius. “Like some magicians, they work full-time mastering illusion building. They navigate us towards their goal, and we blindly follow because they are professionals who know what they are doing.
“Most internet users have too little experience to spot a phishing attack, also considering how fast the hacking evolves. It is high time to admit that these technologies are becoming more intelligent than us.”
As with other phishing attacks, BitB, in the end, is a result of human error, he adds.
While the naked eye cannot distinguish a malicious site from the original page, a password manager comes in handy. Once it recognizes a website the user has an account for, autofill switches on and offers the credentials saved in the password vault. Password managers are built to offer credentials only on an exact match with the saved website address.
However, since the fabricated SSO login page is not a real browser window, the password manager never sees the trustworthy-looking address painted inside it; it sees only the address of the actual page it is running on, which does not match, so it offers no autofill. That absence is the first red flag that the site might be malicious.
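The two checks described above, as an added example that is not part of the article and not NordPass's own code: the first models the exact-address (origin) rule a password manager applies before offering autofill, and shows why a fake address bar drawn inside the page never triggers it; the second is the kind of lookalike-domain and “http instead of https” check the article lists for spotting classic phishing links. The vault entry, the `example.com` hosts and the `.test` domains are constructed sample data.

```javascript
// Added example (not the article's or NordPass's code).
// Vault entries are keyed by exact origin (scheme + host + port), which is
// what a password manager compares against the page it is actually on.
const VAULT = [
  { origin: "https://accounts.example.com", username: "alice" }, // constructed sample
];

// Canonical origin of the page as the browser reports it (window.location).
// Text rendered inside the page, such as a painted BitB address bar, never
// reaches this function; only the real document location does.
function canonicalOrigin(realLocation) {
  // URL.origin drops path, query, fragment and the default port.
  return new URL(realLocation).origin;
}

// Returns the vault entries a password manager would offer to autofill.
// On a BitB page the real location belongs to the attacker's domain, so the
// result is empty even though the fake pop-up shows the genuine address.
function autofillCandidates(realLocation) {
  const origin = canonicalOrigin(realLocation);
  return VAULT.filter((entry) => entry.origin === origin);
}

// ASCII look-alike substitutions the article mentions (0 for o, 1 for l, ...)
// plus two common multi-character tricks ("rn" for "m", "vv" for "w").
const CONFUSABLES = { "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", rn: "m", vv: "w" };

function normaliseHost(host) {
  let h = host.toLowerCase();
  for (const [fake, real] of Object.entries(CONFUSABLES)) h = h.split(fake).join(real);
  return h;
}

// Classic phishing-link signals for a URL, given the hosts you want to protect.
// A genuine subdomain of a protected host (login.example.com) is not flagged.
function assessLink(urlString, protectedHosts) {
  const url = new URL(urlString);
  const warnings = [];
  if (url.protocol !== "https:") warnings.push("not https");
  const host = url.hostname.toLowerCase();
  for (const protectedHost of protectedHosts) {
    if (host === protectedHost || host.endsWith("." + protectedHost)) continue; // genuine
    if (normaliseHost(host) === normaliseHost(protectedHost)) {
      warnings.push(`lookalike of ${protectedHost}`);
    } else if (host.includes(protectedHost)) {
      warnings.push(`embeds ${protectedHost}`); // e.g. example.com.evil.test
    }
  }
  return warnings;
}

// Stand-alone demonstration with constructed inputs.
console.log(autofillCandidates("https://accounts.example.com/login?next=/home")); // 1 match
console.log(autofillCandidates("https://phish-example.test/promo"));            // [] on a BitB page
console.log(assessLink("http://examp1e.com/login", ["example.com"]));            // two warnings
```

The point of `autofillCandidates` is what it does not look at: the manager compares the vault against `window.location`, and nothing an attacker draws inside the page can change that value, which is exactly why the missing autofill prompt is a reliable signal.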
In addition to using a password manager, NordPass experts recommend multi-factor authentication (MFA) to secure shared business accounts and employees’ email. It is also crucial to be critical of your own actions online: think twice before opening a link, and do not blindly trust a spam filter or e-mails from senders you have never interacted with.