How companies can combat the threat of new browser-in-the-browser phishing attacks by taking back control of network access and password distribution.
By Julia O’Toole, founder, and CEO of MyCena Security Solutions
In 2022, the greatest threat vector is phishing attacks, which are responsible for more than 80% of all breaches to individuals and organizations. These are a result of misused or stolen passwords; hackers, despite their name, don’t “hack in”, but instead log in using credentials phished via social engineering. This potential for an error in judgment on the individual’s side can have great ramifications for whole organizations.
Cyber attackers are also getting smarter in how they breach organizations. In mid-March 2022, a novel phishing technique called browser-in-the-browser (BitB) attacking was uncovered by an Infosec researcher, which uses simulated browser windows and other authentication service providers to steal login credentials.
BitB attacks act as an extension to existing clickjacking or user-interface redressing that alters the appearance of browsers and web pages to trick users to bypass security controls. With this technique, an entirely fabricated replica is created – a user thinks they are seeing the real popup window, but it’s just faked within the page.
“Very few people would notice the slight differences between the two,” according to the report. “Once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website.”
Remove Danger by Retaking Control
It’s up to businesses to remove the danger presented by BitB phishing attacks by ensuring that employees can no longer create, view or type passwords to access the company files, apps, and systems. This amounts to taking back access control and removing the risks of human error from the network access process.
To the untrained eye, which is likely to be the majority of workers, these types of phishing attacks are dangerous yet impossible to spot. All it takes is for one unsuspecting employee to make a mistake and it compromises the entire network.
Attacks like these aren’t for quick cash payouts. Actors will sit inside your system and wait to cause the most damage. All the while, the user continues working without realizing they’ve unwittingly given their credentials away.
This type of attack has been utilized in the past. In 2020, cybercriminals used similar BitB techniques on the video game digital distribution service Steam to gain access to consumer credentials. Whilst this may cause damage to individuals, what we’re seeing now is a more aggressive assault on an organisational level. For the safety of your business, it’s time to take back responsibility and start controlling your own access.
Password Managers are Not the Solution
While some have recommended using a password manager and Single Sign-On tools to circumvent the problem, as they automatically input passwords without falling for the replica windows, this still presents major issues.
Centralizing multiple passwords behind a manager’s master password does nothing to prevent access fraud. It only centralises access information for hackers in a breach scenario. This was the case of the Lapsus$ group who, after infiltrating Okta’s network, were able to easily find an Excel document filled with LastPass administrators’ passwords to access Okta’s customers.
Password managers and Single Sign-on tools may provide a surface layer of convenience for users, but in the event of a breach also offer their company’s keys to the kingdom on a silver platter. Instead, access segmentation and encrypted passwords distribution is a more effective solution that completely removes the potential threat of human error or fraud from the equation and safeguards access integrity.
Additionally, businesses might see the appeal in doubling down with multi-factor authentication (MFA) methods as a precaution. But their initial loss of access control means that not even MFA can guarantee the legitimacy or integrity of access. Cyber attackers have found many ways to infiltrate those as we’ve seen recently through known vulnerabilities in MFA protocols. Relying on MFA merely postpones an inevitable breach of access, rather than securing your cybersecurity and cyber resilience outright.
Relying on Traditional Approaches is no longer enough
Cyber attackers are more intelligent and relentless when it comes to modern-day phishing techniques. Returning access control, segmentation and security to the organizational side ensures that employees no longer need to create, see, or type passwords. Using a safe path from receiving, storing to using encrypted credentials, means they don’t have to worry about leaking them accidentally to cyber actors.
By segmenting access across their entire digital infrastructure, and distributing unique encrypted passwords directly to their employees, businesses remove the potential for unauthorized password sharing, theft, or phishing. Any breach can be contained to one system, meaning that in the event of another BitB attack, the rest of your network remains safe from harm. Through this, organizations can stay one step ahead of ransomware threats.
About the Author
Julia O’Toole, founder, and CEO of MyCena Security Solutions, a breakthrough solution to manage, distribute and secure digital access. An inventor and author of several patents, Julia uses maths, neuroscience and technology to research and design simple yet innovative solutions for complex problems. Julia’s areas of research and expertise include cybersecurity, collaboration and search. Julia founded MyCena in 2016, which has since become a market leader in segmented access management and safe password distribution. With its ground-breaking patented security system, MyCena protects companies from the risks of password error, fraud and phishing, loss of command and control, ransomware, and supply chain cyberattacks.