
Re: None

Wednesday, 07/11/2018 9:25:50 PM


Post# of 248828
Hackers dangle a wide variety of phishing hooks beyond email

Wave VSC 2.0 could help protect companies' computers in the face of the phishing that is presented in this article.
https://www.wavesys.com/products/wave-virtual-smart-card

https://www.itproportal.com/features/hackers-dangle-a-wide-variety-of-phishing-hooks-beyond-email/

Browsers and browser users are the new OS that need increased protection in order to stop phishing that leads to breaches and other damage

A recent report from Barracuda Networks found that 87 per cent of respondents faced an attempted email-based phishing attack in the past year, making it clear that email-based phishing continues to be a major threat vector. But what happens when improved security defences and employee awareness training make email phishing threats less likely to succeed? Well, if nothing else, hackers are smart and resourceful. They just change to phishing tactics beyond email.

Today, most security teams are finally becoming more aware of the large and growing threat of sophisticated phishing attacks that tempt employees outside of email. This new and fast-evolving attack vector targets users with increasingly sophisticated phishing attacks delivered via ads, search results, pop-ups, browser extensions, social media, chat applications, “free” web apps, and more.

Such sneaky socially engineered attacks often appear in an “arena of trust,” like a legitimate website or social media application. They deceive employees into offering up personal credentials or visiting malicious web pages that compromise their browsers and do keylogging and other malevolent actions that are hard for traditional security solutions to detect.

Hackers are preying on human fallibility with HTML-based attacks that evade existing defences by design. Disguised as legitimate web traffic, they slip through firewalls and secure web gateways. And with these new phishing campaigns typically lasting just hours, existing threat-based defences can’t keep up with fast-moving attacks. In essence, browsers and browser users are the new OS that need increased protection in order to stop phishing that leads to breaches and other damage.

New types of phishing attacks are on the rise

The growing use of the Web, SaaS applications, social media, and other Internet-based resources for daily tasks is making it an increasingly appealing attack vector for hackers. While employees are on the Web or using social media, they are vulnerable to a growing variety of complex phishing attacks outside of their inbox. And with devices such as laptops and phones increasingly being dual use devices, used for both business and personal use, compromises that take place during personal time can compromise a device and help hackers gain entry into corporate networks.

Here is a brief roundup of the most common types of phishing attacks beyond email on the rise today, and why organisations should be on the alert.

Fake logins and credential stealing

It starts out looking real enough. You search for a login page for your Facebook, Google, or Dropbox account at work and come across what appears to be a legitimate page, so you enter your credentials into the phony login. This mistake makes you fair game for attackers to steal your info and get access to your critical files and passwords, and possibly even infiltrate the larger corporate network.

In the example below, attackers provide a custom Dropbox phishing page that allows users to gain access through the trusted email login source of their choice. Regardless of the selection, once the user enters his or her credentials in any of the above logins, the form will submit the stolen information through a PHP script of the same name as the popup htm. In each PHP script, the attacker has written code to send the collected information to this email address.

Malicious browser extensions and ads

According to a recent report, Google says it removed 3.2 billion ads from its platforms in 2017, nearly double the total number of “bad ads” from just a year earlier. That equates to removing about 100 ads per second.

Google also reported that cybercriminals infected more than 100,000 computers with browser extensions that stole login credentials, mined cryptocurrencies, and engaged in click fraud. The malicious extensions were hosted in Google’s official Chrome Web Store. These browser extensions and related HTML malware are often promoted via ads, search engines, and social media to trick users through increasingly sophisticated and trustworthy social engineering methods.


rest at link -
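The quoted article describes a credential form that submits to a PHP script with the same name as the popup .htm page. The following is an added example, not part of the original post or the article: a triage check for that pattern in saved pages, where the function names, file names and sample HTML are all constructed for illustration.

```python
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

class FormScanner(HTMLParser):
    """Record each <form>'s action and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def same_name_php_forms(page_name, html):
    """Actions of password forms on an .htm/.html page that post to <same name>.php."""
    page = PurePosixPath(page_name)
    if page.suffix.lower() not in (".htm", ".html"):
        return []
    scanner = FormScanner()
    scanner.feed(html)
    hits = []
    for form in scanner.forms:
        target = PurePosixPath(urlparse(form["action"]).path)
        if (form["password"] and target.suffix.lower() == ".php"
                and target.stem.lower() == page.stem.lower()):
            hits.append(form["action"])
    return hits

# Constructed sample pages (not taken from the article).
SAMPLES = {
    "gmail.htm": '<form method="post" action="gmail.php">'
                 '<input name="u"><input type="password" name="p"></form>',
    "login.html": '<form method="post" action="/session">'
                  '<input type="password" name="p"></form>',
    "search.htm": '<form action="search.php"><input name="q"></form>',
}

def scan(samples):
    """Map page name -> suspicious form actions, omitting clean pages."""
    return {n: h for n, h in ((n, same_name_php_forms(n, s)) for n, s in samples.items()) if h}
```

A hit is a signal for analyst review, not a verdict: it only says a static page collects a password and hands it to a like-named PHP script.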
