
Prevent Browser-In-The-Browser Phishing Attacks by Removing Human Input Error

How businesses take back control of network access and password distribution to combat the new browser-in-the-browser phishing attacks.

By Julia O’Toole, Founder and CEO, MyCena Security Solutions

In 2022 phishing remains the largest threat vector, accounting for over 80% of breaches of individuals and organizations, and most of those breaches come down to misused or stolen passwords. Hackers, despite the name, rarely "hack" their way in: they use social engineering to obtain credentials and then simply log in. A single employee's error of judgment can therefore have consequences for the entire organization.

Cyber attackers are also getting smarter about how they compromise organizations. In mid-March 2022, infosec researchers documented a new phishing technique called the Browser-in-the-Browser (BitB) attack. It presents a simulated browser pop-up window that imitates the login dialog of a third-party authentication provider (the "Sign in with ..." flow) in order to harvest login credentials.

BitB attacks are an extension of classic clickjacking and user-interface redressing, which trick users into bypassing security controls by altering how browsers and web pages appear. The technique builds a complete clone of a pop-up login window, including a fake title bar and an address bar showing a legitimate-looking URL, out of ordinary HTML, CSS and JavaScript inside the attacker's page. Users believe they are looking at a real, separate browser window; in fact it is an element of the page they are already on, served from the attacker's origin.

According to the report, "very few people will notice a slight difference between the two," and, "when accessing a website owned by an attacker, users can rest assured that they are entering their credentials into what appears to be a legitimate website."

Take back control and eliminate risk

It is up to businesses to eliminate the risk posed by BitB phishing by ensuring that employees no longer create, verify, or enter passwords to access company files, apps and systems. In effect this means taking back access control and removing human error from the network-access process.

This type of phishing attack is dangerous because, to the untrained eye that most workers bring to a login prompt, it is nearly impossible to detect. The few tells are easy to miss: the fake window cannot be dragged beyond the edges of the real browser window, and a password manager will not offer to fill it. It takes only one unsuspecting employee to make a mistake and expose the entire network.

These attacks are not about a quick cash grab. The actors sit inside the environment and wait for the moment they can do the most damage. Meanwhile, users carry on working without realizing they have handed over their credentials.

The technique is not entirely new. In 2020, cybercriminals used a similar fake-window ploy against users of Steam, the video-game digital distribution service, to harvest consumer credentials. Damaging as that is for individuals, what we are seeing now is a more aggressive use of the technique at the organizational level. To keep a business safe, you must take responsibility for, and control of, your own access.

A password manager is not the solution

Some have recommended password managers and single sign-on tools as the answer, since a password manager releases a saved credential only on the real site's domain and will not fill the cloned window. That helps against the fake pop-up itself, but it leaves a major problem unsolved.

Centralizing many passwords behind an administrator's master password does not prevent access fraud; it merely centralizes the access information for any attacker who gets in. The Lapsus$ intrusion at a third-party support contractor used by Okta is the case in point: once inside, the group easily found an Excel spreadsheet of domain-administrator passwords exported from LastPass, which opened a path toward Okta's customers.

Password managers and single sign-on (SSO) tools give users a superficial layer of convenience, but in a breach they also hand over the company's keys on a silver platter. Access segmentation and encrypted password distribution are more effective: they take human error and fraud out of the equation entirely and protect the integrity of access.

Businesses may also be tempted to double down on multi-factor authentication (MFA) as a precaution. But once access control has been lost, even MFA cannot guarantee the legitimacy or integrity of access; attackers have found multiple ways through it, as we saw recently when a known vulnerability in an MFA deployment was exploited. Relying on MFA alone defers the inevitable access breach rather than delivering cybersecurity and cyber resilience. The one form that does resist a cloned window is phishing-resistant MFA such as FIDO2/WebAuthn, because the credential is bound to the real site's origin and a fake pop-up drawn on the attacker's page cannot produce a valid assertion; one-time codes and push approvals offer no such protection, since a code typed into the fake window can be forwarded to the real site in real time.
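The two defensive mechanisms mentioned above, a password manager declining to fill a cloned window and a WebAuthn assertion failing on the wrong origin, rest on the same principle: the credential is tied to the document's real origin, not to the URL text an attacker paints inside a fake pop-up. The following is an added example written for this edit, not code from the article or from MyCena; the hosts (accounts.example.com, attacker.example), the challenge value and the scenario list are constructed for illustration. A production WebAuthn relying party also verifies the signature, rpIdHash and signature counter; only the clientDataJSON origin check is isolated here because that is the part a BitB window cannot forge.

```javascript
// Added example (not from the article or MyCena): origin binding is what makes a
// Browser-in-the-Browser clone harmless to autofill and to WebAuthn.
// Run with Node.js 16+ (uses the global URL and Buffer with base64url encoding).

// Reduce any URL to its origin (scheme + host + port). Everything else,
// including the URL text painted inside a fake pop-up, is irrelevant.
function originOf(urlString) {
  return new URL(urlString).origin; // throws on malformed input
}

// Password-manager rule: fill a saved credential only when the document's
// real origin is exactly the one the credential was saved for.
function autofillAllowed(savedForUrl, documentUrl) {
  return originOf(savedForUrl) === originOf(documentUrl);
}

// Shape of WebAuthn clientDataJSON. The browser, not the page, fills in
// "origin" with the origin of the document that called
// navigator.credentials.get(), and the authenticator signs over it.
// This helper only constructs demo inputs the way a browser would.
function makeClientData(type, challenge, origin) {
  return Buffer.from(JSON.stringify({ type, challenge, origin })).toString("base64url");
}

// Relying-party check of clientDataJSON (origin, type and challenge only; a
// real server also verifies the signature, rpIdHash and counter). A clone
// drawn on https://attacker.example carries that origin, not the real site's,
// so the assertion is rejected even though the user touched their key.
function verifyClientData(clientDataJSONBase64url, expectedOrigin, expectedChallenge) {
  const cd = JSON.parse(Buffer.from(clientDataJSONBase64url, "base64url").toString("utf8"));
  if (cd.type !== "webauthn.get") return { ok: false, reason: `unexpected type ${cd.type}` };
  if (cd.challenge !== expectedChallenge) return { ok: false, reason: "challenge mismatch" };
  if (cd.origin !== expectedOrigin) return { ok: false, reason: `origin mismatch: ${cd.origin}` };
  return { ok: true, reason: "origin and challenge match" };
}

// Constructed scenarios with hypothetical hosts (not real incidents).
const SAVED_FOR = "https://accounts.example.com/login";
const CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"; // would be random per login
const SCENARIOS = [
  ["real login page",                         "https://accounts.example.com/login?next=/"],
  ["lookalike host under attacker's domain",  "https://accounts.example.com.attacker.example/login"],
  ["BitB: fake pop-up inside attacker page",  "https://attacker.example/promo"],
  ["right host, plain http",                  "http://accounts.example.com/login"],
];

// Run every scenario through both checks and return the verdicts.
// Only the real login page passes either check.
function runScenarios() {
  return SCENARIOS.map(([label, url]) => ({
    label,
    autofill: autofillAllowed(SAVED_FOR, url),
    webauthn: verifyClientData(
      makeClientData("webauthn.get", CHALLENGE, originOf(url)),
      originOf(SAVED_FOR),
      CHALLENGE,
    ).ok,
  }));
}

console.table(runScenarios());
```

The lookalike and BitB rows are the ones that matter for this article: in both, the user sees the legitimate URL on screen, but the browser's own origin for the document is the attacker's, so neither the password manager nor a FIDO2 authenticator will cooperate. A typed password or one-time code carries no such binding, which is why those rows are where credentials get stolen.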

Relying on traditional approaches is no longer sufficient

Cyber attackers are smarter and more persistent with modern phishing techniques. Returning access control, granularity and security to the organization means employees no longer create, verify or enter passwords at all. With a secure path from receipt and storage through to use of encrypted credentials, there is nothing for an employee to leak to a criminal, by accident or otherwise.

By segmenting access across the whole digital infrastructure and distributing unique encrypted passwords directly to employees, a business removes the opportunity for unauthorized password sharing, theft or phishing. Any breach is confined to the one system whose credential was exposed, so if another BitB attack succeeds, the rest of the network is unharmed. That containment is what keeps organizations a step ahead of ransomware.

About the author

Julia O'Toole is Founder and CEO of MyCena Security Solutions, a groundbreaking solution for managing, deploying and securing digital access. An inventor and author of several patents, Julia uses mathematics, neuroscience and technology to research and design simple yet innovative solutions to complex problems. Her research and specialties include cybersecurity, collaboration and search. Julia founded MyCena in 2016, and since then the company has become a market leader in granular access management and secure password distribution. With a groundbreaking patented security system, MyCena protects businesses from the risks of password errors, fraud and phishing, loss of command and control, ransomware, and supply chain cyberattacks.

Julia can be contacted online at julia@mycena.co or linkedin.com/in/juliaotoole and on our website http://www.mycena.co

