Web Browsers Are Doorways To Cyberattacks
Proxies are out. Modern edge security solutions are in. – Sponsored by Conceal
– Steve Morgan, Editor-in-Chief
The Browser Security Report 2024 will guide readers through the functionality and evolution of browsers, the current dominant market players, and the security challenges associated with their use. We will also explore how browser vendors are safeguarding their users and we will arm you with the relevant data and statistics you should know concerning browser security.
In an ever-evolving landscape full of technological innovation, including machine learning (ML), artificial intelligence (AI), automation, and mobility, we often forget just how important internet browsers are.
Internet browsers are only a few decades old, and yet, are now permanent fixtures in how we access the web on our devices. We require them to tap into search engines, navigate to websites, and access online services ranging from e-commerce and finance to social media.
As indispensable as browsers are, their security is of paramount importance to businesses and consumers. “The fact is, email is no longer the primary attack vector — the web browser is,” according to Gordon Lawson, CEO at Conceal, in a recent Forbes post.
Cybercriminals strike us every day, hoping to obtain our personal information, hijack our online accounts, load our systems with malware, or spy on us — and browsers are a primary avenue for attacking end users.
THE BROWSER WARS
The first web browser was developed in 1990 by Tim Berners-Lee, a British scientist working at CERN, the European Organisation for Nuclear Research. The browser was called WorldWideWeb, but was later renamed Nexus to avoid confusion with the World Wide Web.
Two very limited browsers, the text-based Lynx and graphical Mosaic, were then created. Four years later, Netscape Navigator, a simple-to-use proprietary portal to access the web, was released to the public and remained supported until 2008.
Since their inception, internet browsers have grown in variety and function. The launch of Netscape was the catalyst for what Mozilla describes as “the browser wars,” in which Microsoft stepped up as a new contender.
In 1995, Microsoft debuted Internet Explorer. To ensure the new browser reached a wide audience, the Redmond giant bundled IE 1.0 for free with the Windows 95 operating system. Within months, another version was released for compatibility with Apple Macintosh machines.
Four years on, Microsoft had cornered 75 percent of the market. By 1999, the company had conquered almost all of the market, at an estimated 95 – 99 percent.
Netscape — which, as an organization, also developed JavaScript in the meantime — complained that such a monopoly restricted choice for users, many of whom were just signing up for dial-up internet services at home.
Litigation and the question of antitrust laws in the U.S. muddied the waters in browser distribution, and while Netscape was acquired by America Online (AOL) in 1998, Netscape’s browser code was released to the open source community and this paved the way for the Mozilla Project.
During the 1990s and 2000s, other browsers came to market, including Opera, Apple’s Safari, and Mozilla’s Firefox browser. By 2008, Google — now an established market leader in search engines — launched Google Chrome, joining the fray.
Vendors including Google gradually chipped away at Microsoft’s dominance in the market. Facing stiff competition from other browsers, Microsoft launched the Edge browser in 2015 in an attempt to improve upon IE and regain its position as a browser leader.
Since then, smaller browser projects have been released that focus on security, privacy, customization, open source technologies, and more — but overall, Google, Microsoft, Apple, and Mozilla retain the largest user bases.
DOMINANT BROWSERS IN THE MARKET
The dominant desktop browsers in the market today are Google Chrome, Apple Safari, Microsoft Edge, Mozilla Firefox, and Opera. These major players are joined by Samsung Internet as a mobile browser.
As of Q4 2023, according to Statcounter, the dominant browsers in the market accounted for the following market shares worldwide:
- Google Chrome: 63 percent
- Apple Safari: 20 percent
- Microsoft Edge: 5.5 percent
- Mozilla Firefox: 3 percent
- Opera: 3 percent
- Samsung Internet: 2.5 percent
In the U.S., browser market shares are similar, although Microsoft’s Edge browser, Mozilla Firefox, and Opera account for a larger market share.
- Google Chrome: 52 percent
- Apple Safari: 30 percent
- Microsoft Edge: 8.5 percent
- Mozilla Firefox: 3.5 percent
- Opera: 4.5 percent
- Samsung Internet: 1 percent
Regarding mobile browsers, Chrome and Safari are still at the top of the ranks, but UC Browser (developed by Alibaba Group subsidiary UCWeb) and the default Android browser also make an appearance.
- Google Chrome: 64 percent
- Apple Safari: 26 percent
- Samsung Internet: 4.5 percent
- Opera: 2 percent
- UC Browser: 1.5 percent
- Android: 0.5 percent
BROWSER FUNCTIONALITY
Browsers act as bridges between us, the end user, our PC, smartphone, tablet, or Internet of Things (IoT) device, and the web.
Internet browsers process our requests and send them to the appropriate servers by performing a Domain Name System (DNS) lookup and finding IP addresses associated with our queries.
Requests are then sent over Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS). Content, including CSS styling scripts, JavaScript, files, text, and images, is then translated, rendered, and loaded into web pages and online functions.
Typically, a browser’s user interface (UI) on desktop or mobile will include a landing page, an address bar, and elements including bookmarks, buttons, tabs, and other features such as shortcut links to websites and services.
However, today’s browsers are far more than attractive user interfaces and gateways to the internet. Other valuable browser functions now include:
- Security features: Browsers include a vast array of security features designed to protect end users. These include firewalls, phishing and malicious script alerts, antivirus software, data breach monitors, and pop-up blockers. Users can select security options from a browser’s settings menu.
- Cookies: Cookies are small text files containing data related to your online visits and activities. Some cookies are necessary for websites to operate properly, whereas others may collect your information for purposes including online tracking and targeted advertising.
- Browser logs: The majority of browsers will log your activity, and these records can be accessed by going into your history. While this can be deemed a privacy risk, if you accidentally close important tabs and pages, you do have the means to find them again.
- Password managers: Password managers are a relatively recent and welcome option in many web browsers. Password managers or vaults store your online account credentials and autofill username and password combinations online, so users can rely on complex combinations without having to remember them.
- Virtual Private Network (VPN) connections: VPNs provide encrypted tunnels that help mask your online activity. Many VPNs are provided as standalone security solutions but browsers like Opera now include inbuilt VPNs to strengthen privacy online.
- Incognito browsing: The majority of browsers offer private or incognito browsing. When a user elects to use a private browsing mode, a session is launched which is separate from the main browsing window, and temporary data — including activity logs — are not collected or stored on your device.
- Extensions and add-ons: Many web browsers will allow users to equip their browsers with additional software. Extensions and add-ons include ad blockers, utilities, AI-powered assistants, and accessibility bolt-ons.
In today’s world of data breaches and cybersecurity incidents, many browser developers prioritize functions and features that improve privacy and security.
Privacy and security-focused browsers will include tight cookie management, anti-tracking features, VPNs, encryption, and transparent privacy policies, among other features. They may also utilize open source code to allow third parties to perform security audits without limitation.
Privacy and security-focused browsers include Brave, Tor, DuckDuckGo (mobile), and Epic.
INTERNET USERS: A GLOBAL VIEW
The arrival of the internet, arguably, has been as transformative as the industrial revolution. It has provided a new way to access information, communicate, and conduct business — but with every new individual coming online, the potential browser attack surface expands.
Cybersecurity Ventures estimated that there were six billion internet users in 2022, a figure now projected to reach 7.5 billion by 2030. This means that 90 percent of the world’s population, aged six years and older, will join the online community within the next seven years.
Whether on mobile or desktop, each individual will require a browser to access the internet. This provides a greater potential surface for cybercriminals to conduct web-based attacks.
THE REMOTE BUSINESS WORLD
The pandemic forced many organizations and businesses worldwide to overhaul their entire operation, pivoting to digital solutions and remote channels in order to survive.
While digital transformation often takes years to plan and implement, the nature of the event pushed many companies to move online, with 71 percent of companies now owning a website — a figure greater than a year prior and largely attributed to the pandemic. Furthermore, 28 percent of all business is now conducted online, a statistic we can expect to increase due to the popularity of e-commerce.
Not only are consumers now more likely to use browsers to shop online or access a service, but companies — and their employees — now commonly rely upon web portals to access corporate resources.
Another facet of the pandemic that should not be forgotten is remote work. While some jobs were remote before 2020, now, roles may offer hybrid and fully remote options, as many employees do not want to return to the office full-time.
A recent survey of 1,000 IT decision-makers by Dell, the Global Data Protection Index (GDPI) Snapshot, found that 70 percent of respondents believe remote work increases the risk of cyber threats.
Consequently, companies that now operate web-based portals, accessible from the office and from remote locations, may be more at risk of compromise — especially if remote employees are required to use their own equipment and are not practicing adequate browser security hygiene.
THE BIGGEST RISKS TO BROWSER SECURITY
Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next three years, growing to $10.5 trillion USD annually by 2025.
According to IBM, on average, organizations take 277 days to detect and contain data breaches, and browsers can be one of the many pathways cybercriminals can exploit to infiltrate their networks.
Despite browser developers consistently improving browser defenses, human error can come into the equation — and mistakes leading to breaches aren’t always avoidable.
These are the most significant cybersecurity risks to browsers and their end users in 2023.
Phishing
Phishing is the practice of sending fraudulent messages designed to entice victims into parting with their information. Phishing can take place over email, voice messages, website content, and social media channels.
Fraudsters will often impersonate legitimate services and organizations, such as banks, and will attempt to elicit an emotional response to prompt victims to take a specific action. For example, phishing emails could demand payment on behalf of the IRS and include a link to a malicious website. Or, bots could spread phishing messages and malicious files across social media channels including Facebook and Telegram.
36 percent of all security breaches begin with a phishing attack. In 2023, 3.4 billion phishing emails were being sent every day.
Malicious Websites
Researchers estimate that there are over 67 million domains on the internet, with millions of requests made to these websites daily.
Malicious websites are often disguised as legitimate services including financial companies, government services, and e-commerce stores. They are designed to steal information, including PII and financial data, and may also lure visitors into downloading and executing malware.
Some malicious domains will mask themselves through typosquatting, in which website addresses appear legitimate at first glance, but upon further examination, are slightly different. For example, microsoft.com could be impersonated by the address micros0ft.com.
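A defender can screen newly seen domains for this pattern. The sketch below is an added example, not part of the original report: it folds common character swaps (as in micros0ft.com) and then measures edit distance against a list of protected names. The protected list, the substitution table, and the sample inputs are constructed assumptions, and inputs are assumed to be plain ASCII hostnames.

```python
# Added example (not from the report): flag lookalike domains such as micros0ft.com.
# PROTECTED, CONFUSABLES and any sample inputs are constructed for illustration.

PROTECTED = ["microsoft.com", "google.com", "paypal.com"]

# Character swaps commonly seen in lookalike names (illustrative, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def skeleton(domain):
    """Lower-case a domain and fold confusable characters to one canonical form."""
    d = domain.strip().lower().rstrip(".")
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "mircosoft" vs "microsoft".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def check_domain(domain, protected=PROTECTED, max_distance=1):
    """Return (impersonated_domain, reason), or None if the name looks unrelated."""
    name = domain.strip().lower().rstrip(".")
    for p in protected:
        if name == p or name.endswith("." + p):
            return None  # the real domain or one of its subdomains
    folded = skeleton(name)
    for p in protected:
        target = skeleton(p)
        if folded == target:
            return (p, "confusable characters")
        if edit_distance(folded, target) <= max_distance:
            return (p, "edit distance")
    return None


def scan(domains):
    """Map each suspicious domain in `domains` to its finding."""
    findings = {}
    for d in domains:
        hit = check_domain(d)
        if hit is not None:
            findings[d] = hit
    return findings
```

Short brand names produce more false positives at an edit distance of 1, so the threshold is best tuned per protected name.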
Drive-by Downloads
Drive-by downloads, often facilitated by malicious websites and servers, install malware on an end user’s machine without their consent. Malware including ransomware and trojans are often packaged up with exploit kits such as Angler and Blackhole, and if a browser is found to be vulnerable, malicious code will execute on the target machine.
Session Hijacking
Typically performed by abusing tokens generated to authenticate an internet user when they begin a browser session, session hijacking allows cybercriminals to take control of a victim’s online experience.
Also known as cookie jacking, these attacks can occur passively through network sniffing and monitoring, or may also occur through the real-time theft of a user’s session token.
Once an attacker has seized control of an authenticated session, they can perform various malicious activities including credential theft, browser redirection, and malware deployment.
DNS Spoofing
Domain Name System (DNS) spoofing, also known as DNS cache poisoning, is the redirection of traffic to malicious websites.
DNS spoofing requires attackers to poison DNS server entries, usually through abuse of the Address Resolution Protocol (ARP) or via MiTM attacks to spoof IP addresses and redirect browser users to another, malicious location.
SQL Injections
Named as one of OWASP’s top modern security threats, SQL injections are web security vulnerabilities that permit attackers to intercept and alter queries sent between clients and applications.
While SQL injection attacks are performed on a database with a lack of input validation rather than web browsers, vulnerable websites — and applications — could be forced to display malicious content to visitors.
Cross-Site Scripting, Cross-Site Request Forgery
Cross-site scripting (XSS) is the practice of injecting malicious client-side code into trusted websites and applications. These scripts will load when a user visits the compromised resource and are executed within the victim’s browser.
XSS scripts can reveal session cookies, steal sensitive information, and exfiltrate user input. An example is Magecart attacks, in which malicious JavaScript code is injected into payment portals to skim payment card details that are then sent to attacker-controlled servers. British Airways and Ticketmaster have been victims of such attacks.
Another risk to browsers is Cross-Site Request Forgery (CSRF) attacks. Authenticated users are forced to unintentionally perform specific actions, such as changing a password, altering account details, or making a transaction.
CSRF attacks are typically performed through session hijacking and abusing cookie handling processes when websites have authentication weaknesses.
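The session hijacking, XSS, and CSRF sections above all turn on how session cookies are handled. The following added example, which is not part of the original report, audits Set-Cookie header values for the Secure, HttpOnly, and SameSite attributes. The header values and finding codes are constructed for illustration.

```python
# Added example (not from the report): audit Set-Cookie headers for the attributes
# that limit session-token theft and cross-site request abuse.
# SAMPLE_HEADERS and the finding codes are constructed for illustration.

SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "pref=dark; Path=/; secure; samesite=strict",
]

FINDINGS = {
    "no-secure": "may be sent over plain HTTP, where network sniffing can capture it",
    "no-httponly": "readable from page scripts, so injected script (XSS) can read it",
    "samesite-none": "attached to cross-site requests, which forged requests rely on",
    "no-samesite": "cross-site behaviour is left to the browser's default",
}


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {attribute: value}); attribute names lower-cased."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a Set-Cookie value: %r" % value)
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value):
    """Return (cookie_name, [finding codes]) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(value)
    codes = []
    if "secure" not in attrs:
        codes.append("no-secure")
    if "httponly" not in attrs:
        codes.append("no-httponly")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        codes.append("samesite-none")
    elif samesite not in ("lax", "strict"):
        codes.append("no-samesite")
    return name, codes


def report(headers):
    """Return readable lines, one per finding, for a list of Set-Cookie values."""
    lines = []
    for value in headers:
        name, codes = audit_cookie(value)
        for code in codes:
            lines.append("%s: %s (%s)" % (name, code, FINDINGS[code]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HEADERS)))
```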
Browser Vulnerabilities
Browser vulnerabilities are found within the backend of browser code and must be resolved by developer and security teams.
They can include vulnerabilities to XSS and CSRF, broken authentication, weaknesses to phishing, zero-day vulnerabilities, bugs in third-party libraries, Remote Code Execution (RCE) flaws, memory corruption, or buffer overflow programming errors.
If a user does not accept security updates or they are using an outdated browser that is no longer supported, they may also be putting themselves at risk of exploitation.
Malware including Ransomware
Malware, including information stealers, trojans, and ransomware, is a constant threat to browser security.
Estimates suggest 560,000 new pieces of malware are detected daily and over one billion malicious programs are now in circulation.
Furthermore, some strains of malware specialize in browser hijacking, forcing traffic redirection, tampering with user settings, and potentially stealing information stored in the browser.
Thankfully, many run-of-the-mill malware strains are blocked by modern antivirus solutions and inbuilt browser software. However, browsers can be at risk — and, by extension, their users — when malware exploits zero-day vulnerabilities yet to be patched or is able to compromise an out-of-date browser.
One of the most notorious types of malware that is a threat to browsers today is ransomware.
Ransomware, including LockBit, Cl0P, and Play, can be deployed through the execution of malicious software, drive-by downloads, phishing, and browser vulnerability exploits. This can be particularly dangerous when employees use their devices to access corporate resources and web portals.
The global cost of ransomware reached $20 billion USD in 2021, up from $325 million USD in 2015. Cybersecurity Ventures expects ransomware damage costs to exceed $265 billion USD annually by 2031, with an attack on governments, businesses, consumers, and devices anticipated to take place every two seconds by 2031.
Malvertising
Malvertising, also known as malicious advertising, is either the creation or hijacking of adverts to display malicious content. Seemingly legitimate ads — out of the billions now online — containing malvertising code will send anyone who clicks on them to malicious web addresses or will trigger potentially dangerous scripts.
There have been cases where malicious adverts have slipped through legitimate ad networks and have been displayed on respected websites. For example, visitors to Yahoo in 2015 were subject to adverts launching the Angler exploit kit.
Man-in-the-Middle Attacks
Man-in-the-Middle (MiTM) attacks intercept communication between a user and an application. Cybercriminals quietly eavesdrop on communication or data transfers, typically through techniques such as DNS spoofing or Wi-Fi honeypots.
Successful MiTM attacks between a browser user and a website, for example, could lead to information theft, packet injections, malware deployment, or session hijacking.
Man-in-the-Browser Attacks
Man-in-the-browser (MiTB) attacks differ from MiTM attacks in that a trojan is a crucial mechanism in browser-based attacks.
MiTB attacks require trojan malware strains to tamper with a browser and its security mechanisms, working in the background to spy on or change actions while still displaying intended behaviors to victims.
For example, a MiTB attack could be used to conduct financial fraud as a victim is trying to conduct a transaction or make a purchase. Malware involved in these kinds of sophisticated attacks may install or manipulate extensions or browser helper objects, or perform API hooking.
Malicious Extensions
Thousands of browser extensions, plugins, and add-ons are available to make our browsers smarter and to improve our online experience.
However, by giving these small pieces of software privileged access to browser functions — including logs and sessions — malicious extensions become capable of interfering with our activities, stealing data, and potentially performing other malicious actions such as installing malicious scripts or adware.
A malicious PDF reader extension able to inject JavaScript into websites during browser sessions, for example, was removed from Google’s Chrome Web Store in June — but not before the extension accounted for roughly 75 million installs.
Password, Credential Theft
Password and credential theft impacts almost every online system — and browsers are no exception.
Account credentials can be stolen or taken from public data dumps from other breaches, and if users have connected an email account to their browser sessions, infiltrating one can impact the other — potentially leading to the theft of more data.
In other attacks, cybercriminals may be able to compromise the password vaults or managers used within browser sessions. For example, the Meduza Stealer malware specializes in targeting browser-based password vaults and cryptocurrency wallets.
RECOMMENDATIONS
Organizations now operate in a digital-first environment. Our recommendations are below to mitigate the risk of browser-based attacks:
- Maintain frequent patch cycles: Browser developers form your first line of defense. Browser updates almost always contain security fixes and improvements, and they should be applied across the board as quickly as possible.
- Stay away from suspicious websites: As good practice, users should stay away from websites that appear fraudulent. Sensitive data transfers and financial transactions should only be made when a website is using strong SSL/HTTPS encryption.
- Use trusted browser extensions: Browser extensions and add-ons should only be installed if the vendor and source are trustworthy.
- Implement endpoint protection: Modern endpoint protection software can protect user sessions and devices, no matter whether they are at home or in the office. Endpoint solutions can monitor sessions and automatically block and flag suspicious activity and malicious software.
- Consider installing additional, AI-based security software: Today’s browsers and their security measures are a world away from their inception, but they should not be relied upon as your only security solution. Consider installing additional security software and threat monitors that take advantage of AI and machine learning algorithms to improve the security of browser sessions.
“Proxies, designed to filter content and provide access control, have served well in the past, but they lack real-time threat detection, don’t address modern attack vectors, limit user experience, and don’t evolve with threats,” notes Lawson. “Organizations must recognize the limitations of proxies and shift towards comprehensive, modern edge security solutions to truly safeguard their digital assets.”
– Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.
Sponsored by Conceal
Conceal is at the forefront of defending against web-based attacks, using innovative technology to detect, prevent, and shield businesses and individual users from ever-evolving online threats.
ConcealBrowse operates on the principle of proactive protection. Its AI-powered intelligence engine, ConcealSherpa, runs at machine speed with virtually zero latency to identify potentially harmful webpages autonomously, stopping cyber attacks that take advantage of weaponized links
© 2023 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this content by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.