Cybersecurity - Tagged - Security Boulevard
The Home of the Security Bloggers Network
Tue, 26 Nov 2024 08:00:42 +0000

A CISO’s Guide to Bot Protection Effectiveness – Breaking Open the Black Box
https://securityboulevard.com/2024/11/a-cisos-guide-to-bot-protection-effectiveness-breaking-open-the-black-box/
Tue, 26 Nov 2024 08:00:42 +0000
https://www.kasada.io/?p=14847

Learn how to validate bot protection effectiveness, mitigate business risks, and ensure your defenses align with operational and regulatory needs.

The post A CISO’s Guide to Bot Protection Effectiveness – Breaking Open the Black Box appeared first on Security Boulevard.

Privileged Account Security in Active Directory
https://securityboulevard.com/2024/11/privileged-account-security-in-active-directory/
Mon, 25 Nov 2024 16:01:03 +0000
https://www.enzoic.com/?p=83724

Privileged accounts in Active Directory (AD) are the keys to your organization’s most sensitive systems, data, and administrative tools. These accounts play an essential role in managing access and keeping things running smoothly, but they also come with significant security risks if not properly managed. Why Privileged Account Security in Active Directory Matters Access to […]

The post Privileged Account Security in Active Directory appeared first on Security Boulevard.

Understanding Privileged Access Management (PAM): A Comprehensive Guide
https://securityboulevard.com/2024/11/understanding-privileged-access-management-pam-a-comprehensive-guide/
Mon, 25 Nov 2024 15:29:49 +0000
http://securityboulevard.com/?guid=362f818e5afc4e3d530d792f818cca44

Privileged Access Management (PAM) is crucial in today's threat landscape. This guide explores what PAM is, why it's essential for your organization, and how it safeguards against unauthorized access. Learn about best practices and key features to strengthen your security posture.

The post Understanding Privileged Access Management (PAM): A Comprehensive Guide appeared first on Security Boulevard.

In a Growing Threat Landscape, Companies Must do Three Things to Get Serious About Cybersecurity
https://securityboulevard.com/2024/11/in-a-growing-threat-landscape-companies-must-do-three-things-to-get-serious-about-cybersecurity/
Mon, 25 Nov 2024 13:44:39 +0000
https://securityboulevard.com/?p=2037503

Several macro-trends – such as growing digital transformation, rising hybrid work and, especially, booming AI adoption – have created an increasingly sophisticated threat landscape.

The post In a Growing Threat Landscape, Companies Must do Three Things to Get Serious About Cybersecurity appeared first on Security Boulevard.

What is CICRA Audit and Why It Matters?
https://securityboulevard.com/2024/11/what-is-cicra-audit-and-why-it-matters/
Mon, 25 Nov 2024 05:21:28 +0000
https://kratikal.com/blog/?p=11364

Credit Information Companies (Regulation) Act was introduced in India in 2005. It was for organizations that handle customers’ credit information to promote transparency in the credit system as well as protect sensitive data. CICRA Audit makes sure the organization follows the guidelines. The following statistics show the need for concrete guidelines for credit organizations. By […]

The post What is CICRA Audit and Why It Matters? appeared first on Kratikal Blogs.

The post What is CICRA Audit and Why It Matters? appeared first on Security Boulevard.

Deepfake Fraud, Data Brokers Tracking Military Personnel
https://securityboulevard.com/2024/11/deepfake-fraud-data-brokers-tracking-military-personnel/
Mon, 25 Nov 2024 05:00:33 +0000
https://sharedsecurity.net/?p=101974

In Episode 356, Tom and Kevin discuss the increasing role of deepfake technology in bypassing biometric checks, accounting for 24 percent of fraud attempts. The show covers identity fraud issues and explores the controversial practices of data brokers selling location data, including tracking US military personnel. The conversation shifts to social media platforms Twitter, Blue […]

The post Deepfake Fraud, Data Brokers Tracking Military Personnel appeared first on Shared Security Podcast.

The post Deepfake Fraud, Data Brokers Tracking Military Personnel appeared first on Security Boulevard.

The Hidden Dangers of Browser Extensions: Where Google’s MV3 Still Fall Short
https://securityboulevard.com/2024/11/the-hidden-dangers-of-browser-extensions-where-googles-mv3-still-fall-short/
Mon, 25 Nov 2024 03:57:45 +0000
https://medium.com/p/6df84dc6c09b

A recent Forbes article by Davey Winder discussed a brilliant publication by Stanford researchers Sheryl Hsu, Manda Tran and Aurore Fass. It was discovered that nearly 350 million installed Chrome extensions had privacy violations or vulnerable code, or contained malware. Many hoped that Google Chrome’s new Manifest V3 standard would be the solution to extension-based vulnerabilities. Yet our research, released at DEF CON 32 this year, showed that MV3-compliant extensions can still silently add GitHub repo collaborators, mirror Zoom/Google Meet video feeds and steal user credentials/data relatively easily.

Surprisingly, many of these suspicious extensions are Chrome featured, a stamp of approval that many users, and often security teams, use as an indication of the legitimacy and safety of browser extensions. While Google does its best to vet these technologies, there are over 100,000 active extensions on the Chrome Store, making it impossible to keep track of all updates. On average, it takes 380 days for extensions with malware to be taken down from the Chrome Store.

Attackers exploit this fact by compromising or purchasing the rights to benign, popular extensions and turning them into malicious extensions, without users being aware of the updates. One such case study is seen in the PDF Toolbox and Autoskip of YouTube malicious extensions uncovered by Palant. With 2 and 9 million downloads respectively, these seemingly benign extensions insert adware links into search bars against the user’s will.

This is just one way that extensions can exploit users. Five common browser-extension-based attacks include:

1. Data Exfiltration

Attackers can collect rich data on user behaviour and sell it to companies and targeted ad providers. More targeted attacks can involve using extensions as spyware to read confidential information such as intellectual property, emails and other sensitive information. For companies, such data breaches can lead to expensive class action lawsuits, damage to brand reputation and loss of competitive edge for IP-sensitive companies.

2. Credential stealing

Extensions can gain access to PII such as credit card numbers and social security numbers, as well as gain access to banking and social media accounts. More advanced attackers can even silently add a collaborator to a developer’s GitHub repo, taking their code repo as hostage for ransomware. Since the White House banned most ransom payments in 2023, this poses a huge dilemma when platforms and resources critical to business are being held up by ransomware.

3. Adware & misinformation spreading

Attackers often use extensions to redirect users to ad pages or embed ads into websites without the user knowing. This not only significantly impairs the user’s productivity and experience by slowing down the browser, but may lead to subsequent infection with spyware/ransomware. A similar technique can also be used to display fake search results and spread false information.

4. Cryptojacking

One of the simplest ways to steal cryptocurrency involves injecting the attacker’s wallet address into the recipient field just as the user hits the transfer button, redirecting any currency flow to the attacker’s account. This could lead to significant personal financial loss and reputational damage for crypto exchanges.

5. Malware spreading

Through extensions, attackers can initiate malware downloads without the user’s permission. Smarter attackers can even trigger these downloads when users are on trusted sites (e.g. Zoom, Salesforce) and mask them as software updates to minimise suspicion.

This got me curious about how easy it is to purchase the rights to a Chrome featured extension. Hence, posing as an EdTech founder, I approached the authors of several translation extensions to see if they were willing to sell their extensions to me. I focused on those that had not updated their extension in at least 12 months but had at least 10,000 downloads on the Chrome Store. It turned out that, once a price was agreed upon, all it took was for the author to hand over the credentials to their Chrome account, which would give me completely free access to the extension’s code repo.

If getting access to extensions already installed on millions of devices is indeed as simple as a price negotiation, there is a huge dissonance with the risk management of browser extensions. Speaking to over a dozen security experts, it is evident that most security teams whitelist extensions once and do not have an active monitoring strategy for browser extensions. Even if they do, whitelists are reviewed on a 1–3 year basis, with no way of knowing when a benign extension becomes malicious.

In this case, how can one protect oneself against malicious browser extensions? Here are a couple of best practices:

  • Read, read, read — read reviews, especially negative ones, thoroughly. Do this even for Chrome featured and popular extensions. Index on more recent reviews.
  • Check when the extension was last updated — generally, the longer software goes without an update, the more likely it is unmanaged and vulnerable to attacks. While there is no magic number, I generally get nervous when installing extensions with no updates in more than 3–6 months.
  • Chuck it — uninstall or disable extensions when you don’t need them. I know it is a bit of extra work, but generally the fewer enabled, the safer.
  • Have runtime control — the best way to guarantee extension safety is to use a tool that automatically disables and/or alerts you whenever an extension turns malicious, is updated or goes too long without being updated (depending on your risk appetite).


The Hidden Dangers of Browser Extensions: Where Google’s MV3 Still Fall Short was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post The Hidden Dangers of Browser Extensions: Where Google’s MV3 Still Fall Short appeared first on Security Boulevard.

Phishing 2.0: Unmasking Modern Cyber Threats and Building Proactive Defences
https://securityboulevard.com/2024/11/phishing-2-0-unmasking-modern-cyber-threats-and-building-proactive-defences/
Mon, 25 Nov 2024 03:57:33 +0000
https://medium.com/p/8ff71c61af98

Phishing has become a cornerstone of cyberattacks in the digital era, evolving into one of the most significant challenges for organizations and individuals alike. The rise of increasingly sophisticated phishing methods has reshaped how cybersecurity teams strategize defences and respond to breaches. According to recent cybersecurity reports, phishing remains responsible for a staggering percentage of data breaches worldwide, underlining its role as an entry point for major cyber incidents. In 2023 alone, the Verizon Data Breach Investigations Report found that over 36% of data breaches were linked to phishing, solidifying its reputation as a top method leveraged by cybercriminals.

Further compounding this trend is the fact that phishing attacks are becoming more targeted and complex. According to data from APWG’s Phishing Activity Trends Report, the number of unique phishing sites detected surged by over 60% in the past two years. The game of cat and mouse that is cybersecurity is proving to be a losing game for enterprises as existing tools are unable to keep up with the evolving nature of phishing attacks.

With the lack of proper web security detection tools, organizations are often unaware of the quantum and mechanism of phishing attacks targeting their employees. In fact, it is in the attacker’s best interest to have their attack path remain undiscovered as long as possible, allowing them to exploit users for a longer time, holding more data and access hostage when a breach is finally detected. Worse, it is nearly impossible for organizations to trace back exactly how the attack happened retroactively with incumbent proxy tools, essentially allowing attackers to recycle the same attack using different identities/domains.

This article delineates the mechanics behind the 5 most common modern phishing attacks seen by both our researchers and in the wild with real organizations we work with.

1. Trusted domain attacks

Most enterprises block known malicious or suspicious domains using Secure Web Gateways (SWGs). Thus, attackers have identified several domains that would be whitelisted in almost all organizations and redirect users to phishing sites from there. These include file sharing sites (e.g. SharePoint, Google Drive, OneDrive, Box) and GitHub.

2. Captcha walls

In addition to whitelisting/blacklisting, some SWGs can automatically block domains with certain characteristics such as young domain age. However, even with the most advanced SWGs, this URL filtering does not work when there is a captcha, allowing attackers to hide phishing sites behind captchas.

3. URL masking & shortening

Many attackers leverage URL shortening services like Bitly and Twitter’s t.co, making it difficult for employees to tell if the link is malicious from the URL itself. For similar reasons to the SharePoint-based attacks, existing security tools cannot block these URLs as it will lead to many false positives from legitimate links.

4. GenAI spearphishing

One telltale sign that many employees relied on to identify phishing messages/emails is the persistence of typos and odd grammatical errors. However, with GenAI tools at their disposal, attackers can now write high quality, highly targeted messages at a scale never seen before. A recent study from HBR showed that the cost of phishing attacks has now been slashed by 95%, and that they are seeing comparable success rates (60%) to phishing emails written by trained experts.

5. Browser in the Browser (BiTB) Attacks

This sophisticated phishing technique involves attackers creating a fake browser window within the actual browser to simulate legitimate third-party authentication pop-ups, such as those used for “Sign in with Google” or “Sign in with Facebook.” This deceptive overlay looks authentic and can trick users into entering their login credentials, giving attackers access to sensitive information. The fake window is indistinguishable from a real one at first glance, making it particularly effective and dangerous as users are led to believe they are interacting with a trusted source.

As phishing attacks continue to evolve in quantum and complexity, it is imperative for organizations to shift from a reactive to a proactive defence strategy. In order to do so, security tools must also evolve to provide deep insight into exactly how users are being attacked, creating mechanism-based policies instead of domain-based policies that engage in a perpetual chase of finding and blocking phishing sites as they are discovered post-breach.


Phishing 2.0: Unmasking Modern Cyber Threats and Building Proactive Defences was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Phishing 2.0: Unmasking Modern Cyber Threats and Building Proactive Defences appeared first on Security Boulevard.

Silent Hacks, Deadly Nights: Protect Yourself from Holiday Cyber Threats
https://securityboulevard.com/2024/11/silent-hacks-deadly-nights-protect-yourself-from-holiday-cyber-threats/
Mon, 25 Nov 2024 03:57:17 +0000
https://medium.com/p/a8cf6abefded

The holiday season is coming up. As the world begins to wind down and celebrate, the holidays are a golden opportunity for cybercriminals. As online shopping surges and people become distracted by festivities, hackers exploit vulnerabilities to launch cyberattacks. Here are the five most common cybersecurity attacks to watch out for during the holidays, along with some little hacks to protect yourself against them.

1. Holiday-themed Phishing Scams

Have you received an email from a retailer with an offer that seems “too good to be true”? Adversaries often mimic trusted retailers, shipping companies and charities, luring in victims with limited time Black Friday/Christmas “deals” or urgent messages about undelivered packages.

A recent study by F5 Labs showed that phishing increased by 150% between October and November. Attackers exploit the ironic combination of a relaxed holiday spirit and the mad rush for Christmas shopping to trick users into revealing their credentials. One best practice is to hover over links before clicking on them, but as discussed in my article last week, attackers often use URL shorteners, making it difficult to tell if a site is malicious from the URL alone. Thus, it is important to use tools that can automatically block phishing sites for you, including advanced ones that cannot be detected through network requests alone.

2. Fake E-commerce Websites

Fraudulent websites often pop up during the holidays, offering massive discounts on popular products and/or offering free next day deliveries. These fake e-commerce sites are designed to either steal your payment information or send counterfeit goods, if they deliver anything at all.

With the proliferation of global commerce and startups, it can sometimes be hard to tell which of these new sites are legitimate. In addition to sticking to well-known retailers and avoiding deals that seem suspiciously cheap, there are some simple checks you can do to catch less sophisticated e-commerce scams. These include double checking URLs for misspellings/typosquatting and unusual domain extensions, checking the domain age, as well as looking at public forums for user reviews.

3. Malware via Holiday-themed Apps or Downloads

During the holidays, many people download festive apps, screensavers, or digital greeting cards. Some of these downloads, however, may come bundled with malware designed to spy on your activity, steal sensitive data, or lock your files for ransom. A seemingly harmless holiday-themed game might secretly install keylogging software on your device, capturing your passwords as you type them.

To avoid falling prey to such attacks, a simple best practice is to download apps and browser extensions only from trusted stores. Even with this precaution, there may still be many malicious apps/extensions that are not flagged by the official store (see my previous article on malicious Chrome featured extensions here). Thus, the best way to protect yourself is to have a browser-native solution that can inspect and detect malicious extensions and downloads live.

4. Gift Card Scams

Gift cards are a popular holiday gift, and scammers take full advantage of their popularity. Scams can involve fake gift card websites, tampered gift cards in stores, or phishing emails pretending to offer free gift cards. A scammer might send an email claiming you’ve won a gift card, asking you to enter personal information to claim it. Another common tactic involves messages or social media posts containing a QR code that brings you to a fake login site.

Similarly, the best way to avoid this is to only purchase gift cards from trusted retailers, as well as to have a browser-native tool to help you detect any evasive sites mimicking login pages of legitimate retailers. QR codes are more challenging to handle as attackers know that most of our personal phones, which we will most likely be scanning these QR codes from, are completely unprotected. Thus, it is important that your browser security solution can also automatically check and block malicious QR codes from being scanned on your device.

5. Account Takeovers

Attackers often use the credentials they have harvested over the year or exploit weak or reused passwords, especially as people rush to create accounts for holiday shopping, to make unauthorized purchases during the holiday season. This is because it is especially difficult for banks and credit card providers to identify anomalous transactions during the months leading up to Christmas, as people frequently purchase gifts from multiple sites they may not regularly place orders from.

The best way to prevent this is to use a unique, strong password on every new site, perhaps using a password manager to help you keep track of everything. However, if you are like me and don’t trust yourself to be disciplined, a tool like SquareX can be that forcing function that prevents you from re-using passwords by blocking logins to sites that share the same password.

The holiday season is a time of joy and celebration, so don’t let cybercriminals ruin them for you. Now that you know about common holiday attacks, I hope that with the right precautions and tools in place, you can focus on the festivities and make lasting memories with your loved ones. Stay vigilant, stay secure, and have a happy holiday season! :)


Silent Hacks, Deadly Nights: Protect Yourself from Holiday Cyber Threats was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Silent Hacks, Deadly Nights: Protect Yourself from Holiday Cyber Threats appeared first on Security Boulevard.

Is Cyber Threat Intelligence Worthless?
https://securityboulevard.com/2024/11/is-cyber-threat-intelligence-worthless/
Sat, 23 Nov 2024 00:07:00 +0000
http://securityboulevard.com/?guid=ee3390ceceaf1c5a4d1b6f93a1d17450

I was recently asked, “What do intelligence reports do? They appear worthless!”

I found the question both funny and ironic. Unfortunately, I had to gently deliver some uncomfortable news.

There is a fundamental difference between intelligence and the ability to apply it effectively to make better decisions. Intelligence is the distillation and organization of data that is analyzed and assessed to draw meaningful conclusions. These insights often highlight risks and opportunities, serving as a foundation for better decisions.

However, intelligence alone doesn’t guarantee action or success. It takes someone with knowledge and experience to interpret these insights within a specific context, align them with goals, and uncover actionable strategies to address potential risks or opportunities. This process enables smarter decisions and often provides a competitive advantage.

Simply put: “Intelligence is useless without the wisdom to meaningfully apply it.”

In this case, the person dismissing threat intelligence as “worthless” failed to understand how to use it. Intelligence reports don’t necessarily dictate actions—they empower decision-makers with the information they need to act. The value lies not in the report itself, but in the expertise to leverage it.

The post Is Cyber Threat Intelligence Worthless? appeared first on Security Boulevard.
