Browsers Net More Phish, But Targeted Attacks Swim Through

Browser Phishing Tests

Security testing firm NSS Labs has released the latest results from its web browser security comparative series, which this time evaluated the effectiveness of phishing protection from the most popular Web browsers – Apple’s Safari, Google Chrome, Microsoft Internet Explorer, and Mozilla’s Firefox.

During a 10-day test period, NSS Labs found that the average phishing URL catch rate ranged from 90% for Firefox 15 to 94% for Chrome 21. That number is a significant improvement from 2009 testing where the average block rate was 46%, NSS said. Additionally, the average time it took for tested web browsers to block a phishing URL improved to 4.87 hours versus 16.43 hours in tests done in 2009.

“These test results show that web browsers, an important first line of defense, have improved their ability to detect and block malicious phishing sites sufficiently promoted through fraudulent messages to be more quickly logged in reputation-based systems updating browsers' blocking features,” NSS Labs said in a statement.

The zero-hour block rates for the browsers tested against brand new malicious URLs ranged from Chrome 21 at 53.2 percent to Safari 5 at 79.2 percent, NSS said. Firefox 15 had the fastest average block time at 2.35 hours, while all other browsers ranged from 5.38 to 6.11 hours.

However, NSS Labs warned that while browsers' reputation-based defenses may be improving, targeted attacks still pose a significant threat.

“As a rule, [browser phishing defenses] offer less protection from more narrowly targeted phishing attacks, such as those aimed at government and financial services organizations and likely launched selectively in an effort to evade reputation system recognition,” the testing firm said.

In a report (PDF) released today by Trend Micro, the firm revealed that 91 percent of targeted attacks involved spear phishing, based on its analysis of targeted attack data collected between February and September of this year. According to Trend’s report, 94 percent of targeted emails use malicious file attachments as the payload or infection source. The remaining 6 percent use other methods, such as installing malware through malicious links that trigger malicious downloads.

The most highly targeted industries are government and activist groups, Trend said. The reason? Trend believes it’s the extensive information about government agencies and officials easily found online that makes them visible targets.

“Sophisticated spear phishing campaigns continue to be highly problematic to defend against,” said Randy Abrams, Research Director at NSS Labs. “It is important that developers harden browsers to block not only phishing attacks, but also other threats, such as socially engineered malware and drive-by downloads as these remain popular and effective attack vectors for cybercriminals."

Web browsers are not only getting better at blocking phishing attacks faster, but phishing sites themselves are seeing a decreased lifespan, according to a recent report from the Anti-Phishing Working Group (APWG). According to the APWG’s Global Phishing Survey: Trends and Domain Name Use in 1H2012, the average uptime of phishing attacks dropped to a record low of 23 hours and 10 minutes in the first half of 2012. This number, the APWG says, is about half of what it was in late 2011.

With a decreased lifespan, attackers need to find ways to generate new phishing URLs faster. In order to do that, cybercriminals are increasingly using hacked web servers that host legitimate websites on reputable domains to host their phishing websites.

"Phishers seem to be concentrating their efforts on compromising legitimate websites using automated attack tools, or purchasing access to them on the burgeoning underground market," Rod Rasmussen, SecurityWeek columnist and CTO of Internet Identity, said in a recent statement. "This allows them to leverage the good reputation of a website's domain name, making it harder to block in either spam filters or via suspension, and makes takedown of that domain impractical."

“The availability of cheap and disposable domains allows criminals to rapidly change the location of phishing sites. The result is that even a site that is live for only a few hours can evade detection and ensnare enough unwary consumers to be a profitable criminal endeavor,” NSS’ Abrams explained.

“While all browsers average above a 90% block rate for phishing, end-users and enterprises should also take protection against other threats -- such as malware and drive-by downloads -- into consideration when selecting a browser,” NSS warned.

In NSS’ tests, all the browsers blocked over 83% of the phishing URLs used in testing by the end of day one, but it took 3 to 5 days for each to reach its maximum block rate.
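The figures quoted above (zero-hour block rate, overall catch rate, average time to block, and the day-by-day climb toward a maximum block rate) are all derived from one kind of record: when a phishing URL was first presented to a browser and when, if ever, the browser first blocked it. The following is an added example, not NSS Labs’ methodology or code, showing how a defender could compute those same metrics from such records. It assumes, as a simplification, that “zero-hour” means blocked on first exposure and that average block time is taken over URLs that were eventually blocked; the sample observations are constructed for illustration only.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class Observation(NamedTuple):
    """One phishing URL tracked across a test window (assumed record format)."""
    url: str
    first_seen: datetime            # first time the URL was presented to the browser
    blocked_at: Optional[datetime]  # first time the browser blocked it; None = never


T0 = datetime(2012, 9, 1)

# Constructed sample data (not NSS results): six URLs over a 10-day window.
SAMPLE: List[Observation] = [
    Observation("http://example-a.test/login",  T0, T0),                                   # blocked at zero hour
    Observation("http://example-b.test/verify", T0, T0 + timedelta(hours=3)),
    Observation("http://example-c.test/acct",   T0 + timedelta(days=1), T0 + timedelta(days=1, hours=30)),
    Observation("http://example-d.test/secure", T0 + timedelta(days=2), T0 + timedelta(days=2, hours=96)),
    Observation("http://example-e.test/update", T0 + timedelta(days=2), None),             # never blocked
    Observation("http://example-f.test/signin", T0 + timedelta(days=5), T0 + timedelta(days=5)),  # zero hour
]


def _hours_to_block(o: Observation) -> Optional[float]:
    """Hours between first exposure and first block, or None if never blocked."""
    if o.blocked_at is None:
        return None
    return (o.blocked_at - o.first_seen).total_seconds() / 3600.0


def block_rate_after(obs: List[Observation], hours: float) -> float:
    """Fraction of URLs blocked within `hours` of first exposure.

    hours=0 gives the zero-hour block rate; hours=24 gives the end-of-day-one rate.
    """
    if not obs:
        return 0.0
    hit = sum(1 for o in obs if (h := _hours_to_block(o)) is not None and h <= hours)
    return hit / len(obs)


def zero_hour_block_rate(obs: List[Observation]) -> float:
    return block_rate_after(obs, 0)


def catch_rate(obs: List[Observation], window_days: int = 10) -> float:
    """Overall catch rate: fraction blocked at any point inside the test window."""
    return block_rate_after(obs, window_days * 24)


def average_block_time_hours(obs: List[Observation]) -> float:
    """Mean time to block, over URLs that were eventually blocked (assumed definition)."""
    times = [h for h in map(_hours_to_block, obs) if h is not None]
    return sum(times) / len(times) if times else float("nan")


def block_curve(obs: List[Observation], days: int = 10) -> List[float]:
    """Block rate at the end of each day; shows how long a browser takes to reach its maximum."""
    return [block_rate_after(obs, d * 24) for d in range(1, days + 1)]


if __name__ == "__main__":
    print(f"zero-hour block rate : {zero_hour_block_rate(SAMPLE):.1%}")
    print(f"catch rate (10 days) : {catch_rate(SAMPLE):.1%}")
    print(f"average block time   : {average_block_time_hours(SAMPLE):.2f} h")
    for day, rate in enumerate(block_curve(SAMPLE, 6), start=1):
        print(f"  end of day {day}: {rate:.1%}")
```

The `block_curve` output is what reveals the effect the article describes: a high catch rate at the end of the window can hide a slow start, which is why the zero-hour figure and the time-to-block are reported separately from the overall rate. With real data the same functions would be run once per browser over the identical URL feed so the comparison is apples to apples.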
