Web Browser-Based Attacks: How to Protect the End Users


Over recent years we have seen a huge increase in web-browser-based attacks and as per an article published by Morphisec almost 3.2 million dollars a year is spent by companies just to rectify these.

What makes these attacks lethal:

There are various factors that contribute towards it:

  • Most of the users are not aware of secure usage of internet
  • Presence of browsers in wide range of systems
  • Increased use of APIs which run on browser
  • Lack in understanding of internet usage pattern for team (Like sales, programming e.t.c)
  • Support of multiple apps by browser (ActiveX,JavaApplet,pdf,e.t.c)
  • Wide range of attacks using web-browser
  • Browser extensions which behave as downloaders

What are the common attacks:

Drive-by Downloads: The most common type of attack which uses the browser as a threat vector. There are 3 days in which this is commonly done.

  • A person visits a malicious website and without him knowing the file is it downloaded into his system.
  • The other way the same attack is accomplished is when a user clicks on a link without him understand what the click might do.
  • When a user clicks on a phishing link received via email
  • As you can see all the methods of accomplishing this attack are via “Social Engineering” (where a human’s tendency to make mistake is exploited) , MITRE ATTC&K Techniques: T1189.

Also Read: Cooking Malicious Powershell Obfuscated Commands with CyberChef

Browser redirection: A user accesses a URL however it automatically shows another URL which victim does not know. This is a social-engineering-based attack where the user might receive a phishing mail, MITRE ATTC&K Techniques: T1185.

Bugs and vulnerability in browser: Considering that web-browsers are extremely complex software there are lots of vulnerabilities that have been detected in them. Over the past several years, we have seen a fair number of vulnerabilities. Below is a snapshot from vuldb. MITRE ATTC&K Techniques: T1185.

Clickjacking attack: In this type of attack a victim clicks on a link thinking it will open a new page/download a song etc however it turns a code is executed without the user’s knowledge thus a threat gets downloaded without the user knowing it.MITRE ATTC&K Techniques: T1555.003

Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes

Man In the Browser Attack: In this attack, the attacker installs malware in the victim’s machine which infects the internet web browser. Now every activity performed by the victim is shared with the attacker (in simple terms Infostealer). When the victim tries to access sensitive data then the same is relayed to the attacker. MITRE ATTC&K Techniques: T1555.003.

Adware: Adware is a type of threat that can do either of the 2 things:

  • Get installed as Browser plugin
  • As a software in the system
    However its major aim is to collect information about the user’s behaviour and provide him selective advertisements. As such Adware is not a major threat (many security vendors even do not consider them to be a serious threat) however considering that many of these are not widely known an attacker can use this to perform any of the threats mentioned earlier (Those are red-alert threats). MITRE ATTC&K Techniques: T1176, T1189, T1217

Also Read: Threat Hunting Using Windows Scheduled task

Browser-based Cryptomining: Cryptomining is an activity of verifying encrypted Cryptocurrency transactions. The activity is a part of Blockchain technology. On each successful verification, the miner receives a token amount. Considering multiple levels of encryption involved this is a huge resource-intensive process. When a victim by mistake clicks on a link that is linked to the attacker’s machine a javascript is embedded in the victim’s browser. Now the javascript uses the victim’s system resources to perform the same task. Hence the victim might see the reduced performance while using web-browser. Like Adware crypto mining is not a major threat however following points give them merit for monitoring.

  • Many a times even after closing the website user visited they keep running till browser is closed.
  • Most of them create persistence.

Prevention techniques:

Also Read: Splunk Architecture: Forwarder, Indexer, And Search Head

  • In commonly used browsers like Chrome, Microsoft Edge, Internet explorer, firefox you have popup-blocker. Ensure that it is turned on by default. This will add a check where user will need to allow popup for the site
  • Enabling GPO policies to restrict “Automatic” functionalities. e.g: for Chrome we can find GPO templates in
    https://support.google.com/chrome/a/answer/187202?hl=en#zippy=%2Cwindows. Using this various features associated with chrome can be controlled.
  • Restrict usage of browsers to Chrome or Edge in enterprise to implement better controls.
  • Usage of tools like McAfee web-advisor can detect provide suggestions while accessing website hence providing better security. The same can be accomplished using almost all endpoint security tools (commonly known as Brower Intrusion Prevention System).https://www.mcafee.com/en-us/safe-browser/mcafee-webadvisor.html
  • Hardening of policies in proxy to ensure only those websites which are good will be accessed in the environment.

Log Sources to detect these threats:

Considering that web-browsers are applications not much is known about the security logs stored however following tools can be used for indirect checks:

  • Proxy logs: Considering that most of the proxies are embedded to browsers as PAC file they will be able to track almost all traffic. Attacks like clickjacking and browser redirection can be detected using “Referer URL”

Also Read: Latest Cyber Security News – Hacker News !

  • Firewall: Due to priciness of proxy most of the organizations prefer to use proxy for external purpose while internal machines still send traffic through firewall directly to internet. A layer 7 firewall can detect almost all traffic (if SSL inspection is enabled then its even better). However unlike proxy this needs a bit more work and analysis to be done.
  • EDR tool: Endpoint Detection and Response is a tool which can monitor all applications in environment and based on anomaly they can throw alert. An open source EDR like open EDR by comodo and Wazuh can help.

Source/Credits/Written By: https://www.linkedin.com/in/vasudev-c/

Previous articleBest Practices For Active Directory Security
Next articleBest Practices For Remote Access Security
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.


Please enter your comment!
Please enter your name here