Email can be a double-edged sword. It is one of the most important tools for business communication, and at the same time, it is the number one threat vector for cybercriminals. Phishing emails are the Achilles heel of most organizations’ security defenses.
Despite many advancements and improvements in security tools over the years, email remains a very effective way for attackers to deliver malicious payloads. According to the US Cybersecurity and Infrastructure Security Agency (CISA), more than 90% of successful cyberattacks start with phishing emails.
The Psychology of Phishing
With a single click, attackers trick people into setting off a cascade of negative consequences. According to Verizon’s recent 2022 Data Breach Investigations Report, 82% of breaches result from human error or misjudgment.
Humans are practically hard-wired to fall for carefully crafted deceptions. We rely on mental shortcuts called heuristics to help us move through life efficiently. Psychologist Robert Cialdini, author of the acclaimed book Influence, identified seven psychological principles of influence that attackers often use in phishing scams. For example, when people are uncertain about something, they look to an external authority to reduce their uncertainty and sense of ambiguity.
A recent tactic among fraudsters is to use these principles of social proof and authority to borrow the reputation of legitimate services and platforms such as Amazon Web Services (AWS). This gets users to click on links that can bypass the reputation checks of email security tools.
A recipe for disaster
Let’s see how it works. First, an attacker hacks a business account. The attacker then sends a phishing email to users, encouraging them to download a fake “Proof of Payment” file. The file is hosted on a combination of reputable, or somewhat reputable but genuine, hosting providers, including file transfer services, collaboration sites and calendar organizers. This is how the attacker circumvents email security tools.
An example of this approach appeared in 2019 in the form of a threat strain called Lampion. It used the free file transfer service “WeTransfer” to target Spanish- and Portuguese-speaking populations.
Once the user clicks on the link in the fake file, a ZIP package containing a Visual Basic Script (VBS) is installed and executed on their device. When the Wscript process starts, malicious payloads are deposited and discreetly run in the background before searching for and extracting data from the user’s computer. The final blow is when the Trojan mimics a login form on a bank login page, so that when a user enters credentials on what appears to be their bank’s login page, the fake form sends those credentials directly to the hacker. Since the breach occurs on the victim’s own device, this type of malware is more challenging for security teams to detect.
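As an added example (not from the original article or any vendor's tooling), this Python code scores process-creation events for the pattern described above: a Windows script host running a VBS file straight out of a ZIP. The event field names, the extraction-folder patterns, the scoring weights and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe")
# Assumed heuristics: temp folders used by Explorer's ZIP view, 7-Zip and WinRAR.
ARCHIVE_TEMP = re.compile(r"\\(temp1_[^\\]+\.zip|7zo[0-9a-f]+|rar\$[^\\]+)\\", re.I)
USER_DROP = re.compile(r"\\users\\[^\\]+\\(downloads|desktop)\\", re.I)
INTERACTIVE_PARENTS = {"explorer.exe", "7zfm.exe", "winrar.exe"}

def script_path(command_line):
    """Return the first .vbs/.vbe argument on the command line, or None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command_line):
        arg = quoted or bare
        if arg.lower().endswith(SCRIPT_EXTS):
            return arg
    return None

def score_event(event):
    """Score one process-creation event; 0 means not a script-host launch."""
    host = PureWindowsPath(event["image"]).name.lower()
    path = script_path(event["command_line"]) if host in SCRIPT_HOSTS else None
    if path is None:
        return 0, []
    score, reasons = 1, ["script host ran " + PureWindowsPath(path).name]
    if ARCHIVE_TEMP.search(path):
        score += 2
        reasons.append("script was opened from inside an archive")
    elif USER_DROP.search(path):
        score += 1
        reasons.append("script sits in a user download location")
    if PureWindowsPath(event["parent_image"]).name.lower() in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("launched by a user double-click")
    return score, reasons

def triage(events, threshold=3):  # keep events scoring at or above the threshold
    return [(s, r, e) for e in events for s, r in [score_event(e)] if s >= threshold]

# Constructed sample events (field names are assumptions, not a real log schema).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\ana\AppData\Local\Temp\Temp1_Proof_of_Payment.zip\Proof_of_Payment.vbs"'},
    {"image": r"C:\Windows\System32\cscript.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli"},
]

for score, reasons, _event in triage(SAMPLE_EVENTS):
    print(score, "; ".join(reasons))
```

The administrative `slmgr.vbs` call scores 1 and stays below the threshold, while the script opened from the ZIP scores 4; tune the weights and threshold against your own baseline of legitimate script-host use.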
Remote browser isolation for recovery
A great way to combat these tactics is to apply remote browser isolation (RBI) to protect the device from malicious payloads, cookies and content. RBI isolates dangerous and malicious web page requests so that only the visual stream of pixels representing the pages is shown to the user. If the administrator allows, the user can interact with the site as usual, but the contents will not actually be downloaded to the device.
Security teams can adapt RBI to suit their needs. They can create custom lists of risky reputation categories such as file sharing, peer-to-peer and gambling sites. They can protect against specific URL types, IP addresses and domains. They can still provide functionality such as uploads, downloads and clipboard usage, or block them entirely.
The bottom line is that with RBI, security teams are no longer at the mercy of reputation checks or binary allow/deny policies to spot wolves in sheep’s clothing. Even as newer, more sophisticated variants are released, security teams can ensure their systems are protected in the unfortunate event that a victim clicks on a malicious phishing email link.
Rodman Ramezanian serves on the global cloud threat front at Skyhigh Security.