Remote browser isolation can be your secret anti-phishing superpower


Email can be a double-edged sword. It is one of the most essential business communication tools and at the same time the most important threat vector for cybercriminals. Phishing emails are the Achilles’ heel of most organizations’ security.

Despite the many advancements and improvements in security tools over the years, email remains the most effective way for attackers to deliver malicious payloads. More than 90% of successful cyberattacks begin with a phishing email, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

The psychology of phishing

Attackers exploit people’s unconscious biases to trick them into making the one click that opens the door to a cascade of negative consequences. Verizon recently reported in its 2022 data breach report that 82% of breaches are due to human error or misjudgment.

Humans are practically wired to fall for carefully crafted trickery. We rely on mental shortcuts, known as heuristics, to help us move through life efficiently. Psychologist Robert Cialdini, author of the critically acclaimed book Influence, identified seven psychological influence principles commonly used by attackers in phishing scams. For example, when people are unsure about something, they look to outside authorities to reduce their uncertainty and sense of ambiguity.

The latest trick for scammers is to use these very principles of social proof and authority to piggyback on the reputation of legitimate services and platforms, such as Amazon Web Services (AWS). As a result, users click on links that also pass the reputation checks of email security tools.

A recipe for disaster

Let’s see how this works. First, an attacker compromises a business account. The attacker then sends a phishing email to users, encouraging them to download a fake ‘Receipt’ file. The file is hosted on a genuine, reputable (or at least somewhat reputable) hosting provider, file transfer service or collaboration platform, sometimes even a calendar organizer, or a combination of these. Because the link points to a legitimate service, the attacker bypasses email security tools.

An example of this approach appeared in 2019 in the form of a malware family known as Lampion. It used the free file transfer service WeTransfer to target Spanish- and Portuguese-speaking users.

Once the user makes that fateful click on the decoy file, a ZIP package containing a Visual Basic Script (VBS) is dropped and executed on their device. As the wscript process starts, malicious payloads are deposited and run quietly in the background, then begin to search for and exfiltrate data from the user’s system. The final blow comes when the trojan overlays a fake login form on a bank’s login page, so that when the user enters credentials on what appears to be their bank’s page, the fake form sends them directly to the attacker. Because this takes place on the victim’s own device, this type of malware is extremely difficult for security teams to detect.
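The chain described above (archive from a file-transfer link, a VBS inside it, wscript.exe running it from a user-writable folder) is something an endpoint detection rule can flag. The following detection logic is an added example, not code from the original article or from any product; the process-creation events are constructed in the style of Sysmon Event ID 1 fields, and the paths and PIDs are made up.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\winlogon.exe", "cmdline": "explorer.exe"},
    {"pid": 5288, "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zFM.exe" C:\Users\ana\Downloads\Receipt.zip'},
    # The user double-clicked the script inside the archive: wscript runs it from Temp.
    {"pid": 6004, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\Temp\7zO4A1\Receipt.vbs"'},
    # Benign: an admin-deployed inventory script run from Program Files by a service.
    {"pid": 6100, "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"cscript.exe //nologo C:\Program Files\Corp\inventory.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Any Windows path on the command line ending in a script-host extension.
SCRIPT_PATH = re.compile(r'([A-Za-z]:\\[^"<>|]+?\.(?:vbs|vbe|js|jse|wsf))', re.IGNORECASE)
# Locations where a downloaded or extracted file lands and an ordinary user can write.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)

def basename(win_path):
    # os.path.basename does not split on backslashes when run on Linux.
    return win_path.rsplit("\\", 1)[-1].lower()

def detect_script_host_abuse(events):
    """Return one alert per script-host execution of a script from a user-writable location."""
    alerts = []
    for ev in events:
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        for path in SCRIPT_PATH.findall(ev["cmdline"]):
            if USER_WRITABLE.match(path):
                alerts.append({
                    "pid": ev["pid"],
                    "parent_image": ev["parent_image"],
                    "script": path,
                    "reason": "script host ran a script from a download/temp location",
                })
    return alerts

if __name__ == "__main__":
    for alert in detect_script_host_abuse(EVENTS):
        print(alert)
```

A real rule would add the parent-process check (explorer.exe or an archiver as parent means a user launched it) and correlate with the subsequent network connections the article describes.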

Remote browser isolation comes to the rescue

An effective way to combat these tactics is to apply Remote Browser Isolation (RBI), which protects the device from malicious payloads, cookies, and content. RBI renders risky and malicious web page requests in a remote environment, so that only a visual stream of pixels representing the page is presented to the user. The user can still interact with the site as usual if the administrator allows it, but the content is never actually downloaded to the device.

Security teams can tailor RBI to their needs. They can create custom lists of risky reputation categories, such as file sharing, peer-to-peer, and gambling sites. They can shield themselves from specific URL categories, IP addresses and domains. They may still allow features such as uploads, downloads, and clipboard use inside the isolated session, or they may block them completely.
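The policy shape described above can be compared directly with the reputation-only check that the Receipt link slips past. This is an added illustration, not the article’s or any vendor’s policy engine; the category table, the reputation list, the example domains and the treatment of uncategorized sites as isolate-by-default are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed lookup data; real RBI products ship their own category feeds.
CATEGORY_OF_DOMAIN = {
    "wetransfer.com": "file-sharing",
    "share.example-files.net": "file-sharing",
    "example-p2p.org": "peer-to-peer",
    "example-bank.com": "financial",
}
# What a reputation feed would say: legitimate services look clean.
GOOD_REPUTATION = {"wetransfer.com", "example-bank.com"}

# Administrator-defined policy: risky categories are isolated, explicit domains blocked.
ISOLATE_CATEGORIES = {"file-sharing", "peer-to-peer", "gambling"}
BLOCK_DOMAINS = {"example-p2p.org"}
# Feature controls applied inside the isolated session, per category.
FEATURES = {
    "file-sharing": {"download": False, "upload": False, "clipboard": True},
    "default": {"download": True, "upload": True, "clipboard": True},
}

@dataclass
class Decision:
    action: str                       # "allow" | "isolate" | "block"
    category: str
    features: dict = field(default_factory=dict)
    reason: str = ""

def reputation_only(url):
    """The binary allow/deny check the phishing link is designed to pass."""
    host = urlparse(url).hostname or ""
    return "allow" if host in GOOD_REPUTATION else "block"

def rbi_policy(url):
    """Category-driven decision: isolate anything risky or unknown regardless of reputation."""
    host = urlparse(url).hostname or ""
    cat = CATEGORY_OF_DOMAIN.get(host, "uncategorized")
    if host in BLOCK_DOMAINS:
        return Decision("block", cat, reason="explicit domain block")
    if cat in ISOLATE_CATEGORIES or cat == "uncategorized":  # unknown sites isolated (assumption)
        feats = dict(FEATURES.get(cat, FEATURES["default"]))
        return Decision("isolate", cat, feats, "risky or unknown category rendered remotely")
    return Decision("allow", cat, dict(FEATURES["default"]), "trusted category")

if __name__ == "__main__":
    link = "https://wetransfer.com/downloads/abc123/Receipt.zip"
    print("reputation check:", reputation_only(link))
    print("RBI policy:", rbi_policy(link))
```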

The bottom line is that with RBI, security teams are no longer dependent on the vagaries of reputation checks or binary allow/deny policies to spot the wolf in sheep’s clothing. Even as newer, more sophisticated variants are released, security teams can rest assured that their systems are protected in the unfortunate event that a victim clicks on a malicious phishing link.

Rodman Ramezanian serves as global cloud threat lead at Skyhigh Security.
