Cyren : Think Browsers Protect You From Phishing Attacks?

Can you trust your browser to protect you from phishing? We tackled that question in research for our special report on phishing, with the results below.

Everyone has their preferred browser-Internet Explorer (IE), Firefox, Chrome, and a few other lesser known browser applications that employees use to surf the web. Unfortunately, for the vast majority of small businesses, the browser application is the only source of protection available, since many SMBs do not use web security solutions to prevent users accessing dangerous links.

A typical warning from a Microsoft Internet Explorer browser

While browser security certainly provides some minimum protection for business users, it is, nevertheless, a secondary feature, and therefore has limitations in terms of the browser's ability to recognize and block a phishing site, and then post warnings for users.

To gauge the effectiveness of browser-based phishing protection, we compared the time between detection by Cyren (the 'zero-hour') and the appearance of a warning message in the browsers used by most organizations. The browsers analyzed were Microsoft Internet Explorer (IE) 11, Microsoft Edge, Mozilla FireFox, and Google Chrome.

Since many phishing sites examined stayed live for at least 48 hours, we monitored all sites for at least two days. Based on Cyren's analysis, Google Chrome and Firefox did the best job detecting and blocking known phishing sites with Chrome blocking 74% of phishing sites within 6 hours and 20 minutes on average. The remaining 26% were not detected by the time they went offline.

Microsoft's SmartScreen Filter analyzes pages users visit and determines if the page might be suspicious

Notably, the Microsoft browsers were too slow in flagging malicious sites and often these sites were already offline before any notification could warn users. However, in spite of having a low detection rate, Microsoft does get an honorable mention for its 'SmartScreen Filter' which popped up warnings after detecting a suspicious looking page hidden inside a different site-before the site had been confirmed as a phishing site. In the example below, a 'Google Docs' page hides in a hacked travel website, which the Microsoft Smartscreen Filter flags with a warning. While not a full warning it does give users pause and will likely result in the user not falling victim to the phishing site.

The TakeAway: Don't Rely on Browsers for Security

Ultimately, while Chrome appears to be the most reactive browser in terms of blocking phishing, demonstrating a 75% detection rate, it is important to not rely on browsers as the sole source of internet cybersecurity. In fact, there is a basic flaw in the concept of 'secure browsing', known as 'click-through syndrome' related directly to how users interact with website content.

The security model for browsers includes a variety of participants, from programmers, regulators, vendors, content mangers, and the users. These participants may not communicate on a standard security model; so, while the Internet Engineering Task Force (IETF) might codify security protocol, the protocol may never be adopted by individual user interface (UI) groups. The web server vendors may also never update the Server Name Indication (TLS/SNI), creating inconsistency in how browsers interpret website information. As an example, it isn't unheard of for a browser to flag a website as dangerous, when in fact the website has simply been misconfigured. In addition, because today's internet users are inundated with messages and pop-up boxes, users have been conditioned to bypass the content on these boxes by ignoring the message all together, and simply clicking the box close. In the end, legitimate warnings fail because users are so inundated with either mistaken warnings or constant pop-up boxes, that when browsers do catch real phishing sites, users simply ignore the warnings.

The only way to combat click-through syndrome and protect users from phishing is by supplementing corporate security with web security technology.

Want to learn more about cloud-based email & web security? Contact us here!