Browser-based phishing attacks up 140 percent

New research from Menlo Security, based on analysis of more than 750,000 browser-based phishing attacks, shows a startling 140 percent increase compared to 2023, and a 130 percent increase specifically in zero-hour phishing attacks.

Microsoft, Facebook, and Netflix are the brands most commonly impersonated in browser-based phishing attempts. However, generative AI services are also increasingly impersonated with nearly 600 incidents of GenAI fraud identified, in which imposter sites used GenAI platform names to manipulate and exploit unsuspecting victims.

"Interestingly, the majority of GenAI fraud was not for the purpose of credential theft," says Andrew Harding, VP of security strategy at Menlo Security. "Instead, these impersonation sites attempted to trick people into entering highly personal information. These fake GenAI platforms promise to generate a résumé or similarly personal document. In addition to cybercriminals stealing sensitive and personal information, the returned document is typically a PDF, where malware can hide out and be delivered. In the past year, Menlo Security successfully thwarted hundreds of incidents of such GenAI fraud."

Among other findings cybercriminals created nearly a million new phishing sites each month, which represents a 700 percent increase since 2020. Nearly 51 percent of browser-based phishing attempts involved some form of brand impersonation, while 75 percent of phishing links are hosted on good, trusted websites, with up to six days as the average window of exposure before legacy security tools begin blocking pages from zero-hour phishing attacks. Phishing attacks hosted on subdomain providers also increased by 51 percent, representing 24 percent of all phishing attacks.

"Threat actors have advanced in speed and skills. They are using the same tools and infrastructure as professional engineers," adds Harding. "We're seeing a dangerous combination of zero-day attacks, advanced social engineering techniques, sophisticated phishing techniques, and readily-available phishing-as-a-service kits, all designed to infiltrate systems and steal valuable data. Our research has revealed a stark reality: One in five attacks in 2024 displayed some form of evasive technique designed to evade traditional network and endpoint-based security controls. This trend is only poised to escalate dramatically in 2025 as attackers adopt AI to increase both scale and effectiveness. Organizations must prioritize browser security to detect and stop such attacks."

You can read more on the Menlo blog.

Image credit: Josepalbert13/Dreamstime.com