Neko Papez | Jul 11, 2023
Whether it’s the push for fully remote work, in-office work, or a hybrid workstyle, the conversation around how and where employees will work continues. But guess what? To cybercriminals, this conversation doesn’t really matter. Not one bit. That’s because no matter where today’s enterprise worker resides and where the work is happening geographically, it’s happening digitally within a web browser. Today, the web browser is the go-to tool to get work done. It’s transformed how we communicate, work, and entertain ourselves. Its significance is undeniable.
The significance of the browser is, likewise, undeniable to attackers. And they are employing evasive techniques when attacking enterprise systems and data via social engineering and vulnerabilities found within web browsers. We’ve recently covered some methods, including HTML smuggling, malicious password-protected files, and MFA bypass attacks. Yet, these aren’t the only evasive attack techniques the Menlo Labs research team has been tracking.
Another such attack is what’s known as a legacy URL reputation evasion (LURE) attack. LURE attacks are designed to – and successfully do – bypass the web filters used to stop enterprise users from visiting malicious or compromised websites. Those filters work primarily by rating a website’s reputation and blocking users from reaching sites with a bad one, and attackers are now gaming that system to their advantage. LURE attacks are on the rise: based on an analysis of Menlo customer data by the Menlo Labs research team, there was a 70% increase from July 2021 to July 2022.
LURE attacks are used by threat actors to evade web filters that attempt to categorize domains based on trust. By successfully infiltrating trusted websites with malware, attackers can effectively evade URL filtering security defenses. The threat actors, in turn, use the malware-infected websites to compromise endpoints and snatch user credentials.
For more targeted attacks, threat actors may even go as far as to build new websites and leave those sites to operate on the web benignly so that they gain a good reputation over time. Eventually, they’ll flip the behavior of these websites to launch their attack campaigns and take URL categorization engines by surprise. They’ll also lure victims to these sites through spear-phishing emails.
Attackers also flip the use of traditionally defensive measures, such as CAPTCHAs, to improve their chances of success. While CAPTCHAs were developed to tell human users apart from automated bots, threat actors now use them to block web categorization crawlers and hide a site’s true nature from those crawlers.
These different LURE examples can be used to publish phishing pages, execute browser exploits, and deliver malicious files to user endpoints.
Because LURE attacks evade traditional web filters by quickly flipping benign and trusted websites to malicious websites, these attacks tend to compromise a large pool of unsuspecting users swiftly. While web and DNS filters efficiently block already known malicious websites, the categorization engines and deny lists within these technologies don’t work swiftly enough to block the initial waves of LURE attacks.
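As an added illustration of the gap described above (not code from the original post or from Menlo), the following example contrasts a reputation-only filter with one that also reacts to the page behaviours this post names: a credential form on a site rated benign, a CAPTCHA wall in front of the content, and a file download from a trusted category. The log format, host names, category labels and content-type list are all constructed assumptions for the demo.

```python
"""Category-only web filter next to one that also checks page behaviour.
Records are constructed; hosts, fields and lists are assumptions, not Menlo logic or data."""
from dataclasses import dataclass

KNOWN_LOGIN_HOSTS = {"login.idp.example"}  # where a credential form is expected (assumed)
DOWNLOAD_TYPES = {"application/zip", "application/x-msdownload"}  # common payload carriers (assumed)

@dataclass
class Request:
    host: str
    category: str       # verdict from the URL reputation feed
    login_form: bool    # page posts credentials somewhere
    captcha_gate: bool  # CAPTCHA shown before any content is rendered
    content_type: str   # response type, "" if the response is not a download

def parse(line: str) -> Request:
    """Parse 'host|category|login|captcha|content_type' (constructed log format)."""
    host, cat, login, captcha, ctype = line.strip().split("|")
    return Request(host, cat, login == "1", captcha == "1", ctype)

def legacy_policy(r: Request) -> str:  # reputation only: anything not rated malicious is allowed
    return "block" if r.category == "malicious" else "allow"

def layered_policy(r: Request) -> str:
    """Reputation plus behaviour: a benign-rated site is still isolated when it acts
    like a credential-harvesting or payload-delivery page."""
    if r.category == "malicious":
        return "block"
    if r.login_form and r.host not in KNOWN_LOGIN_HOSTS:
        return "isolate"  # lookalike login page on a site rated benign
    if r.captcha_gate:
        return "isolate"  # CAPTCHA wall that hides the real content from crawlers
    if r.content_type in DOWNLOAD_TYPES:
        return "isolate"  # file delivery from a trusted category
    return "allow"

SAMPLE_LOG = """\
blog.aged-site.example|blogs|1|0|
shop.aged-site.example|shopping|0|1|
docs.aged-site.example|business|0|0|application/zip
news.example|news|0|0|
login.idp.example|business|1|0|
known-bad.example|malicious|0|0|application/zip"""

def compare(log: str = SAMPLE_LOG) -> dict:
    """Return {host: (legacy_verdict, layered_verdict)} for every record."""
    verdicts = {}
    for line in log.splitlines():
        r = parse(line)
        verdicts[r.host] = (legacy_policy(r), layered_policy(r))
    return verdicts
```

Every aged-site record is allowed by the reputation-only policy and isolated by the layered one, while the plain news site and the known identity provider stay allowed.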
These URL filters — traditionally the first line of defense — have been effective for more than two decades at deciding whether a site is good or bad based on the reputation of its URL. Unfortunately, attackers have learned their way around them. These defenses were designed for a time when criminals would create a malicious website, host malware on it, and then do their best to drive traffic to that site. Once the nature of the website was determined, URL filters would stop these attacks by blocking those URLs.
Threat actors have evolved their techniques through evasive LURE attacks to outpace these filters. And they’re not done refining their LUREs: they continue to build up a supply of websites with good reputations that they will eventually flip into sites that launch effective LURE attack campaigns.
For these reasons, we categorize LURE attacks as Highly Evasive Adaptive Threats (HEAT).
HEAT attacks have grown in popularity among threat actors with the rise of cloud services and software-as-a-service applications. Cloud services, which by their very nature are accessed through a web browser, make the browser the ideal target for digital attacks. And since traditional security tools were designed to defend applications installed on endpoints and traffic that flows across local networks, they are less than effective at protecting data and connections within the browser.
According to Palo Alto Networks, 90% of phishing kits use evasive techniques that render traditional web security useless.
There are numerous recent examples of LURE-style HEAT attacks occurring. Earlier this year, news broke of an “aggressive threat actor” targeting the finance and healthcare industries with SEO poisoning tactics and malware known as “Gootloader.”
“The actors create websites or populate web forums or similar websites with specific keywords and links, leading to a website hosting the infected file,” SC Magazine quoted researchers as stating.
In another recent attack, the tech news site BleepingComputer provided an analysis of a phishing campaign that utilized malicious Google ads to place phishing site results in Google search results. The attackers targeted Amazon Web Services (AWS) login credentials.
Thanks to effective SEO, the malicious ads ranked second when searching “AWS.” Users were directed to a blogger’s website when they clicked on one of the malicious ads. In this LURE attack, the websites hosted what appeared to be an authentic AWS login page.
Similarly, notorious groups such as the North Korean state actor Lazarus Group have been seen to use LURE attacks. There has also been the VIPER spear-phishing campaign, the Qakbot campaign, and other nation-state threat actors using LURE-style attacks.
These attacks are becoming pervasive, with 50% of HEAT attacks emanating from categorized websites out of more than 5 million malicious URLs analyzed by Menlo Labs.
Browser isolation technologies can also be used to analyze browser activity and determine malicious intent, so that a dynamic security policy can be invoked to prevent the threat from reaching the end user’s browser. Document-specific security policies can likewise be applied to HEAT downloads, which are viewed or downloaded in an isolated mode that protects the end user from risk.
Enterprise security teams must understand how to defend their users, systems, and data from HEAT attacks such as LURE. Whether the workforce works remotely, on-site, or a little bit of both doesn’t matter to attackers — they’re going to target the place where workers are always doing their work: their web browsers.