In order to keep computers and personal/business data safe from phishing attempts, many do such basic things as install antivirus software or a spam filter. However, many more forget to secure one of the most vulnerable applications on their system: the web browser.

Perhaps they think the browser is already secure enough or they simply don’t know how to protect themselves. It is with this in mind we present this article.

Common Web Browser Security Issues

The Internet can be both a wonderful and treacherous place and the web browser is essentially your front door to it all. Among the biggest lurking dangers are websites that contain or deliver malware that can infect and/or control computers. Merely visiting these sites can be trouble. But how do they get you there? One of the most popular ways is thru spoofing – luring the user to a site that appears to be a legitimate entity (like a bank or ecommerce site) but is really just a cleverly designed front.

Spoofed sites are often used in conjunction with a phishing email. Sometimes the URL looks similar enough to fool people into believing it’s the real deal. A popular spoofing tactic is to use Cyrillic characters that look similar to English letters – for example this URL: appІe.com. It looks like it is real, but the “І” is really from the Eastern European/Asian alphabet. Some browsers catch this switcheroo (Safari and Edge) but some don’t (Chrome and Firefox).

Another huge vulnerability is JavaScript. This code is very popular and handy for things like playing games or watching videos but, in the wrong hands, it can deliver malicious payloads and take over browsers, steal data, and even turn on the camera or microphone. While many are moving away from JavaScript to HTML5 (which has its own security issues) it’s still a very common platform, especially for older computers and browsers.

A third major area of concern is third-party apps, sometimes called extensions or add-ons. These tools can offer additional productivity (like screenshots or spell checks) but they often have access to a lot of your personal data that they don’t really need. Some apps are built to be malicious, while others can be taken over.

Even developers can fall for hacker tricks. In August 2017, the creator of the popular Web Developer app for Chrome was fooled by a phishing scam; the crooks then uploaded their own version of the app, which was downloaded to a million computers.

Security Awareness

10 Tips to Keep Your Browser More Secure

Now that you know some of the major vulnerabilities in the web browser, here is a list of 10 key things you can do to increase your security.

  1. Make sure your browser receives automatic security updates (this is the default for Firefox and Chrome). If you are using the latest Safari or Microsoft browsers, those are updated along with the OS, so it’s important to turn on automatic updates for the entire system or at least make sure they are updated immediately.
  2. Block pop-up ads with an app such as Adblock Plus. These ads are not only annoying but, if the use JavaScript, they can possibly infect your computer. (Still, it’s important to support websites you use regularly that rely on advertising, so you can toggle it off at will.)
  3. Do NOT let your browser store your passwords. Use a password manager such as LastPass or, for extra security, write down and keep in a locked drawer. While password managers are also not infallible, most experts believe they increase overall security.
  4. Clear cookies. Everybody loves cookies, including criminals. While you may have to give access to first-party cookies to visit your favorite sites, some browsers allow you to disable third-party cookies. At the very least, regularly clean your cookies and cache.
  5. Always double-check the URL. Make sure you are visiting the site you intended to go to, especially if you are clicking a link from an email or other message. Most large legit sites now use SSL connections, which are more secure and can be identified by the “https” and the padlock icon in the URL window.
  6. Use the hover test. Sometimes phishing links say one thing but take you somewhere else. Before even clicking, place your mouse over the link, which will then display the actual URL.
  7. Listen to your browser. If a site has been blacklisted or there is some other threat, your browser will sometimes display a warning message. Don’t go against the recommendation; return to safety.
  8. Disable automatic downloads. Some nefarious sites use a tactic called “drive-by phishing,” which installs malware on your computer as a background task. If automatic downloads are disabled, you will be notified if this is happening.
  9. Disable Silverlight, Flash and Java. These plugins are from a bygone era. However, some sites do use them (and Chrome recommends you keep them on). However, if you are really worried about security, you can enable only for specific sites.
  10. Think. Always be on the lookout for suspicious emails, social messages, or texts. If you spot something at work, notify IT or a supervisor immediately.

These points are a good starting point for securing your browser. For deeper information, do an online search for security by typing in your browser’s name.

References

https://www.theguardian.com/technology/2017/apr/19/phishing-url-trick-hackers

https://www.acunetix.com/websitesecurity/cross-site-scripting/

https://www.howtogeek.com/188346/why-browser-extensions-can-be-dangerous-and-how-to-protect-yourself/

https://www.techlicious.com/tip/make-browser-more-secure-disabling-plugins-silverlight-flash-java/

https://us.norton.com/Internetsecurity-malware-what-are-browser-hijackers.html?aid=web_browser_security

Be Safe

Section Guide

Stephen
Moramarco

View more articles from Stephen

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.

Section Guide

Stephen
Moramarco

View more articles from Stephen