Browsers have become an attractive target for cybercriminals

Browser-based cyberattacks

Some prevalent cyberattacks that target browsers or are facilitated by browsers:

Phishing and spear phishing

Hackers send a malicious email from a trusted source, which makes a user think it’s safe to view.

This email will either contain a malicious link or an attachment; clicking either of these often triggers a script that allows a hacker to have complete access to the user’s system. Once the hacker has access, they’ll search for personal information like social security numbers, credit or debit card details, bank account information, and passwords, as well as business-critical information.

With access to the system, the hacker can also deploy additional malware that spreads to other systems in a network or erases data.


These attacks can occur by a hacker deploying a simple trojan into a browser using existing vulnerabilities in browsers, extensions, or plug-ins. For example, by installing a malicious extension that contains a trojan on a user’s browser, any sensitive information—like passwords, credit or debit card details, social security numbers, and business-sensitive documents—can be tracked and the data can be either stolen or accessed remotely using this extension and its trojan capabilities.

Man-in-the-browser (MITB) attacks are complicated, difficult to identify, and demonstrate how browser security is key for data security.

Browsers falling victim to MITB attacks can also open a gateway to more hazardous trojans like Zeus, Shamoon, Zberp, KinS, and Triton.

Drive-by download

Cybercriminals look for vulnerable websites and try to deploy malicious scirpts into them. Depending on the attack, when a user visits a website containing a malicious script, that user may either directly trigger the malware, or the user will be directed to another, more malicious webpage that’s able to breach their computer.
Drive-by downloads attacks are difficult to identify as they require no action from the user, such as opening an attachment. Drive-by attacks can occur by exploiting OS vulnerabilities, browser vulnerabilities, or outdated extensions. Reinforced browser security is the key to combatting drive-by attacks.

Cross-site scripting (XSS)

These attacks are similar to drive-by attacks, but this is when a hacker uploads a payload to a JavaScript-vulnerable website. The payload will modify or replace the existing Javascript with malicious script that can steal browser cookies. When a user visits this website, they trigger the payload, which sends the user’s cookies to the hacker. With the cookies, the hacker can gain access to the user’s sensitive information and even perform session hijacking.


Adware is a type of malware that appears on browsers for marketing purposes. Adware typically replaces ads a user would
normally see with specific ads, and will replace the user’s default search engine with one of the attacker’s choosing.

Hackers benefit from adware because it generates traffic for websites that users wouldn’t normally visit.

Fireball, adware that caused chaos to businesses in 2017, is one good example of this type of threat. Extensions from untrusted sources are a common gateway for adware. Properly scrutinizing which extensions are installed can help prevent adware.



Cryptojacking is when the processing power in a target’s device is hijacked to mine cryptocurrency.

This process generates passive revenue for the hacker, usually without the victim even being aware that they’re infected.

For example, the British and Canadian governments became victims of cryptojacking when hackers exploited text-to-speech software embedded in their official websites. Attackers injected a script into the website to mine Monero through visitors’ browsers. Sometimes cryptojacking malware can also divert the stolen processing power to efforts outside of mining cryptocurrencies.

Steganographic payloads

Digital steganography is the practice of concealing files or messages in a file that wouldn’t normally contain a message. For
example, an innocuous image can be used as the cover file, but the file contains a ZIP file that automatically extracts itself once the image is opened.

Steganography hides the fact that a malitious script is being communicated, meaning detecting a embeded part in the file is difficult.

In the above example, inspecting the image’s file properties would not reveal that it contains a ZIP file.

The famous Zeus banking trojan targeted banking and financial organizations is developed based on steganographical payload embedding methodologies. Zeus is difficult to detect, even with up-to-date anti-virus software, and as a result, created the largest botnet on the internet. The highlight of the Zeus trojan was that it was deployed using a MITB attack.

The picture is modified via 


The complexity and difuculties. Browsers are often dependent on various plug-ins and extensions to render their full functionalities. In other words, browsers provide an ecosystem where multiple components coexist to achieve a common goal.

Each browser has a separate ecosystem and satisfies different use cases. Due to the variance of each browser’s functionalities and add-ons, pinpointing which browser component was used to infiltrate malware in an organization can be difficult. To find a threat origin CERT needs visibility into the all IT assets in their organization.

A set of tools related to Mozilla security and remore site serity can be found at



Battling browser-based threats head-on

Best practices for maintaining browser security