Many employees rely on their web browser’s auto-fill feature to make day-to-day Internet tasks easier and more convenient. From Safari and Firefox to Google Chrome and Microsoft Edge, modern Internet browsers all seek to save users time by using previously entered information to automatically populate login boxes and form fields. However, precisely because auto-fill is so ubiquitous, hackers have found a way to exploit your employees’ reliance on it in a new form of phishing attack that could put your business’s critical data at risk.
The potential to use a browser’s auto-fill feature in phishing attacks was first revealed by Finnish web developer Viljami Kuosmanen. Speaking with technical support site Bleeping Computer last month, Kuosmanen noted that he “had known about this issue for a long time” and had decided to investigate further to demonstrate the extent of the risk.
Essentially, a user becomes vulnerable to a phishing attack that abuses their browser’s auto-fill feature when they are directed to an illicit website containing invisible form fields. For example, the user could be attempting to unsubscribe from what looks to be a regular spam e-mail. Upon clicking the “unsubscribe” link in the e-mail, the user is directed to a normal-looking website with fields for their name and e-mail address to remove themselves from the mailing list. What the user doesn’t see are the hidden form fields on the page designed to steal their personal or business information. By entering their name and e-mail address, the user triggers their browser’s auto-fill feature, which also fills in the hidden fields; those fields could be requesting sensitive business information such as account numbers or credit card numbers.
Kuosmanen created a mock website to demonstrate the extent of the risk of auto-fill being used for phishing attacks; this site actually showed how easy it was for a hacker to deceive users into sharing stored data. In his research, Kuosmanen says that he was surprised by how much information the Google Chrome browser he was using had saved for auto-fill.
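To illustrate the hidden-field technique described above from the auditing side, here is an added JavaScript check (not from the article or from Kuosmanen’s demo site) that scans a page’s HTML for inputs that are hidden from the user yet labelled so that auto-fill would populate them. The sample unsubscribe form, the token list and the name-keyword regex are constructed assumptions for the demonstration.

```javascript
// Constructed sample page: an unsubscribe form with two visible fields and two
// off-screen fields the victim never sees but that auto-fill would complete.
const SAMPLE_HTML = `
<form action="/unsubscribe" method="post">
  <input type="text" name="name" autocomplete="name">
  <input type="email" name="email" autocomplete="email">
  <input type="text" name="phone" autocomplete="tel" style="position:absolute; left:-9999px">
  <input type="text" name="card" autocomplete="cc-number" style="display: none">
  <input type="hidden" name="csrf" value="constructed-token">
  <button type="submit">Unsubscribe</button>
</form>`;
// WHATWG autocomplete tokens that map to sensitive stored data (a subset).
const SENSITIVE_TOKENS = new Set([
  'tel', 'cc-number', 'cc-exp', 'cc-csc', 'cc-name', 'street-address',
  'address-line1', 'postal-code', 'organization', 'bday', 'current-password',
]);
// Fallback for inputs with no autocomplete attribute: name/id keywords browsers use to guess purpose.
const SENSITIVE_NAME_RE = /card|ccnum|phone|tel|address|zip|postal|company/i;

// Parse one tag's attribute string into a lowercase-keyed object.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (let m; (m = re.exec(attrText)) !== null;) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Heuristic: hidden attribute, display/visibility/opacity tricks or off-screen positioning.
function isVisuallyHidden(attrs) {
  if ('hidden' in attrs) return true;
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  return /display:none|visibility:hidden|opacity:0(;|$)|(left|top):-\d+px/.test(style);
}

// Return every input hidden from the user that would still attract auto-fill data.
function findHiddenAutofillFields(html) {
  const findings = [];
  const tagRe = /<input\b([^>]*)>/gi;
  for (let m; (m = tagRe.exec(html)) !== null;) {
    const attrs = parseAttributes(m[1]);
    // type=hidden controls are never auto-filled, so only visually hidden text-like inputs matter.
    if ((attrs.type || 'text').toLowerCase() === 'hidden' || !isVisuallyHidden(attrs)) continue;
    const token = (attrs.autocomplete || '').toLowerCase().split(/\s+/).pop();
    if (SENSITIVE_TOKENS.has(token)) findings.push({ name: attrs.name || '', reason: `autocomplete=${token}` });
    else if (SENSITIVE_NAME_RE.test(attrs.name || attrs.id || '')) findings.push({ name: attrs.name || '', reason: 'name keyword' });
  }
  return findings;
}
```

Running `findHiddenAutofillFields(SAMPLE_HTML)` flags only the off-screen phone and card fields, which is exactly the kind of page a security team would want surfaced before an employee’s browser fills it in.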
Given how pervasive auto-fill is, how can you help your employees avoid falling victim to this phishing scheme? Luckily, the solution is fairly straightforward. If your company’s computers use a browser that enables auto-fill by default, such as Safari or Chrome, you will need to have your employees deactivate the feature. Turning off auto-fill takes one click in the Settings or Preferences menu. If you want to take additional precautions against such phishing attacks, have your employees switch to Microsoft Edge or Firefox; these browsers don’t allow multi-field auto-fill at all.
Concerned that your employees might be engaging in practices that put your business’ cyber security at risk? Our team of experts can evaluate your data security procedures and see if you have any weak points that are putting your company at risk. Contact us today at (415) 294-5250 or firstname.lastname@example.org to learn more.