All browsers tested showed high block rates against socially engineered malware and phishing

AUSTIN, Texas – December 5, 2018 – NSS Labs, Inc., a global leader and trusted source for independent, fact-based cybersecurity guidance, today announced the release of its 2018 Web Browser Security Comparative Reports. These reports examine the abilities of three leading web browsers to protect users from socially engineered malware and phishing attacks.

Phishing attacks and socially engineered malware (SEM) are among the most prominent and impactful security threats facing users today. These attacks pose significant risk to individuals and organizations alike by threatening to compromise or acquire sensitive personal and corporate information. Phishing attacks are becoming increasingly complex and sophisticated, which makes them harder to visually detect prevent and more difficult to generally prevent.

For several years, the use of social engineering has accounted for the bulk of cyberattacks against consumers and enterprises. SEM attacks use a dynamic combination of social media, hijacked email accounts, and false notification of email accounts to take advantage of the implicit trust between contacts and to deceive victims into believing that links to malicious files are trustworthy.

The NSS Labs 2018 Web Browser Security Test assessed the average block rate, consistency of protection, amount of time required to add protection for new threats, and zero-day protection capabilities of leading browsers. The findings from the 2018 Web Browser Comparative Reports provide valuable insights to help both enterprises and end users establish a strong layer of defense and minimize risk through a secure browser experience.

Key Findings:

  • Phishing block rates ranged from 94.3% to 96.7%.
  • Zero-hour phishing protection ranged from 77.3% to 89.5%.
  • The average overall block rate for SEM was 99.7% when security capabilities built into the operating system (OS) were taken into account.
  • Built-in OS security contributed between 9.6% and 19.5% to the SEM security efficacy score for two of the three browsers tested.

Key Takeaways:

  • Immediate protection against new phishing URLs is critical. As phishing sites are discovered, they are taken down, often within a relatively short amount of time. Products that fail to add protection in a timely manner will expose users to greater risk.
  • To minimize risk, NSS Labs recommends that users select browsers with the following capabilities:
    • Higher phishing block rates, consistency of protection, and early protection against new threats
    • The right combination of OS and browser
  • Education is a key component of protection against SEM and phishing attacks. Users who are able to identify socially engineered attacks rely less on technology for protection against such attacks. NSS Labs recommends supplementing browser protection with user education to protect against attacks that bypass browser protections.

The 2018 Web Browser Comparative Reports:

  • The SEM tests comprised 81,729 test cases that included 1,196 unique suspicious samples. Ultimately, 708 samples met NSS Labs’ validation criteria and were included as part of the test.
  • The phishing tests comprised 56,669 test cases that included 2,943 unique and suspicious URLs. On average, 21 new validated URLs were added to the test per day; the number of URLs added each day varied according to fluctuating levels of criminal activity.

“The web browser is the first line of defense against web-borne threats,” said Jason Brvenik, Chief Technology Officer at NSS Labs. “Web-based attacks from socially engineered malware and phishing can be difficult to identify for even the most seasoned practitioner. Choosing a browser that provides an effective layer of defense against attacks reduces the burden on users and other deployed security controls. Since browsers often have visibility into threats before other security technologies that are deployed both on the network or endpoints, their selection and configuring can dramatically impact an organization’s security posture.”

The following browsers were tested:

  • Google Chrome: Version 69.0.3497
  • Microsoft Edge: Version 42.17134.1.0
  • Mozilla Firefox: Version 61

As with all NSS Labs group tests, there is no fee for participation, and the test methodology is available in the public domain to provide transparency and to help enterprises understand the factors behind test results.