www.proofpoint.com
2a02:e980:107::cf
Public Scan
URL:
https://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates
Submission: On October 17 via api from TR — Scanned from DE
Form analysis
3 forms found in the DOM/us
Text Content
Podcasts Learn about the human side of cybersecurity. Episodes feature insights from experts and executives. New Perimeters Magazine Get the latest cybersecurity insights in your hands – featuring valuable knowledge from our own industry experts. Threat Glossary Learn about the latest security threats and how to protect your people, data, and brand. Events Connect with us at events to learn how to protect your people and data from ever‑evolving threats. Customer Stories Read how Proofpoint customers around the globe solve their most pressing cybersecurity challenges. Webinars Browse our webinar library to learn about the latest threats, trends and issues in cybersecurity. Watch now to earn your CPE credits Security Hubs Get free research and resources to help you protect against threats, build a security culture, and stop ransomware in its tracks. Threat Hub CISO Hub Cybersecurity Awareness Hub Ransomware Hub Insider Threat Management Hub About Proofpoint Proofpoint is a leading cybersecurity company that protects organizations' greatest assets and biggest risks: their people. Why Proofpoint Today’s cyber attacks target people. Learn about our unique people-centric approach to protection. Careers Stand out and make a difference at one of the world's leading cybersecurity companies. News Center Read the latest press releases, news stories and media highlights about Proofpoint. Privacy and Trust Learn about how we handle data and make commitments to privacy and other regulations. Environmental, Social, and Governance Learn about our people-centric principles and how we implement them to positively impact our global community. Support Access the full range of Proofpoint support services. Learn More Zeigen Sie weiterhin Inhalte für Ihren Standort an United StatesUnited KingdomFranceDeutschlandEspaña日本AustraliaItaliaFortsetzen Blog Threat Insight Are You Sure Your Browser is Up to Date? 
The Current Landscape of Fake Browser Updates ARE YOU SURE YOUR BROWSER IS UP TO DATE? THE CURRENT LANDSCAPE OF FAKE BROWSER UPDATES Share with your network! October 17, 2023 Dusty Miller KEY TAKEAWAYS * Proofpoint is tracking multiple different threat clusters that use similar themes related to fake browser updates. * Fake browser updates abuse end user trust with compromised websites and a lure customized to the user's browser to legitimize the update and fool users into clicking. * Threat actors do not send emails to share the compromised websites. The threat is only in the browser and can be initiated by a click from a legitimate and expected email, social media site, search engine query, or even just navigating to the compromised site. * The different campaigns use similar lures, but different payloads. It is important to identify which campaign and malware cluster the threat belongs to help guide defender response. OVERVIEW Proofpoint is currently tracking at least four distinct threat clusters that use fake browser updates to distribute malware. Fake browser updates refer to compromised websites that display what appears to be a notification from the browser developer such as Chrome, Firefox, or Edge, informing them that their browser software needs to be updated. When a user clicks on the link, they do not download a legitimate browser update but rather harmful malware. Based on our research, TA569 has used fake browser updates for over five years to deliver SocGholish malware, but recently other threat actors have been copying the lure theme. Each threat actor uses their own methods to deliver the lure and payload, but the theme takes advantage of the same social engineering tactics. The use of fake browser updates is unique because it abuses the trust end users place in both their browser and the known sites that they visit. 
Threat actors that control the fake browser updates use JavaScript or HTML injected code that directs traffic to a domain they control, which can potentially overwrite the webpage with a browser update lure specific to the web browser that the potential victim uses. A malicious payload will then automatically download, or the user will receive a prompt to download a “browser update,” which will deliver the payload. FAKE BROWSER UPDATE LURE AND EFFECTIVENESS The fake browser update lures are effective because threat actors are using an end-user's security training against them. In security awareness training, users are told to only accept updates or click on links from known and trusted sites, or individuals, and to verify sites are legitimate. The fake browser updates abuse this training because they compromise trusted sites and use JavaScript requests to quietly make checks in the background and overwrite the existing, website with a browser update lure. To an end user, it still appears to be the same website they were intending to visit and is now asking them to update their browser. Proofpoint has not identified threat actors directly sending emails containing malicious links, but, due to the nature of the threat, compromised URLs are observed in email traffic in a variety of ways. They are seen in normal email traffic by regular end users who are unaware of the compromised websites, in monitoring emails such as Google alerts, or in mass automated email campaigns like those distributing newsletters. This creates a situation where these emails are considered to be malicious during the time the site is compromised. Organizations should not treat the fake browser update threats as only an email problem, as end users could visit the site from another source, such as a search engine, social media site, or simply navigate to the site directly and receive the lure and potentially download the malicious payload. 
Each campaign uniquely filters traffic to hide from researchers and delay discovery, but all the methods are effective at filtering. While this may reduce the potential spread of malicious payloads, it enables actors to maintain their access to the compromised sites for longer periods of time. This can complicate the response, because with the multiple campaigns and changing payloads, responders must take time to figure out what they need to look for and identify the relevant indicators of compromise (IOCs) at the time of the download. CAMPAIGNS The current landscape includes four different threat clusters using unique campaigns to deliver fake browser update lures. Due to the similarity in the lures and attack chain, some public reporting has incorrectly attributed the activity to the same threat cluster. Based on Proofpoint's distinct visibility, Proofpoint researchers were able to break these into more granular clusters. Proofpoint’s research focuses on the fake browser update landscape overall, to provide details on how defenders can identify each unique campaign, as well as additional links to additional Proofpoint or third-party reporting containing in-depth research and analysis. For example, Jérôme Segura of Malwarebytes has put together a good resource showing some of the images each campaign uses as lures on GitHub. Each campaign has some general shared characteristics that can be described as three distinct stages of the campaign. “Stage 1” is a malicious injection on a legitimate, but compromised, website. “Stage 2” refers to the traffic to and from the actor-controlled domain that does most of the filtering and hosts the lure and malicious payload. “Stage 3” is the execution of the payload on a host after download. SOCGHOLISH SocGholish is the primary threat that people think of when talking about a fake browser update lure and it has been well documented over the years. 
Proofpoint typically attributes SocGholish campaigns to a threat actor known as TA569. Proofpoint has observed TA569 act as a distributor for other threat actors.

Currently, TA569 is using three different methods to direct traffic from the stage 1 compromised websites to their actor-controlled stage 2 shadowed domains.

The first method is using an injection that utilizes the Keitaro traffic distribution system (TDS) via a variety of actor-controlled domains. Those domains will filter some requests out before routing to the stage 2 domains. Most of the injects that point to Keitaro TDS URLs will contain multiple different redirect domains in the same file, as seen in figure 2 below.

The second method TA569 uses is Parrot TDS (also known as NDSW/NDSX) to obfuscate their injected code and apply similar filtering before routing requests to the stage 2 domains. Compromised websites may contain as many as 10 malicious JavaScript files that all contain Parrot TDS injections leading to SocGholish payloads.

The third method TA569 uses is a simple JavaScript asynchronous script request in compromised websites’ HTML that reaches out to a stage 2 domain.

The variety of injections makes it difficult for defenders to both identify the location of the malicious injection and reproduce the traffic due to the various stages of filtering.

Each of these methods reaches out to a stage 2 domain which does additional filtering and will deliver the fake browser update lure and payload to traffic that passes the filtering. The payload can be either a plain JavaScript (.js) file, usually named “Update.js”, or a zipped JavaScript file. If the payload is executed by the user, it will first fingerprint the host via wscript. Depending on the results of the fingerprinting, the JavaScript will either quit, load a remote access trojan (RAT), or wait for further commands from the threat actor, which has been reported to lead to Cobalt Strike or BLISTER Loader.
Proofpoint has recently observed SocGholish infections leading to AsyncRAT and NetSupport RAT as the RAT payloads.

Figure 1. SocGholish fake update lure spoofing a Chrome update.
Figure 2. Keitaro TDS inject example.
Figure 3. Parrot (NDSW) inject example.
Figure 4. Asynchronous inject example.

ROGUERATICATE/FAKESG

The second fake browser update our researchers identified is known as RogueRaticate or FakeSG. Proofpoint first identified this activity in May 2023, and third-party researchers dubbed it a copy of the existing and high-volume SocGholish campaigns. The activity may have started in the wild as early as November 2022. Proofpoint does not attribute the RogueRaticate activity to a tracked threat actor at this time, and it has consistently been distinctly differentiated from SocGholish campaigns.

RogueRaticate injects heavily obfuscated JavaScript code into existing JavaScript files on stage 1 websites. The injected JavaScript reaches out to a stage 2 domain. The stage 2 domain hosts a Keitaro TDS that filters out unwanted requests and responds with a blank “body” value in a JSON response. When it identifies a target to receive the lure, it sends the lure double Base64 encoded in the “body” value. The lure contains a button which, if pressed, uses an HTML href attribute to download the payload from a separate compromised site, typically hosted on WordPress.

The fake update payload for the RogueRaticate campaigns has always involved an HTML Application (.hta) file. The HTA is either zipped or downloaded via a shortcut (.url) file that points to the .lnk. The .hta file typically loads a malicious NetSupport RAT payload onto the host via the same stage 2 domain that hosted the malicious payload.

Figure 5. Example RogueRaticate fake update lure spoofing a Chrome update.
Figure 6. Example RogueRaticate inject.

ZPHP/SMARTAPESG

Proofpoint first identified another new cluster of fake update campaigns leading to NetSupport RAT in June 2023.
The activity was first publicly reported by Trellix in August 2023. This activity has been referred to as ZPHP by Proofpoint or SmartApeSG in public documentation.

The inject is a simple script object that is added into a compromised website’s HTML code. It makes an asynchronous request to either “/cdn/wds.min.php” or “/cdn-js/wds.min.php” on a stage 2 domain. The response is heavily obfuscated JavaScript code that will attempt to create an iframe and make a second request to “/zwewmrqqgqnaww.php?reqtime=<epoch time>” which appears to filter out undesired requests and return the browser update lure to non-filtered requests. The payload is downloaded via a base64 encoded zip file.

The zipped browser update payload usually contains a JavaScript (.js) file that will load a malicious NetSupport RAT payload onto the host. Proofpoint has also seen the .zip contain an executable (.exe) that loaded Lumma Stealer.

Figure 7. Example ZPHP lure spoofing a Chrome update.
Figure 8. Example ZPHP inject.

Proofpoint does not currently attribute the ZPHP activity to an actor with a TA number designation.

CLEARFAKE

In August 2023, third-party researchers published details on a fake browser update threat activity known as ClearFake. Proofpoint subsequently identified consistent campaigns related to this cluster and observed a series of changes in the short amount of time while monitoring it.

The inject is a base64 encoded script added to the HTML of the compromised webpage. Proofpoint observed the injection pointing to a variety of services including Cloudflare Workers, a file hosted on an actor’s GitHub, and most recently the blockchain network known as Binance Smart Chain. The initial request directs traffic to a stage 2 domain that hosts the Keitaro TDS filtering service to filter requests. The actor uses newly registered stage 2 domains, which, if a visitor passes the filtering, create an iFrame of the fake update lure hosted on the stage 2 domain.
Clicking on the update button will result in a download of the payload which has been observed hosted on Dropbox and OneDrive.

The observed payload was an executable (sometimes zipped), .msi, or .msix file that leads to the installation of a variety of stealers including Lumma, Redline, and Raccoon v2.

Figure 9. Example ClearFake lure spoofing a Chrome update.
Figure 10. Example ClearFake injection.

Notably, Proofpoint has observed ClearFake display the fake update lures in certain languages to match the browser's set language, including French, German, Spanish, and Portuguese.

Proofpoint does not attribute the ClearFake activity to an actor with a TA number designation.

CONCLUSION

Proofpoint has observed an increase in threat activity using fake browser updates to deliver a variety of malware payloads. SocGholish and TA569 have demonstrated that compromising vulnerable websites to display fake browser updates works as a viable method for malware delivery, and new actors have learned from TA569 and started to adopt the lure in their own ways. These copycats may be using information stealers and RATs currently, but could easily pivot to being an initial access broker for ransomware.

The activity detailed in this report can be hard for security teams to detect and prevent and may present difficulties with communicating the threat to end users due to the social engineering techniques and website compromises used by the threat actor.

The best mitigation is defense in depth. Organizations should have network detections in place – including using the Emerging Threats ruleset – and use endpoint protection. Additionally, organizations should train users to identify the activity and report suspicious activity to their security teams. This is very specific training but can easily be integrated into an existing user training program.
A tool such as Proofpoint’s Browser Isolation can also help prevent successful exploitation when compromised URLs are received via email and clicked on.

Specific indicators of compromise (IOCs) associated with the identified activities change regularly, as the threat actors are routinely moving their infrastructure and changing details in their payloads. The infosec.exchange account @monitorsg is a useful public resource for following along with recent details on payloads and infrastructure changes. The Emerging Threats Ruleset has domain rules available for most of the current threats and is regularly updating and publishing new rules to block all fake browser update campaigns.

HUNTING IOCS AND PAYLOAD EXAMPLES (AS OF 2023-09-28):

SocGholish:
C2 URI: /editContent
8bdc4c1cd197808056e50b8b958acd380bf8a69b63aedef3f9854173c6714b32
3fb9740940d44eef823b7ff17f0274a12345a6f238cf46a1133a9e39c7b97c62

RogueRaticate:
Keitaro TDS Hosted on:
178.159.37.73
178.159.37.25
1d9900c8dbaa47d2587d08b334d483b06a39acb27f83223efc083759f1a7a4f6
08d9df800127f9fb7ff1a246346e1cf5cfef9a2521d40d6b2ab4e3614a19b772

ZPHP:
Injects lead to paths:
/cdn/wds.min.php
/cdn-js/wds.min.php
/cdn/zwmrqqgqnaww.php
/cdn/zwewmrqqgqnaww.php
e9580370160d39ef010dfdbfa614820cfe464507ce344a11bcbe760902297c8f
0b28e9df9daf8a3d0aa3dc8a066a34134916dfacd9ba5d25d78e097525f66492

ClearFake:
Chrome lure on: /lander/chrome/_index.php
37bba90d20e429ce3fd56847e4e7aaf83c62fdd70a7dbdcd35b6f2569d47d533
ab282db6f1fc4b58272cef47522be19d453126b69f0e421da24487f54d611b2f

Emerging Threats Signatures: (All Open Sigs available for free)
“ET MALWARE SocGholish Domain in (DNS Lookup/TLS SNI) (<domain>)”
“ET MALWARE SocGholish CnC Domain in (DNS Lookup/TLS SNI) (<domain>)”
“ET EXPLOIT_KIT RogueRaticate Domain in (DNS Lookup/TLS SNI) (<domain>)”
“ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (4cdcb)”
“ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (3a7ee)”
“ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to ClearFake (71eb8)”
“ET EXPLOIT_KIT ZPHP Domain in (DNS Lookup/TLS SNI) (<domain>)”
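
One way to hunt for the URI indicators listed above in web proxy logs, as an added example that is not Proofpoint's code. The log layout (timestamp, client, method, URL, status), the step labels and the placeholder hosts are assumptions; only the paths come from the page.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# URI indicators taken from the page (hunting list as of 2023-09-28 and the ZPHP text).
# The step labels are hypothetical names used only by this example.
PATH_IOCS = {
    "/editContent": ("SocGholish", "c2"),
    "/cdn/wds.min.php": ("ZPHP", "inject-request"),
    "/cdn-js/wds.min.php": ("ZPHP", "inject-request"),
    "/cdn/zwmrqqgqnaww.php": ("ZPHP", "filter-request"),
    "/cdn/zwewmrqqgqnaww.php": ("ZPHP", "filter-request"),
    "/zwewmrqqgqnaww.php": ("ZPHP", "filter-request"),
    "/lander/chrome/_index.php": ("ClearFake", "lure"),
}

def classify(url):
    """Return (campaign, step, host) when the URL path matches an indicator, else None."""
    parts = urlsplit(url)
    hit = PATH_IOCS.get(parts.path)
    if hit is None or not parts.hostname:
        return None
    campaign, step = hit
    # The page shows ZPHP's second request carrying reqtime=<epoch time>; note its absence.
    if step == "filter-request":
        reqtime = parse_qs(parts.query).get("reqtime", [""])[0]
        if not reqtime.isdigit():
            step = "filter-request(no-reqtime)"
    return campaign, step, parts.hostname.lower()

def hunt(log_lines):
    """Group matches by (client, campaign, host) so each row lists the steps seen in order."""
    findings = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:  # skip blank or truncated records
            continue
        _ts, client, _method, url = fields[:4]
        match = classify(url)
        if match:
            findings[(client, match[0], match[2])].append(match[1])
    return dict(findings)

# Constructed proxy log lines; hosts and clients are placeholders, not real infrastructure.
SAMPLE_LOG = [
    "2023-09-28T10:00:01Z 10.0.0.5 GET https://stage2.example/cdn/wds.min.php 200",
    "2023-09-28T10:00:02Z 10.0.0.5 GET https://stage2.example/zwewmrqqgqnaww.php?reqtime=1695895202 200",
    "2023-09-28T10:05:00Z 10.0.0.9 GET https://lure.example/lander/chrome/_index.php 200",
    "2023-09-28T10:06:00Z 10.0.0.7 POST https://c2.example/editContent 200",
]
print(hunt(SAMPLE_LOG))
```

A client that shows both ZPHP steps against the same host reached the filtering request, so it is the first candidate for endpoint review. Path-only matches are triage leads and should be confirmed against the domain signatures listed above.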
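
For the RogueRaticate stage 2 behaviour described earlier (a JSON response whose “body” value is blank for filtered requests and holds the double Base64 encoded lure otherwise), the following added example, which is not Proofpoint's code, triages a captured response and pulls the href targets out of the decoded lure for IOC extraction. Only the “body” key comes from the page; the function names and the sample response are constructed.

```python
import base64
import binascii
import json
from html.parser import HTMLParser

class HrefCollector(HTMLParser):
    """Collect href attribute values from the decoded lure HTML."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def triage_response(raw_json):
    """Return ('filtered', []), ('lure', hrefs) or ('undecodable', []) for a captured response."""
    try:
        body = json.loads(raw_json).get("body", "")
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        return "undecodable", []
    if not isinstance(body, str) or not body.strip():
        return "filtered", []  # blank "body": the TDS filtered this request out
    try:
        once = base64.b64decode(body, validate=True)
        html = base64.b64decode(once, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):  # not Base64, or only encoded once
        return "undecodable", []
    collector = HrefCollector()
    collector.feed(html)
    return "lure", collector.hrefs

# Constructed sample: placeholder lure HTML, double Base64 encoded as the page describes.
_LURE = '<html><body><a href="https://compromised-site.example/placeholder/payload.zip">Update</a></body></html>'
SAMPLE_LURE = json.dumps({"body": base64.b64encode(base64.b64encode(_LURE.encode())).decode()})
SAMPLE_FILTERED = json.dumps({"body": ""})

print(triage_response(SAMPLE_LURE))
print(triage_response(SAMPLE_FILTERED))
```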