Despite becoming a major threat over two decades ago, Phishing attacks are still a major technique used to steal credentials. Their use by threat actors hasn’t slowed down for two main reasons: they still require relatively little technical prowess to pull off, and they are still quite effective. Phishing attacks also have drawbacks, a major one of which is their short lifespan. As it is fairly easy for abuse team members at webhosting companies, registrars and other relevant entities to see that a Phishing URL serves malicious content simply by accessing it, these sites are often taken down relatively quickly. Even when a Phishing site survives longer than average, for example because it is hosted by an uncooperative webhost, the time the malicious content stays up is still short compared to other threats, such as malware.
The longer a Phishing attack remains online, the more credentials are stolen from victims, which translates into more records that can be sold on the Dark Web or used for illegal access. Therefore, threat actors are incentivized to use any technique in the book to extend the lifespan of their attacks.
Following are several methods fraudsters use to increase this lifespan:
1. Use of Anti-Bot Technologies
A few weeks ago, Underdark.ai reported on a new tool being offered for sale on the Dark Web. The tool, Limitless Anti-Bot, helps website owners prevent automated tools from accessing their content. While the concept of such a technology is legitimate (news sites, for example, do not necessarily want Google to index and display their content without routing users to their website), it is also quite useful for Phishing operators.
Fraudsters have long known that most Phishing detection today is conducted automatically by crawlers that access the website, analyze its contents and report it if it is deemed Phishing. Anti-bot technologies can identify such crawlers, prevent them from “seeing” the Phishing page, and therefore help the Phishing site remain undetected for longer. Bot detection solutions range from simple to complex and use many different techniques to separate “legitimate” users from automated scripts, such as behavioral analysis, challenge-response mechanisms and bot signature detection.
Limitless Anti-Bot doesn’t seem to be a legitimate tool that was repurposed for fraudulent activity, but one developed for fraudsters from the ground up, underscoring the demand on the Dark Web for such solutions.
For more information on the use of anti-bot techniques, and on Limitless Anti-Bot specifically, see SlashNext’s article here, which also covers the matter.
2. Deliberate Avoidance of Brand Names and Use of Vector Art
An additional approach to avoiding detection by automated crawlers is to tweak the malicious content itself so that the impersonated brand (for example, a financial institution) is not mentioned anywhere in the HTML. Fraudsters realize that part of the analysis performed by crawlers is to look for the names of the vendor’s Phishing detection customers in the HTML content. If no customer brand appears in the HTML, the crawler is less likely to report the site as Phishing. The absence of the brand name doesn’t reduce the effectiveness of the Phishing: the brand name is still visible in the logo and the website design is still a carbon copy of the legitimate website.
In addition to looking at the HTML content, crawlers also download website images and compare them to the customers’ logos, and fraudsters are aware of this. To avoid being flagged as a Phishing site based on the logo displayed, fraudsters use vector art for the logo. Several online tools turn raster images such as PNGs, JPEGs and BMPs into scalable vector graphics (SVG), whose code can then be embedded directly in the HTML.
Using code instead of an image format also opens up additional ways of hiding the logo from analysis, as the code can be obfuscated or minified.
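The crawler-side counterpart to these two evasions, as an added example that is not code from the original post: instead of only grepping the HTML for a brand name, it fingerprints inline SVG logos by their normalized path data (which survives minification and attribute reordering) and flags a credential form that ships with a vector-only logo and no brand text. The brand list, the reference logo and the sample page are constructed for illustration; a real deployment would build the fingerprint table from each customer’s actual logo.

```python
"""
Added example (not code from the original post): analyze a captured page for
brand-name avoidance and inline vector logos. Fingerprints inline SVG path
data and flags a credential form with a vector-only logo and no brand text.
The sample page, brand list and reference logo are constructed.
"""
import hashlib
import re
from html.parser import HTMLParser

RASTER_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp")


class PageFeatures(HTMLParser):
    """Collect visible text, inline SVG path data, <img> sources and password fields."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.svg_paths = []       # one list of 'd' attribute values per <svg>
        self.img_srcs = []
        self.password_fields = 0
        self._svg_depth = 0

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "svg":
            self._svg_depth += 1
            self.svg_paths.append([])
        elif tag == "path" and self._svg_depth and a.get("d"):
            self.svg_paths[-1].append(a["d"])
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1

    def handle_endtag(self, tag):
        if tag == "svg" and self._svg_depth:
            self._svg_depth -= 1

    def handle_data(self, data):
        if not self._svg_depth:   # SVG <text> nodes are not page copy
            self.text.append(data)


def svg_fingerprint(paths):
    """SHA-256 of the path data with whitespace removed and case folded."""
    norm = "".join(re.sub(r"\s+", "", p).lower() for p in paths)
    return hashlib.sha256(norm.encode()).hexdigest()


def analyze(html, brands, known_logos):
    """
    brands: brand names to look for in visible text.
    known_logos: {svg_fingerprint: brand}, built from each customer's real logo.
    Returns the extracted features plus a list of findings.
    """
    page = PageFeatures()
    page.feed(html)
    text = " ".join(page.text).lower()
    brands_in_text = [b for b in brands if b.lower() in text]
    fingerprints = [svg_fingerprint(p) for p in page.svg_paths if p]
    has_raster = any(s.lower().split("?")[0].endswith(RASTER_EXTS) for s in page.img_srcs)

    findings = []
    for fp in fingerprints:
        if fp in known_logos:
            findings.append(f"inline SVG matches the {known_logos[fp]} logo")
    if page.password_fields and not brands_in_text and fingerprints and not has_raster:
        findings.append("credential form with vector-only logo and no brand text")
    return {"brands_in_text": brands_in_text, "svg_fingerprints": fingerprints, "findings": findings}


# Constructed reference: the customer's logo as it appears on its own site.
BRANDS = ["ExampleBank"]
KNOWN_LOGOS = {svg_fingerprint(["M0 0 h10 v10 H0 z", "M2 2 h6 v6 H2 z"]): "ExampleBank"}

# Constructed phishing page: no brand name anywhere, minified copy of the logo.
SAMPLE_PAGE = """<html><body>
<svg viewBox="0 0 10 10"><path d="M0 0h10v10H0z"/><path d="M2 2h6v6H2z"/></svg>
<h1>Sign in to online banking</h1>
<form action="/login.php" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    print(analyze(SAMPLE_PAGE, BRANDS, KNOWN_LOGOS))
```

The path-data hash only catches logos embedded verbatim or merely minified; a logo re-traced by a different vectorizer, or assembled by obfuscated JavaScript at runtime, will not hash the same, which is why a headless render followed by image comparison remains the more robust (and more expensive) check.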
3. Use of Refresh Header for HTTP Redirection
As originally discovered by Palo Alto Networks’ Unit 42, fraudsters began using a non-standard redirection mechanism that is honored by browsers but not by cURL. cURL is a standard tool and library that gives scripts written in PHP, Python and other languages the ability to communicate with web servers. It is used in many crawlers and integrations, among them tools used to detect Phishing. If a Phishing site implements a redirection that is only followed by browsers, potential victims are successfully redirected to the scam while Phishing detection scripts are not.
That said, many tools today don’t rely on cURL alone but use headless browsers to simulate a victim. In such cases, the use of the Refresh header shouldn’t prevent the tool from discovering the site.
For more information on this technique, we’ve written an article on the use of the Refresh header for HTTP redirection, which you can read here.
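How a cURL-style fetcher can close this gap, as an added example that is not code from the original post or from Unit 42: the function below resolves the next hop of a response the way a browser would, honoring the `Refresh` header and the equivalent `<meta http-equiv="refresh">` tag as well as the standard `Location` header. The gate URL, headers and body are constructed; the `follow()` helper performs real requests and is included only to show where the check slots into a fetch loop.

```python
"""
Added example (not code from the original post or from Unit 42): resolve the
next hop of a response the way a browser would, honoring the Refresh header
and the equivalent <meta http-equiv="refresh"> tag that a plain curl-style
fetch ignores. Sample URLs, headers and bodies are constructed.
"""
import re
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# '0; url=https://h/p', "5;URL='/next'", '3' -> (delay, optional target)
_REFRESH = re.compile(r"\s*(\d+(?:\.\d+)?)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$", re.I)


def parse_refresh(value):
    """
    Parse a Refresh value. Returns (delay_seconds, url) with url None when
    only a delay is given, or None when the value is not a Refresh directive.
    """
    m = _REFRESH.match(value)
    if not m:
        return None
    url = (m.group(2) or "").strip().strip("'\"").strip()
    return float(m.group(1)), (url or None)


class MetaRefresh(HTMLParser):
    """Capture the content of the first <meta http-equiv="refresh"> in a page."""

    def __init__(self):
        super().__init__()
        self.content = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh" and self.content is None:
            self.content = a.get("content")


def next_hop(url, headers, body):
    """
    URL a browser would navigate to after this response, or None.
    Order: Location header, Refresh header, then <meta http-equiv="refresh">.
    Relative targets are resolved against the response URL.
    """
    h = {k.lower(): v for k, v in headers.items()}
    target = h.get("location")
    if not target and h.get("refresh"):
        parsed = parse_refresh(h["refresh"])
        target = parsed[1] if parsed else None
    if not target and body:
        meta = MetaRefresh()
        meta.feed(body)
        if meta.content:
            parsed = parse_refresh(meta.content)
            target = parsed[1] if parsed else None
    return urllib.parse.urljoin(url, target) if target else None


def follow(url, max_hops=5, timeout=10):
    """
    Fetch url and walk the redirect chain browser-style. urlopen already
    follows 3xx Location hops; next_hop adds the Refresh-based ones.
    Returns the list of URLs visited, in order.
    """
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            hop = next_hop(resp.geturl(), dict(resp.getheaders()), body)
        if not hop or hop in chain:     # no further hop, or a loop
            break
        chain.append(hop)
        url = hop
    return chain


# Constructed gate response: a 200 OK carrying a Refresh header, exactly what a
# curl user sees (no redirect followed), plus a meta-tag fallback in the body.
GATE_URL = "https://gate.example.test/index.php"
GATE_HEADERS = {"Content-Type": "text/html", "Refresh": "0; url=/secure/login.php"}
GATE_BODY = '<html><head><meta http-equiv="refresh" content="0;url=/secure/login.php"></head></html>'

if __name__ == "__main__":
    print("browser would continue to:", next_hop(GATE_URL, GATE_HEADERS, GATE_BODY))
```

A headless browser does all of this natively, so this logic matters only in pipelines that still rely on cURL or an HTTP library; the useful detection signal is the gap itself: a page that answers 200 with no meaningful content but carries a `Refresh` hop is worth following rather than filing as benign.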
4. Region Blocking Registrar/Webhosting Companies
While the aforementioned techniques focus on increasing the lifespan of an attack by avoiding detection, other techniques attempt to do the same after the Phishing site has been discovered. One such technique is region-blocking the registrar and/or webhosting company.
The idea behind the technique is simple. As noted, remediating a Phishing attack involves taking it down (that’s what our service is for!) by reaching out to relevant entities such as the web hosting company and the registrar (if a domain was registered for use as part of the scam). A take-down usually entails contacting these entities’ abuse departments, notifying them of the attack and having them remove access to the malicious content. When an abuse department receives a take-down request, they first access the web page to check it out for themselves. If they can’t access the page because of region blocking, it takes them longer to figure out that the Phishing is still active, thus prolonging its lifespan.
In conclusion, while Phishing detection vendors have already developed solutions to handle such circumvention attempts, these techniques show that, much like the rest of the cybercrime space, this is a constant arms race. Fraudsters will surely continue to come up with innovative ways to extend the lifespan of their attacks, and we will report on any further developments in the space.
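Anti-bot gating (section 1) and region blocking (this section) share one observable signature: the same URL answers differently depending on who asks, or from where. The added example below, which is not code from the original post, probes a suspect URL with a crawler-like and a browser-like client profile and flags divergence between what they receive; the same comparison applies to probes run from different egress regions. The profile headers, the URL and the sample responses are constructed for illustration.

```python
"""
Added example (not code from the original post): probe a suspect URL with a
crawler-like and a browser-like client and flag divergence between what they
receive. Anti-bot gating and region blocking share one observable signature:
the same URL answers differently depending on who asks. All URLs, header
values and sample responses below are constructed for illustration.
"""
import difflib
import urllib.error
import urllib.request
from dataclasses import dataclass

# Illustrative client profiles. A takedown pipeline would send whatever headers
# its real crawler and its real headless browser send.
PROFILES = {
    "curl-like": {"User-Agent": "curl/8.0.1", "Accept": "*/*"},
    "browser-like": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml",
        "Accept-Language": "en-US,en;q=0.9",
    },
}


@dataclass
class Probe:
    label: str    # client profile and, optionally, the egress region it ran from
    status: int   # HTTP status, or 0 when the connection failed or timed out
    body: str     # response body (empty on failure)


def fetch(url, profile, label=None, timeout=10):
    """Fetch url with one profile. Never raises: failures become status 0."""
    req = urllib.request.Request(url, headers=PROFILES[profile])
    label = label or profile
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(label, resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:      # 4xx/5xx still carry a body
        return Probe(label, err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):   # DNS failure, refused, timeout
        return Probe(label, 0, "")


def similarity(a, b):
    """Whitespace-insensitive similarity ratio in [0, 1] between two bodies."""
    return difflib.SequenceMatcher(None, " ".join(a.split()), " ".join(b.split())).ratio()


def detect_cloaking(probes, threshold=0.8):
    """
    Compare every pair of probes of the same URL. A differing status, or bodies
    less than `threshold` similar, is reported as a cloaking indicator.
    Returns a list of human-readable findings (empty means consistent).
    """
    findings = []
    for i, a in enumerate(probes):
        for b in probes[i + 1:]:
            if a.status != b.status:
                findings.append(f"{a.label} got HTTP {a.status}, {b.label} got HTTP {b.status}")
            elif similarity(a.body, b.body) < threshold:
                findings.append(f"{a.label} and {b.label} received different content")
    return findings


# Constructed stand-ins for what the profiles would receive from a gated page.
# The third probe represents the browser profile run from a second egress
# region; a real run would call fetch() from each vantage point instead.
LOGIN_PAGE = "<html><body><form action='/login.php'><input type='password'></form></body></html>"
SAMPLE_PROBES = [
    Probe("curl-like", 403, "<html><body>Access denied</body></html>"),
    Probe("browser-like", 200, LOGIN_PAGE),
    Probe("browser-like@region-b", 200, LOGIN_PAGE),
]

if __name__ == "__main__":
    for finding in detect_cloaking(SAMPLE_PROBES):
        print("cloaking indicator:", finding)
```

The practical rule for anyone verifying a reported URL follows from the output: a 403, a timeout or an empty page from one vantage point is not evidence that the site is down. Retry with a browser profile and from a second region before closing the ticket, and treat divergence between the probes as a reason to escalate rather than to dismiss.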