Browser fingerprinting is one of many tactics phishing site authors use to evade security checks and lengthen the lifespan of malicious campaigns. While browser fingerprinting has been used by legitimate organizations to uniquely identify web browsers for nearly 15 years, it is now commonly exploited by cybercriminals. Today it is widely used for phishing purposes: a recent study found that one in four phishing sites uses some form of this technique.
What Is Browser Fingerprinting?
Browser fingerprinting uses a variety of client-side checks to establish browser identities, which can then be used to detect bots or other undesirable web traffic. Numerous pieces of data can be collected as a part of fingerprinting, including:
- Time zone
- Language settings
- IP address
- Cookie settings
- Screen resolution
- Browser privacy
- User-agent string
While many legitimate providers use browser fingerprinting to detect bots and flag suspicious behavior, cybercriminals have adopted the same technique for more malicious ends. Phishing site operators now leverage browser fingerprinting to evade automated detection systems that might otherwise identify and block their sites. By deploying fingerprinting checks before loading content, threat actors can dynamically hide phishing elements, revealing them only to real users and staying one step ahead of security tools.
For example, Fortra has observed threat actors using browser fingerprinting in an effort to bypass the Google Ad review process. Because Google's review process is semi-automated, browser fingerprint checks allowed threat actors to identify when Google, rather than a normal user, was viewing their ad destinations. If the threat actor suspected activity from Google, benign content was displayed. This led to phishing reports being rejected by Google because no phishing content could be detected.
Browser fingerprinting examples
Cloudflare’s Bot Fight Mode is one example of a legitimate provider using browser fingerprinting techniques to identify and block bots.
Every time a website is loaded with Bot Fight Mode, the JavaScript below runs and sends the results back to Cloudflare. Depending on the results, you will either be presented with a CAPTCHA or blocked.
Below is an example of one of the browser fingerprinting checks implemented on a phishing site. On the first load, the site will execute the following encoded JavaScript:
If the JavaScript is decoded, security teams will see that it is obfuscated and can infer from the visible strings that it requests numerous browser properties and runs tests on the results.
Once the JavaScript finishes, it generates a fingerprint and sends all the information back to the phishing site, where the server analyzes the results. Depending on what it determines, either benign content or the phishing page is displayed.
In the following example, the large block of text contains significant amounts of data about the browser that is visiting the page.
This fingerprint contains every property of the browser, including information on screen dimensions, operating system, GPU hardware, time zone, and many other data points. All this information combined can make it very easy to determine if the browser is real or an emulator.
The following examples contain information that points to bot activity.
Example A: There is a discrepancy between the Platform and the UserAgent, indicating that the UserAgent has been changed.
Example B: The screen dimensions are conflicting, as the inner values are larger than the outer values.
Example C: The time zone offset is 0 or UTC, which indicates activity from a server and not a client system. The GPU information also reveals that this is a Linux system.
Any of the prior examples and information may be analyzed to determine the likelihood that a visitor is a bot. In the case of the phishing site above, benign content is displayed if the collected data indicates the site is not being accessed by a real browser. This kind of detection can identify nearly any out-of-the-box browser emulation such as curl, Puppeteer, Selenium, or headless Chrome.
In the past, crawlers could easily avoid detection by leveraging a proxy and changing their UserAgent. However, browser fingerprinting is very effective at identifying these automated systems, allowing site authors to alter their site content based on the results. Understanding the browser properties criminals collect when fingerprinting is critical for security teams that need to avoid suspicion from threat actors.
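The three checks from Examples A, B and C, as an added Python example (not Fortra's code and not the phishing kit's script): a server-side analyzer that reads the property dump a fingerprinting script submits and returns the bot indicators it finds, generalizing Example C's GPU point to any software renderer. The field names (platform, userAgent, innerWidth, gpuRenderer, ...), the platform-to-user-agent mapping and the two sample fingerprints are assumptions constructed for this example.

```python
# navigator.platform values and the userAgent substrings consistent with
# them (assumed mapping for this example, not an exhaustive table).
PLATFORM_UA_TOKENS = {
    "Win32": ("Windows",),
    "MacIntel": ("Macintosh",),
    "Linux x86_64": ("Linux", "X11"),
}
# Software rasterizers seen in headless/virtualised hosts, not a user's GPU.
SOFTWARE_RENDERERS = ("llvmpipe", "swiftshader")

def fingerprint_flags(fp):
    """Return the bot/emulator indicators found in one fingerprint dict."""
    flags = []
    # Example A: platform and user-agent disagree, so the UA was overridden.
    tokens = PLATFORM_UA_TOKENS.get(fp.get("platform"), ())
    if tokens and not any(t in fp.get("userAgent", "") for t in tokens):
        flags.append("platform/userAgent mismatch")
    # Example B: the viewport cannot be larger than the window holding it.
    if (fp.get("innerWidth", 0) > fp.get("outerWidth", 0)
            or fp.get("innerHeight", 0) > fp.get("outerHeight", 0)):
        flags.append("inner dimensions exceed outer dimensions")
    # Example C: a zero UTC offset is typical of servers, not desktops.
    if fp.get("timezoneOffset") == 0:
        flags.append("time zone offset is 0 (UTC)")
    # Example C: a software renderer rather than real GPU hardware.
    renderer = fp.get("gpuRenderer", "").lower()
    if any(s in renderer for s in SOFTWARE_RENDERERS):
        flags.append("software GPU renderer")
    return flags

def looks_like_bot(fp, threshold=1):
    """The verdict the server acts on: benign page vs. real content."""
    return len(fingerprint_flags(fp)) >= threshold

# Constructed sample fingerprints, not captured data.
HEADLESS_SAMPLE = {
    "platform": "Linux x86_64",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "innerWidth": 1920, "innerHeight": 1080, "outerWidth": 800, "outerHeight": 600,
    "timezoneOffset": 0,
    "gpuRenderer": "Mesa/X.org, llvmpipe (LLVM 15.0.7, 256 bits)",
}
REAL_SAMPLE = {
    "platform": "Win32",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "innerWidth": 1536, "innerHeight": 722, "outerWidth": 1536, "outerHeight": 864,
    "timezoneOffset": 300,
    "gpuRenderer": "ANGLE (NVIDIA GeForce RTX 3060 Direct3D11)",
}
```

Running a crawler's own fingerprint through such a checker before it visits suspected phishing sites shows which of these properties would give it away.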
Fortra continuously researches browser fingerprinting and other evasive techniques employed by threat actors. Our detection infrastructure is constantly evolving to stay ahead of these tactics, ensuring that such countermeasures do not hinder threat identification and phishing content is reliably uncovered and exposed.