By The PhishLabs Team | February 7, 2019
Phishing attacks are supposed to be visible. If you can’t see them, how could anyone possibly fall for them? Since the dawning of time for phishing attacks there has been a constant struggle between the threat actors creating phishing sites and the individuals and organizations combating them.
This has caused phishing attacks to evolve in to more complicated and stealthy traps over time. Phishing attacks are supposed to be viewed by as many people as possible in the hopes that a small percentage of those people would bite. However, due to more effective strategies in phishing detection and mitigation, threat actors are adjusting their strategy to hide themselves from those who would like to take their attacks offline.
Criminals are not only taking in to account how to get their phishing attacks to as many possible victims as they can, but more often we are seeing that these same threat actors heavily focus on the opposite side of the spectrum: attempting to hide their attacks from as many unwanted parties as possible. While blocking, the act or attempt to hide a threat actor’s digital fingerprints, in phishing attacks is not a new development, it is becoming more prevalent than ever before. We are seeing attackers constantly develop new strategies to prevent their attacks from being quickly found and mitigated.
Recently, we have observed an increase in cookie-based blocking and query-based blocking. Cookie based blocking takes advantage of cookies to allow a specific device to only view a phishing attack one time. After viewing this attack, the victim will no longer be able to see the phish, but rather a 403 or 404 page. Since the victim can’t view the attack again, they may be left wondering if they fell for a scam or not, which could delay them reporting it.
Query-based blocking usually requires a “key” – a set word or phrase in the query of the URL that will cause the phishing attack to resolve. This type of blocking is extremely effective because it essentially blocks anyone from viewing the phishing attack unless they received the phishing lure itself. Without the lure, you will not have the required key to enable the phish to resolve which could lead many to believe that the attack is no longer active. This is another method that can lead to delayed reporting by victims and a higher success rate for the attacking party.
The most common tactic threat actors use to hide phish is by IP blocking or geo-blocking. The level of geo-blocking in place varies wildly depending on what its end goal is. Almost all phishing attacks include at least a small amount of IP-based blocking, which is usually done through a .htaccess file where they will list a set of IP addresses that are denied access to view the malicious content.
However, there are more advanced forms of geo-blocking that can be used to add legitimacy to the phishing attack. For example, certain threat actors will only allow individuals to view a phish from a residential IP address located in the specific region of a financial institution or organization that they are targeting. This makes the phishing content viewable only by people who are associated with the target organization. This limits the amount of people who are not associated with the targeted organization from seeing the phish, and in turn less people will report it based on that suspicion.
Another tactic that has become increasingly more common is user-agent blocking. With the rise of SMS-based phishing attacks, we are seeing more phish that are not accessible from a desktop browser. This is when attackers prevent anyone from viewing their attacks unless they are using a mobile device. This is because many phishing sites are easier to spot on a desktop browser due to the full URL not always being shown on mobile devices. This is also a form of URL padding, which takes advantage of smaller screen sizes. This can make it significantly easier for the threat actor to fool potential victims in to believing that they are on a legitimate website.
Combating New Blocking Techniques
Each of these counter measures beg the question: how can we combat these new techniques? There are multiple tools that can help you spot phishing attacks that you were not meant to see. The two most helpful are proxy services and user-agent switching tools. Using a combination of these two tools you can allow your desktop or laptop to imitate the region or device that the phishing attack was meant to be received by.
In addition, when doing this through a desktop browser you will be able to see the full URL of the phishing attack, taking away the advantage that threat actors have when distributing attacks over mobile devices. Proxy switchers can also prevent cookie-based blocking in certain instances, although clearing your cookies is a much more effective strategy in these situations. As far as query-based blocking is concerned, the only real way to find the phishing content is to have the lure itself. Without it, you would have to rely on either being able to locate the phish kit for the attack or using prior intel on the threat actor that set up the phishing site.
Regardless of whether you can get malicious content to resolve, if you see something phishy it is good practice to report it immediately! As detailed, there are tactics in play designed to make you second guess yourself.
If you can find a way to get the phishing attack to resolve, make sure you include these details in your reports so that the responsible organizations have adequate information to confirm and take down any reported attacks. Any extra information that can be provided will only aid in the quickest mitigation possible.