Get The Latest Insights

By Jessica Ellis | January 9, 2020

Mobile Sensors (1)Every day our teams analyze millions of phish across the web, detected through emails, social media, text messages, and most other common digital vectors. Many phishing sites are easy to review and analyze. However, some threat actors that we track take steps to hide their attacks from people other than their intended victims. This is a defense mechanism that makes it harder to analyze their techniques, allowing them to keep their campaigns active for longer periods of time.

In a recent campaign, our Security Operations Center discovered a new and unique evasion technique. To date, this is one of the more sophisticated blocking techniques we have observed. It abuses an experimental feature available in select web browsers: device motion and orientation events. More specifically, the phishing attack abuses the gyroscope and accelerometers that have been built into smartphones for more than a decade. The most common uses of these sensors can be seen in those 3D images you see on Facebook, augmented reality street view on Google Maps, or even on Pokémon Go.

While these examples are apps, the same sensors can be activated on certain mobile browsers. By checking for the presence and state of these controls, a site can determine whether it is on a mobile device and behave differently in response.

Why Threat Actors Use Blocking

Many phishing attacks rely on volume. Besides BEC attacks or other highly-targeted phishing approaches, the more lures a threat actor can distribute, the greater the chances they get a return on their efforts. Security teams and email security technology will swat many of these away, but in the process someone will likely fall for the lure. This is not the case for BEC attacks and other highly-targeted attacks, which is the case for this particular campaign.

Attackers use blocking and evasion techniques to decrease the likelihood of being quickly detected by response organizations, and therefore increase the longevity of their attack. Additionally, attackers will leverage similar countermeasures to protect their tactics and techniques from being easily observed by rivals or security organizations. This is why they were determined to prevent analysts from detecting the attack. PhishLabs leverages advanced detection techniques powered by human intelligence in order to identify and defeat these countermeasures.

Mobile Sensor-Based Obfuscation Technique

Our team first detected this attack while analyzing lures sent via text message, which were attempting to impersonate a high-profile target within a financial institution. The messages use a typical social engineering technique to get their targets to click on a lookalike URL by claiming to have an important notice for the soon-to-be victim.

Our first indicator that the phishing site was being blocked quickly presented itself. Visiting the URL presented with a blank white page, and subsequent attempts to view it without altering our identity resulted in receiving 404 responses from the server. This is a sure sign that something sketchy is going on. When our analysis team viewed the source for blank page, we discovered heavily obfuscated JavaScript code. A variable with a cryptic name had been assigned to huge arrays of hexadecimal values, and other cryptic variables held arrays whose values were assigned to indexes within the first.

code snippet from mobile sensor evasion technique

Functions upon functions, each with indecipherable names and arguments, were calling out to each other. In these cases, obfuscation is the threat actors’ passive attempt to thwart casual onlookers. A quick look reveals a Gordian knot that isn’t worth the headache and most move along. With a tug here and a prod there, however, the mechanics were gradually revealed.

“Geolocation” … “setTimeout” … “addEventListener” … “DeviceOrientationEvent”

With the code partially deobfuscated, we began investigating each element. This led to the discovery that the threat actor was attempting to guarantee the victim is using a mobile device by using calls to the gyroscope and accelerometer. The next step was to give the phish a shot with a burner cell phone – nothing.

Sometimes attackers leverage multiple layers of countermeasures. So, we loaded the phone with a low-profile, region-specific proxy and tried again – Voila! The phishing content presented itself as if we were the intended target. With the content available, our SOC team was then able to properly action the threat like any other phishing or SMiShing attack.

Defanging the Blocking Technique

Just as the threat actor abuses specific features within mobile web browsers, analysts are able to make use of developer tools to thwart the blocking attempt. To defang the blocking technique, security researchers need to simulate the data produced by a smartphone’s accelerometer or gyroscope. This can be done with browser-based developer tools.

orientation (002)

Once the threat has been unblocked, it can be analyzed like any other phishing threat. Our Digital Risk Protection team was able to defang said threat, have the phishing page taken down, and protect the financial institution that was being targeted.

Additional Resources: