Cybercriminals use evasion techniques to bypass scanning technologies and defeat human analysis in order to extend the life of phishing campaigns. There are many evasion techniques, and criminals often combine several of them. In this post we focus on one form of active evasion: restricting non-targets by device.
Restricting by Device
Active evasion is any method an attacker uses to prevent people other than the intended target from becoming aware of, or interacting with, a threat. One such technique is restricting by user device. Here the threat actor identifies targets by the type of device, operating system, or browser used to reach the malicious resource. Once that information is collected, the kit either serves the malicious content or evades, typically by redirecting the visitor to a benign page or returning an error.
Restricting non-targets by device relies on the following signals, each of which the visitor's browser supplies and each of which is checked in turn:
- User-Agent string
- Screen size or viewport
- Device motion and orientation events
User-Agent Blocking
A user-agent (UA) string is the identifier a browser sends with every HTTP request, in the User-Agent header, describing the browser, its version, and the operating system and device it runs on. Websites use it for content negotiation: a request whose UA indicates a phone is normally served the mobile layout rather than the desktop version. Because the UA is supplied by the client, it is also trivially spoofed, which is why the techniques described later are layered on top of it.
Reading this information lets threat actors decide how the attack should behave for a given visitor. For example, if the payload exploits a Mac vulnerability, the actor will block or redirect anyone whose UA does not identify a Mac, so that analysts and scanners on other platforms never see the malicious page.
User-agent blocking is the most common method of restricting non-target access to malicious material. It can be implemented server-side, so that a blocked visitor receives a redirect or an innocuous page and the malicious content never leaves the server, or client-side in JavaScript that checks navigator.userAgent before loading the lure.
Screen Size or Viewport
Another method of restricting by device is to classify visitors by screen size or viewport. Here the threat actor uses JavaScript to read properties the UA string does not carry, such as window.innerWidth and window.innerHeight (the viewport) and screen.width and screen.height (the physical display). From these dimensions the actor infers the class of device (phone, tablet, or desktop) and whether the values are plausible for a real browser window, and then decides whether to attack or evade.
Criminals also use this data to spot automated analysis. Security teams often use headless browsers to scan and analyze suspected phishing sites, and a headless browser typically runs with a default window size rather than the dimensions of a real display, or reports a viewport inconsistent with the screen it claims to have. Either mismatch distinguishes it from an ordinary PC or phone.
Gyroscope
Threat actors also use data from mobile device sensors to determine how an attack should behave. This is most commonly seen with device motion and orientation events, which expose the gyroscope and accelerometer.
Mobile browsers expose these sensors through the DeviceMotionEvent and DeviceOrientationEvent APIs. A real phone fires these events with numeric readings; a desktop browser, a headless browser, or an emulated mobile profile typically either never fires them or delivers null values. If the criminal receives a valid reading when listening for these events, they can reasonably infer that they are dealing with a real mobile device and display their behavior accordingly. Checking only whether the event constructor exists is not enough, since desktop browsers define it too; the kit has to register a listener and wait for an actual event, treating a timeout as evidence of a non-mobile visitor. Note that Safari on iOS 13 and later withholds these readings until the page calls DeviceMotionEvent.requestPermission() from a user gesture, so a kit that depends on this signal has to account for legitimate phones that never deliver one.
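The following is an added example, not code from the original post or from any real phishing kit, showing how the three signals described in the user-agent, viewport and sensor sections above combine into a single client-side device gate. The visitor profiles, the targeting policy (portrait phones between 320 and 1080 pixels wide) and the regular expressions are all constructed for illustration; in a browser the same fields would come from navigator.userAgent, window.innerWidth/innerHeight, screen.width/height and a one-shot devicemotion listener.

```javascript
// Added example (not from the original post): a client-side "device gate"
// built from the three signals discussed above. Visitor profiles are
// constructed so the file runs under Node without a browser.

const MOBILE_UA = /Android|iPhone|iPad|Mobile/i;
// Tokens that identify automation or scanners rather than a person's browser.
const AUTOMATION_UA = /HeadlessChrome|PhantomJS|python-requests|curl|wget|bot|crawler|spider/i;

// Hypothetical targeting policy: portrait phones with a realistic width.
const POLICY = { minWidth: 320, maxWidth: 1080 };

function classifyUserAgent(ua) {
  if (typeof ua !== 'string' || ua.length === 0) return 'missing';
  if (AUTOMATION_UA.test(ua)) return 'automation';
  if (MOBILE_UA.test(ua)) return 'mobile';
  return 'desktop';
}

// Sanity checks a real browser window always satisfies but headless tools
// and sloppy device emulation often do not.
function viewportLooksReal(p) {
  const dims = [p.innerWidth, p.innerHeight, p.screenWidth, p.screenHeight];
  if (!dims.every((v) => Number.isInteger(v) && v > 0)) return false;
  // The viewport cannot be larger than the screen it is drawn on.
  if (p.innerWidth > p.screenWidth || p.innerHeight > p.screenHeight) return false;
  // Headless Chrome's default window is 800x600 with a "screen" of the same
  // size; a real display almost never reports exactly this combination.
  if (p.innerWidth === 800 && p.innerHeight === 600 &&
      p.screenWidth === 800 && p.screenHeight === 600) return false;
  return true;
}

function matchesMobileViewport(p) {
  const portrait = p.innerWidth <= p.innerHeight;
  return portrait && p.innerWidth >= POLICY.minWidth && p.innerWidth <= POLICY.maxWidth;
}

// A real phone delivers finite numeric acceleration in its first devicemotion
// event; emulators and desktop browsers deliver nothing or nulls.
function motionLooksReal(motion) {
  const a = motion && motion.accelerationIncludingGravity;
  if (!a) return false;
  return [a.x, a.y, a.z].every((v) => typeof v === 'number' && Number.isFinite(v));
}

// Gates are evaluated in order; the first failure evades and records why.
function decide(p) {
  const uaClass = classifyUserAgent(p.userAgent);
  if (uaClass !== 'mobile') return { action: 'evade', reason: 'ua:' + uaClass };
  if (!viewportLooksReal(p)) return { action: 'evade', reason: 'viewport:implausible' };
  if (!matchesMobileViewport(p)) return { action: 'evade', reason: 'viewport:not-mobile' };
  if (!motionLooksReal(p.motion)) return { action: 'evade', reason: 'motion:absent' };
  return { action: 'attack', reason: 'all-gates-passed' };
}

// Constructed visitor profiles (sample data, not captured traffic).
const ANDROID_UA = 'Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36';
const DESKTOP_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36';
const SAMPLE_PROFILES = {
  realPhone: { userAgent: ANDROID_UA, innerWidth: 412, innerHeight: 915, screenWidth: 412, screenHeight: 915,
               motion: { accelerationIncludingGravity: { x: 0.12, y: 9.71, z: 0.33 } } },
  desktopAnalyst: { userAgent: DESKTOP_UA, innerWidth: 1536, innerHeight: 864, screenWidth: 1920, screenHeight: 1080, motion: null },
  // Scanner that spoofed navigator.userAgent but kept headless Chrome's window.
  headlessSpoofedUa: { userAgent: ANDROID_UA, innerWidth: 800, innerHeight: 600, screenWidth: 800, screenHeight: 600, motion: null },
  // Device-emulation mode: UA and viewport are right but no sensor ever fires.
  emulatedPhone: { userAgent: ANDROID_UA, innerWidth: 412, innerHeight: 915, screenWidth: 412, screenHeight: 915, motion: null },
};

// Returns the gate's verdict for every sample profile, keyed by profile name.
function runSamples() {
  const out = {};
  for (const [name, profile] of Object.entries(SAMPLE_PROFILES)) out[name] = decide(profile);
  return out;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Of the four constructed profiles only the real phone reaches the lure; the desktop analyst fails at the UA gate, the scanner that spoofed its UA fails on the 800x600 headless window, and the emulated phone fails because no motion event ever arrived. The defensive lesson is the mirror image: a crawler that wants to see what the target sees has to present a profile that is consistent across all three signals, because the gate evades on the first mismatch it finds.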
Cybercriminals use evasion to maximize their profit from phishing campaigns. Security teams need visibility into these techniques in order to protect against threats targeting their organization. To learn more about active evasion techniques, watch our webinar: What Threat Actors Don't Want You to Know: Active Evasion Techniques.
Additional Resources: