Threat actors improve the resiliency of phishing campaigns by concealing malicious content from security teams. Avoiding detection increases an attacker’s odds of reaching more victims and achieving a more lucrative outcome. There are many types of evasion techniques that can be used individually or in tandem. In this post we discuss active evasion, restricting by interaction.
Restricting by Interaction
Cybercriminals understand the online behavior of their targets. They know exactly how their target victim should respond to each piece of clickbait or other malicious resource. If a visitor displays typical user behavior, the threat actor will proceed with the attack. With nonstandard behavior, they will evade. For example, a victim should arrive by clicking on a socially engineered link, not by typing in the web address.
There are three types of restricting by interaction:
- Unique Passkey
- Single-Visit
- Session
Unique Passkey
One method of restricting by interaction is identifying targets based on a unique passkey. In the attack, the threat actor will embed information within a lure such as a query string. In our example below, the attacker uses a query string that says “login page.” If a victim interacts with the lure by clicking on the url, the threat will load properly. If not, the user will be restricted access to the malicious site.
This tactic is particularly effective against security researchers analyzing newly registered domains. Although the analyst may have the correct domain, they will not have the query string or unique passkey. Without the passkey, the threat will not visualize. Instead, it will appear benign.
Single Visit or IP Address
Another type of restricting by interaction operates on the idea that victims will visit a threat only one time. Undesired visitors, such as security researchers or automated systems, will often try to attempt to access a threat multiple times.
An attacker can identify these attempts by:
- Logging the IP addresses of all visitors
- Profiling by device or operating system
- Setting long-lived tracking cookies on visiting browsers
Sessions
An attacker may also identify targets based on the sequence of the user’s interactions, or sessions. This technique is based on the concept that a victim will always interact with the attack in the order it was intended. For example, a victim will initially interact with a lure, then visit the first page, then the second, and so on. Non-targets may detect potential threats, however they often identify the middle or end of the attack before the landing page.
An attacker can exploit this type of user behavior by providing a token, such as a tracking cookie, on the first page of the threat. By verifying the visitor has that cookie, the cybercriminal can confirm the correct sequence is being followed. If the cookie isn’t present, the criminal will restrict access to the malicious site.
Successfully evading non-targets is key to keeping phishing attacks active and profitable. Security teams should understand the various techniques threat actors use to remain undetected in order to maximize visibility into threats targeting their brand. To learn more about evasion techniques, check out our webinar: What Threat Actors Don’t Want You to Know: Active Evasion Techniques.
Additional Resources: