Hiding a Phishing Attack. Deception.


The basic attack we discussed earlier uses a screenshot of the target site. It is fairly good at deceiving detection methods, but it makes the website feel static: links do not get highlighted when the victim hovers over them, and there is no animation. A static screenshot can also be fingerprinted, so attackers are often left with the alternative of stripping down the target website's HTML and repurposing it, which makes the page even easier to detect.

One of the detection methods out there is to look for keywords such as "Log In" and "Sign On" in the HTML source, alongside the target brand name. To deceive this mechanism attackers can write those letters as HTML numeric character references instead of literal characters; the browser renders the same text, but a naive substring match on the source no longer fires. This is an example of the phrase "Sign On" in the website title, taken from a phishing kit:

<title>
    &#83;&#105;&#103;&#110;&#32;&#79;&#110;
</title>

We can take it a step further by using non-ASCII letters that are displayed almost identically. For example, the Cyrillic letters "а" (U+0430), "с" (U+0441), "е" (U+0435), "о" (U+043E) and "р" (U+0440) look almost identical to their Latin counterparts "a", "c", "e", "o", "p", but have different code points.

Check out the difference: "Sign On" and "Sign Оn". They do not look different on my screen, but the second one uses the Cyrillic Capital Letter O (U+041E, decimal 1054) instead of the ASCII Capital Letter O (U+004F, decimal 79).

Since this has been known for a long time and detection systems have evolved to map look-alike letters back to their ASCII equivalents, some attackers go even further and use symbols that are only roughly similar to the target ones. Example: the Greek "α" (U+03B1) instead of "a" and "ί" (U+03AF, iota with tonos) instead of "i". This is a screenshot of a phishing website. Notice "Credίt Cαrds" and "Onlίne Bαnking":

Sometimes attackers even use small images in place of individual letters to deceive the detection. The key point is to make sure the page looks legitimate when rendered on the victim's screen, while not being easily recognizable by an anti-phishing bot.

Last but not least, a trick that works surprisingly well is to scramble the letters in the middle of words:

it deos not mttaer in waht oredr the ltteers in a wrod are,
the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae

Of course it would not work if every word on the page were scrambled, but it has proven effective when sprinkled around, and especially inside URLs. Note that this only applies to the path and query part of a URL (and to the visible link text); scrambling the letters of the hostname would point at a different domain entirely.
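Both the look-alike letter tricks (HTML entities, Cyrillic and Greek confusables) and the scrambled-word trick are best understood from the detection side. The following Python script is an added example, not code from the original post, from any phishing kit, or from any detection product. It folds the evasions in order (entity decoding, accent stripping, confusable mapping, case folding) and then matches keywords both exactly and through a first-letter/last-letter/sorted-middle signature that catches scrambled words, including inside href values. The page fragments, the keyword list and the confusables table are constructed for illustration; the table is a small hand-picked subset and is an assumption about which glyphs a detector would fold, not the full Unicode confusables data.

```python
"""Added example: fold the evasions described above before keyword matching.

Pipeline: HTML entities -> NFKD + strip combining marks -> fold Cyrillic/Greek
look-alikes -> casefold -> exact keyword match + scrambled-word signature match.
"""
import html
import re
import unicodedata

# Hand-picked subset of Cyrillic/Greek letters that render like Latin ones
# (an assumption for illustration; a real detector would use the Unicode
# confusables data, which is far larger).
CONFUSABLES = str.maketrans({
    # Cyrillic
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
    # Greek
    "\u03b1": "a", "\u03b9": "i", "\u03bf": "o", "\u03bd": "v", "\u03c1": "p",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I",
    "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P",
    "\u03a4": "T", "\u03a5": "Y", "\u03a7": "X",
})

# Constructed keyword list of the kind a keyword-based detector might carry.
KEYWORDS = ["sign on", "log in", "login", "account", "password",
            "credit cards", "online banking"]

# Constructed page fragments mimicking the evasions above (not from a real kit).
SAMPLES = {
    "entities": "<title>&#83;&#105;&#103;&#110;&#32;&#79;&#110;</title>",
    "cyrillic": "<h1>Sign \u041en to Example Bank</h1>",            # Cyrillic O
    "greek":    "<p>Cred\u03aft C\u03b1rds and Onl\u03afne B\u03b1nking</p>",
    "scramble": "<a href='/acocunt/sgin-on'>Plasee sgin on to yuor acocunt</a>",
}


def visible_text_and_urls(raw_html: str) -> str:
    """Crude extraction: tag-stripped text plus href/src values, space-joined.
    Tags are stripped before entity decoding so an encoded '&lt;' cannot
    turn into a tag and swallow text."""
    urls = re.findall(r"""(?:href|src)\s*=\s*["']([^"']*)["']""", raw_html, flags=re.I)
    body = re.sub(r"<[^>]+>", " ", raw_html)
    return " ".join([body] + urls)


def normalize(text: str) -> str:
    """Undo entity encoding, accents, look-alike letters and case."""
    text = html.unescape(text)                       # &#83; -> 'S'
    text = unicodedata.normalize("NFKD", text)       # 'ί' -> 'ι' + U+0301
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Mn")
    text = text.translate(CONFUSABLES)               # U+041E -> 'O', 'α' -> 'a'
    return re.sub(r"\s+", " ", text).casefold().strip()


def signature(word: str) -> tuple:
    """First letter, last letter, and the middle letters sorted: identical for
    a word and for any scrambling of it that keeps the ends in place."""
    return (word[0], word[-1], "".join(sorted(word[1:-1])))


# Single words worth scramble-checking; words too short to scramble are skipped.
SCRAMBLE_VOCAB = {w: signature(w) for k in KEYWORDS for w in k.split() if len(w) >= 4}


def scan(raw_html: str) -> dict:
    """Return exact keyword hits and (scrambled_token, keyword) pairs."""
    text = normalize(visible_text_and_urls(raw_html))
    hits = {"keywords": [kw for kw in KEYWORDS if kw in text], "scrambled": []}
    for tok in sorted(set(re.findall(r"[a-z]{4,}", text))):
        for word, sig in SCRAMBLE_VOCAB.items():
            if tok != word and signature(tok) == sig:
                hits["scrambled"].append((tok, word))
    return hits


if __name__ == "__main__":
    for name, fragment in SAMPLES.items():
        print(f"{name:9s} -> {scan(fragment)}")
```

The signature check is deliberately loose: it flags any token whose ends and multiset of middle letters match a keyword, so on a large vocabulary it will also pair unrelated anagram-like words and should be treated as a scoring signal rather than a verdict. The image-for-letters variant from the text is not caught by any of this; it needs OCR of the rendered page.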