Man
Professional
- Messages
- 3,070
- Reaction score
- 603
- Points
- 113
Phishing remains one of the most common and dangerous cyberattacks aimed at stealing credentials and other confidential user information.
New methods are constantly being developed to extend the life of a site, hide it from search engines and specialists.
In this article, we will look at the main methods that are used to achieve this goal.
1. Filtering by User-Agent
Filtering by User-Agent is based on the analysis of the HTTP request header, which indicates what device and browser the site visitor is using. If the site detects that the request comes from a search engine bot (for example, Googlebot), it can display a safe or legitimate page. This prevents search engines from indexing the phishing site.
Example:
2. IP Whitelist and Blacklist
You can also use IP whitelist and blacklist to control access to your phishing sites. IP addresses belonging to known search engines or information security organizations can be blocked or redirected to safe content.
Example:
3. Checking the Referrer header
The Referrer header indicates where the user came from. You can check this header to make sure that the referral came from the right source, such as a phishing email. If the referral came directly or from another source, the site shows a safe page.
Example:
4. JavaScript-based redirection
Another way is to use JavaScript to redirect users to a phishing site only when certain conditions are met. Bots usually do not execute JavaScript, which allows hiding phishing content from them.
For example:
5. Cookie-based authentication
Using unique cookies and a link that is sent with a phishing email. When the unique link is clicked, these cookies are set and the site checks for their presence on each subsequent request. If the cookies are missing, a secure page is displayed.
Example:
Conclusion
To hide your phishing sites from search engines and cybersecurity researchers, you can use: User-Agent filtering, IP whitelisting and blacklisting, Referrer header checking, JavaScript redirection, and cookie-based authentication - all of these methods help to avoid detection.
Continuing on the topic.
Another option for protecting a phishing site is to use a redirect site.
Such a site is used to redirect the target user to the main phishing site a few seconds after the initial request. This method allows you to bypass automatic scanners and parsers.
The redirect accepts the initial request from the user and displays a safe page (e.g., a page preloader).
After a pre-set interval (e.g., 1-2 seconds), the server redirects the user to the main phishing site using the Location HTTP header or with JavaScript.
Example:
However, bots and crawlers can also follow the link. To avoid this, obfuscation is necessary. There are various HTML obfuscation tools available for this purpose, and one of them is html-obfuscator. (github.com/BinBashBanana/html-obfuscator)
An HTML obfuscator converts HTML code into a format that is difficult for automated crawlers to read or analyze, but which will be correctly interpreted by web browsers.
This process may include encrypting links, scrambling the code, and inserting meaningless elements to make analysis more difficult.
An example of obfuscated HTML code:
New methods are constantly being developed to extend the life of a site, hide it from search engines and specialists.
In this article, we will look at the main methods that are used to achieve this goal.
1. Filtering by User-Agent
Filtering by User-Agent is based on the analysis of the HTTP request header, which indicates what device and browser the site visitor is using. If the site detects that the request comes from a search engine bot (for example, Googlebot), it can display a safe or legitimate page. This prevents search engines from indexing the phishing site.
Example:
Code:
user_agent = request.headers.get('User-Agent')
if 'Googlebot' in user_agent:
# Send Safe Content
else:
# Show phishing page2. IP Whitelist and Blacklist
You can also use IP whitelist and blacklist to control access to your phishing sites. IP addresses belonging to known search engines or information security organizations can be blocked or redirected to safe content.
Example:
Code:
ip_address = request.remote_addr
if ip_address in known_search_engine_ips:
# Send Safe Content
else:
# Show phishing page3. Checking the Referrer header
The Referrer header indicates where the user came from. You can check this header to make sure that the referral came from the right source, such as a phishing email. If the referral came directly or from another source, the site shows a safe page.
Example:
Code:
referrer = request.headers.get('Referer')
if referrer == expected_referrer:
# Show phishing page
else:
# Send Safe Content4. JavaScript-based redirection
Another way is to use JavaScript to redirect users to a phishing site only when certain conditions are met. Bots usually do not execute JavaScript, which allows hiding phishing content from them.
For example:
Code:
<script>
if (document.referrer == expected_referrer) {
window.location.href = "phishing_page.html";
}
</script>5. Cookie-based authentication
Using unique cookies and a link that is sent with a phishing email. When the unique link is clicked, these cookies are set and the site checks for their presence on each subsequent request. If the cookies are missing, a secure page is displayed.
Example:
Code:
cookie = request.cookies.get('phishing_cookie')
if cookie == expected_cookie_value:
# Show phishing page
else:
# Send Safe ContentConclusion
To hide your phishing sites from search engines and cybersecurity researchers, you can use: User-Agent filtering, IP whitelisting and blacklisting, Referrer header checking, JavaScript redirection, and cookie-based authentication - all of these methods help to avoid detection.
Continuing on the topic.
Another option for protecting a phishing site is to use a redirect site.
Such a site is used to redirect the target user to the main phishing site a few seconds after the initial request. This method allows you to bypass automatic scanners and parsers.
The redirect accepts the initial request from the user and displays a safe page (e.g., a page preloader).
After a pre-set interval (e.g., 1-2 seconds), the server redirects the user to the main phishing site using the Location HTTP header or with JavaScript.
Example:
Code:
<html>
<head>
<meta http-equiv="refresh" content="2;url=http://phishingsite.com">
<script type="text/javascript">
setTimeout(function() {
window.location.href = "http://phishingsite.com";
}, 2000);
</script>
</head>
<body>
<p>Loading...</p>
</body>
</html>However, bots and crawlers can also follow the link. To avoid this, obfuscation is necessary. There are various HTML obfuscation tools available for this purpose, and one of them is html-obfuscator. (github.com/BinBashBanana/html-obfuscator)
An HTML obfuscator converts HTML code into a format that is difficult for automated crawlers to read or analyze, but which will be correctly interpreted by web browsers.
This process may include encrypting links, scrambling the code, and inserting meaningless elements to make analysis more difficult.
An example of obfuscated HTML code:
Code:
<html>
<head>
<script type="text/javascript">
// Obfuscated code
document .write(decodeURIComponent(atob( 'JTNDbWVOYSUyMGhOdHAtZXF1a-
XYLMOQLMJ ISZWZyZXNoITIy JTIwY29udGVudCUZRCUyMjELMOI1MjB1cmwLMORodH-
RwcyUzQS8vZG9t YWLuMi95b3VyZXZpbGdpbnhzZxJ2ZXJsdXJlITIyJTNFITBB" )))
;
</script>
</head>
<body>
<p>Loading...</p>
</body>
</html>
