BitDam Blog

Alert: New Phishing Evasion Technique
Maor hizkiev
Maor hizkiev
3 minutes & 54 seconds read · September 13, 2020

Alert: New Phishing Evasion Technique

Aiming to decrease the chances of being detected and gaining more time before their phishing scam is exposed and blocked by response organizations, attackers use multiple evasion techniques. And they continue to be creative about it! 

Tracking these techniques closely, we see a variety of them. Here are a few evasion techniques that help phishing attacks bypass security solutions:  

  1. Mobile only – The link directs to the malicious webpage only if browsing from mobile devices, leveraging the fact that mobile devices are less secure than desktops and that users may pay less attention when browsing from their mobile.
  2. Javascript redirect on startup – since redirecting by the browser is easily detected by most security solutions, attackers set the redirect to malicious webpages to be done by the browser which goes below the security tools’ radar. 
  3. Timers before redirecting – the attack waits a few seconds before redirecting to the malicious link in order to evade security solutions that run for a limited timeframe.
  4. Button automation – the redirection to the malicious page is done only following clicking a button which verifies that the user is a real person. Security solutions don’t click it and therefore don’t “get to see” the malicious page and can’t detect the link as malicious. 
  5. Captcha defender – just like the simple button automation, the victim is redirected to the malicious URL only after clicking a captcha or a reCAPTCHA and being identified as a real person. Here again – if the security tool can’t access the malicious page, it definitely can’t detect it as malicious.

These techniques and others reduce security solutions’ effectiveness making it almost impossible to prevent phishing attacks. 


Evade with a click of a captcha  

In the past couple of weeks our researchers identified a drastic increase in the number of attacks using a captcha defender to go through security tools. And guess what, these phishing attacks indeed bypassed leading Secure Email Gateway (SEG) solutions and even Advanced Threat Protection products including Office ATP and Proofpoint TAP. 

The prevalence of this technique seen among BitDam’s customers grew by hundreds of percentages in the past couple of weeks, compared to the previous two weeks. Scanning all attacks from various feeds, we’ve observed the same trend in these feeds as well, driving us to the conclusion that this was added to popular phishing kits.  

It starts with what seems like an innocent email. Here is one example for a subject line: “New Sharedfile Received for BRAND“. Opening the email, it looks like the email contains several attachments and the user is requested to click a button to view them saying “BRAND uses Outlook Files to share documents securely”. Clicking it would lead to a captcha page that looks like this:

The next page would be the actual phishing URL. For example:

By now, you are probably wondering how common this technique is and who are the target victims. So…it is more common than you would imagine. We saw it targeting most of our customers which range from small and medium businesses to enterprises with many thousands of users from various industries and locations. This evasion technique was used in phishing attempts in Europe, North America and The Middle East. The attacks were almost always delivered via email. 

Perhaps the most interesting thing about the attacks that BitDam prevented among its customer base was that all of them were leading to fake Microsoft login pages. As you can see in these screenshots, they varied in their graphics, but Microsoft remains the number one target with hackers desiring to steal Microsoft user credentials. 

What can we do about it? 

Assuming you don’t want to be the next victim, I would start by checking if your email security vendor detects such attacks. You can simply register to BitDam Lucky Meter which will send you the most recent phishing (and malware) attacks as soon as they are released to the wild, and provide you with a simple dashboard so you can easily know what bypassed your current email security. BTW – it’s totally free. 

Of course, you should never enter your credentials to unknown websites, but that tip is pretty outdated. Everyone knows they shouldn’t click suspicious links but somehow there are more successful phishing scams every day. This means someone does click them, right? 

However, if you do come across a URL that you aren’t sure about and would like to scan for phishing before going on, you can always use this online phishing scanner that will give you a verdict in no time, letting you know if the link is a phishing scam.

Schedule a Demo

Enter your email to get a free trial invitation