Hiding in Plain Sight – Obfuscation Techniques in Phishing Attacks

Unfortunately for the organizations and individuals they target, it’s no longer necessary for cybercriminals to code up their own sophisticated attacks. Phishing and spam kits, for example, are complete, off the shelf tools that even inexperienced cybercriminals can use to deploy fake websites and spam massive user lists to lure them to these sites. And these sites and lures are effective, especially when they resemble legitimate websites like Dropbox or Google.

These sites aren’t just effective, though. They are also increasingly difficult to detect, making use of advanced obfuscation techniques to hide their real purpose. Phishing kits use a variety of encoding and JavaScript to prevent both users and security vendors from determining that the landing pages are anything other than harmless text or benign functions for rendering HTML.

Proofpoint researchers analyzed seven different obfuscation techniques on phishing landing pages, ranging from a base64 refresh to multibyte xor encoding. The complete analysis can be found here with deep dives into the code behind these techniques that are appearing in modern phishing kits.

For individuals and organizations, the dealing with this level of sophistication requires a multifaceted approach. Not only should both endpoints and networks be protected against phishing email lures and potentially malicious web pages, but users need to be savvy about the warning signs of a phishing attack. Strange URLs and sites asking for personal information unexpectedly are both red flags, but comprehensive user education remains critical to protecting networks and users alike.

One response to “Hiding in Plain Sight – Obfuscation Techniques in Phishing Attacks

  1. We stumbled over here different web page and thought I might as well check things out. I like what I see so i am just following you. Look forward to looking over your web page repeatedly.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.