title: Fake Not Found page
description: |
  A common way for phishing sites to avoid detection is by presenting a fake 404 error page when requested using the "wrong" User Agent (or from the wrong GeoIP location).
  These fake error pages exactly mimic the HTML of an Apache 404 page, but unless the threat actor has configured their site to hide it, there are two giveaways that it's fake:
  - It sends an `X-Powered-By: PHP` header
  - It sets a `PHPSESSID` cookie
  These are both clear evidence that the 404 page has been generated by PHP and not by Apache itself.
detection:
  notfoundPageFragments:
    html|contains:
      - "<title>404 Not Found</title>"
      - "<p>The requested URL was not found on this server.</p>"
  phpHeader:
    headers|contains: "X-Powered-By: PHP"
  phpCookie:
    cookies|startswith: "PHPSESSID="
  condition: notfoundPageFragments and (1 of php*)
tags:
  - cloaking
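As an added example (this is not part of the rule above or of the project that publishes it), the following Python applies the same three checks and the same `notfoundPageFragments and (1 of php*)` condition to raw HTTP responses. The three responses are constructed for illustration: a genuine Apache 404, a PHP-generated imitation of it, and a PHP-generated imitation from a server configured to hide the giveaways (in PHP this means `expose_php = Off` to drop the `X-Powered-By` header and a non-default `session.name` to rename the session cookie). The third case is the limitation the rule's own description acknowledges, and the example shows it is not detected. The `HttpResponse` type, `parse_http_response` and the check functions are names chosen here, not anything from the rule's engine.

```python
from dataclasses import dataclass
from typing import List, Tuple

Headers = List[Tuple[str, str]]  # ordered (name, value) pairs; Set-Cookie may repeat

# Fragments the rule looks for in the HTML (taken from the detection block above).
NOT_FOUND_FRAGMENTS = (
    "<title>404 Not Found</title>",
    "<p>The requested URL was not found on this server.</p>",
)


@dataclass
class HttpResponse:
    status: int
    headers: Headers
    body: str


def parse_http_response(raw: str) -> HttpResponse:
    """Split a raw HTTP/1.x response into status, header pairs and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpResponse(status, headers, body)


def header_values(headers: Headers, name: str) -> List[str]:
    """All values of a header, matched case-insensitively (keeps duplicates)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def notfound_page_fragments(resp: HttpResponse) -> bool:
    # html|contains with a list: every fragment must be present
    return all(fragment in resp.body for fragment in NOT_FOUND_FRAGMENTS)


def php_header(resp: HttpResponse) -> bool:
    # headers|contains "X-Powered-By: PHP" (e.g. "X-Powered-By: PHP/7.4.33")
    return any(v.startswith("PHP") for v in header_values(resp.headers, "X-Powered-By"))


def php_cookie(resp: HttpResponse) -> bool:
    # cookies|startswith "PHPSESSID=" applied to each Set-Cookie header
    return any(v.startswith("PHPSESSID=") for v in header_values(resp.headers, "Set-Cookie"))


def is_fake_not_found(resp: HttpResponse) -> bool:
    """condition: notfoundPageFragments and (1 of php*)"""
    return notfound_page_fragments(resp) and (php_header(resp) or php_cookie(resp))


# Canonical Apache 2.4 404 body that the phishing kit copies verbatim.
APACHE_404_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head>\n<title>404 Not Found</title>\n</head><body>\n"
    "<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n"
    "</body></html>\n"
)

# Constructed sample responses (not captured from any real site).
GENUINE_APACHE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.57 (Debian)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n" + APACHE_404_BODY
)

FAKE_PHP_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.57 (Debian)\r\n"
    "X-Powered-By: PHP/7.4.33\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef0123456789; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n" + APACHE_404_BODY
)

# Same kit, but expose_php=Off and session.name changed: nothing left to match.
CLOAKED_PHP_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.57 (Debian)\r\n"
    "Set-Cookie: sid=0123456789abcdef0123456789; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n" + APACHE_404_BODY
)


def classify_samples() -> dict:
    """Run the rule over the three constructed responses."""
    samples = {
        "genuine_apache": GENUINE_APACHE_404,
        "fake_php": FAKE_PHP_404,
        "cloaked_php": CLOAKED_PHP_404,
    }
    return {name: is_fake_not_found(parse_http_response(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {'FAKE 404 (PHP)' if verdict else 'no match'}")
```

When hunting for cloaked kits, request the page with several User-Agent values (a browser UA, a known crawler UA) and from more than one network location, and run each response through the same check; a genuine Apache 404 will look the same from everywhere, while a cloaking site will serve the PHP-generated one only to the clients it wants to turn away.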