IOK Rules: anti-analysis

Base64 & URL-encoded document body

To evade static analysis, the document body can be wrapped in several JavaScript functions such as `decodeURIComponent` and `atob` in order to evade analysis. This helps defeat simple scanners which don't evaluate JavaScript.

reCAPTCHA

To make it harder to analysts to get a good capture of a phishing site, some are using Google's reCAPTCHA service.

Base64-encoded document body

To evade static analysis, the document body can returned base64 encoded in the response where JavaScript can decode it and append it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.

testcookie NGINX anti-bot

`testcookie-nginx-module` is a basic anti-bot mechanism using a JavaScript-based challenge to defeat simple analysis by sandboxes which don't evaluate JavaScript.

Data-Content attribute obfuscation

Detects an obfuscation technique found being used by a phishing kit where it appends the content of the parent tag into the `data-content` attribute with the data being encoded using ASCII values to evade static analysis.

Class attribute obfuscation

Detects an obfuscation technique found being used by a TrustWallet phishing kit where it appends several repeating groups of characters to the class attribute of all HTML elements in the page.

rot13 encoded body

To evade static analysis, the document body can returned with each character rotated by some fixed amount in the response where JavaScript can decode it and append it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.

Hex-encoded document body

To evade static analysis, the document body can returned hex encoded in the response where JavaScript can decode it and append it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.