IOK Rules: cloaking

ipapi

ipapi is a GeoIP service that returns the country code and other information for an IP address. It's regularly used by phishing kits that want to hide themselves from analysts outside the country they're targeting. This is a very naive approach (often the entire phishing page is loaded and only then is the visitor immediately redirected away), but it is often enough to evade basic sandboxes.

Fake Chrome error page

The Chrome error page HTML is built into the browser: you should never see it in the response from a website. This is a clear sign that the site is employing cloaking/anti-analysis techniques.

Fake Not Found page

A common way for phishing sites to avoid detection is by presenting a fake 404 error page when the request arrives with the "wrong" User Agent (or from the wrong GeoIP location). These fake error pages exactly mimic the HTML of an Apache 404 page, but unless the threat actor has configured their site to hide it, there are two giveaways that it's fake:

- It sends an `X-Powered-By: PHP` header
- It sets a `PHPSESSID` cookie

These are both clear evidence that the 404 page has been generated by PHP and not by Apache.
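The following added example (not part of the IOK rule set or its tooling) implements two of the tells described on this page as checks over a raw HTTP response: the PHP-generated "Apache" 404 from this section, and the ipapi call-out from the ipapi section above. The Apache body markers are taken from the stock Apache `404 Not Found` page; the `ipapi` hostname pattern and all sample responses are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ParsedResponse:
    status: int
    headers: dict  # lower-cased header name -> list of values (repeatable headers kept)
    body: str


def parse_raw_response(raw: str) -> ParsedResponse:
    """Split a raw HTTP/1.x response into status, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 404 Not Found" -> 404
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return ParsedResponse(status, headers, body)


# Fragments of Apache's default 404 page; a cloaked kit copies this HTML verbatim.
APACHE_404_MARKERS = ("<title>404 Not Found</title>", "The requested URL")


def fake_apache_404(resp: ParsedResponse) -> list:
    """Return the reasons an Apache-looking 404 appears to be PHP-generated.

    An empty list means either the response is not an Apache-style 404 at all
    or none of the PHP giveaways are present.
    """
    if resp.status != 404:
        return []
    if not all(marker in resp.body for marker in APACHE_404_MARKERS):
        return []
    reasons = []
    for value in resp.headers.get("x-powered-by", []):
        if "php" in value.lower():
            reasons.append(f"X-Powered-By: {value}")
    for value in resp.headers.get("set-cookie", []):
        if value.upper().startswith("PHPSESSID="):
            reasons.append("PHPSESSID cookie set")
    return reasons


# Assumed URL shape for the ipapi GeoIP service; adjust to the hostnames you observe.
IPAPI_RE = re.compile(r"https?://(?:[a-z0-9.-]*\.)?ipapi\.[a-z]+/[^\s\"']*", re.I)


def ipapi_references(body: str) -> list:
    """Return de-duplicated ipapi URLs referenced by page markup or scripts."""
    return sorted({m.group(0) for m in IPAPI_RE.finditer(body)})


# Constructed sample responses (not captured from any real site).
APACHE_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
    "<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n"
    "<p>The requested URL was not found on this server.</p>\n</body></html>"
)
FAKE_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: Apache\r\nX-Powered-By: PHP/7.4.33\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\nContent-Type: text/html\r\n\r\n"
    + APACHE_BODY
)
REAL_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
    + APACHE_BODY
)
CLOAKING_PAGE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<script>fetch("https://ipapi.co/json/").then(r => r.json())'
    '.then(d => { if (d.country_code !== "US") location.href = "https://example.invalid/"; });</script>'
)


if __name__ == "__main__":
    print(fake_apache_404(parse_raw_response(FAKE_404)))
    print(fake_apache_404(parse_raw_response(REAL_404)))
    print(ipapi_references(parse_raw_response(CLOAKING_PAGE).body))
```

Both checks are deliberately conservative: the 404 rule fires only when the body matches Apache's stock page and at least one PHP giveaway is present, so a genuine Apache 404 or a PHP application's own custom error page is not flagged, and the ipapi check reports what it saw rather than deciding on its own that the page is cloaked.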