Anti-analysis checks are used by phishing sites to detect when they're being accessed by security teams and display benign content rather than the real phishing site.
Phishers are in a constant race with security teams: how many victims can they compromise before their site is shut down.
By adding an "antibot" script to their phishing kit, phishers can increase the time it takes for security teams to identify and report the site:
When a phisher sends out their phishing site via SMS messages, they only expect the site to be viewed by mobile browsers. But, security teams generally aren't using mobiles so this makes for a great opportunity for the phisher to filter by the browser user agent.
Luckily, all major browsers let you spoof your user agent using their developer tools:
Many phishing sites impersonate companies who only have customers in one or a small number of countries. In these cases, phishers can restrict access to the phishing site to just those targeted countries.
Although this usually doesn't stop security teams discovering the site (as they're likely in the same country as their customers), but it does impact abuse teams at hosting providers. The phisher can easily choose a hosting provider outside their target country and so when their abuse team reviews a report they may be unable to see any malicious content.
To bypass geo IP restrictions, ensure you're using a VPN whose traffic exits in the targeted country.
Phishers want their sites to avoid detection for as long as possible which means avoiding automated security scanners. As these scanners are running on servers hosted in datacenters, phishers can reject requests from IPs known to belong to datacenters.
To bypass residential IP restrictions, use a VPN or proxy solution which routes through residential IPs.
Users are completely used to passing CAPTCHA tests and so a page like this arouses no suspicion:
But for a security team trying to detect phishing sites, this imposes TODO
The most common way to do this is using something like Headless Chrome, but by default this is very obvious to phishers.
A phishing site can simply look for the
navigator.webdriver property and then not display any phishing content:
The navigator.webdriver property is true when in:
Chrome: The --enable-automation or the --headless flag or the --remote-debugging-port is used.
Firefox: The marionette.enabled preference or --marionette flag is passed.
Like any other website, there's two places phishers can add anti-analysis checks:
Server-side anti-analysis checks are the hardest to reverse engineer because the code isn't available to analyse.
But, these checks are limited to the data sent in the HTTP request to the server:
In particular, this means they can't do anything to check whether a headless browser is being used.
In contrast, client-side anti-analysis checks are significantly easier to reverse engineer and bypass. Either: