In order to increase the lifespan of phishing attacks, most threat actors implement evasion techniques to keep their phishing sites from being detected by security professionals.
One such blocking technique, Geoblocking by IP, takes advantage of the victim’s location. If the person clicking a link in a phishing lure or email is in the wrong geographical region, they will see other content instead. This can include fake down pages (e.g. 404 not found, 403 unauthorized, account suspended, etc.), the legitimate website of the brand being abused, advertising sites, adult sites, or even just a blank white screen. Though this behavior is meant to seem legitimate, anti-phishing experts often detect it and use it as an indicator of hidden content; accessing that content requires a bit more finesse.
Below is an example of a webpage we encountered while investigating an attack targeting a Canadian company. When attempting to access a phishing URL from the United States, we were directed to this Account Suspended page. At first glance, it looked as though the hosting provider had already taken this attack offline. However, when attempting to access the same attack while simulating a Canadian location, the phishing website resolved and revealed that the offline page was fake.
Adding this sort of control to a phishing website ensures that only a select few will be able to quickly access the fraudulent site and that most others will simply see a benign page and move along.
What non-targets see when accessing the phishing URL.
What the target is intended to see.
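A triage check for the pattern described above, as an added example that is not from the original article: it labels the response each vantage point received for one URL and flags the URL when some regions get a credential form while others get a decoy. The region codes, sample HTML and text patterns are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Text markers for the fake down pages the article lists (patterns are assumptions).
DOWN_PAGE = re.compile(r"account suspended|404 not found|403 unauthorized", re.I)

class _Scan(HTMLParser):
    """Collects text nodes and notes whether a password field is present."""
    def __init__(self):
        super().__init__()
        self.has_password = False
        self.text = []
    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password = True
    def handle_data(self, data):
        self.text.append(data)

def classify(status, body):
    """Label one response: credential_form, fake_down_page, blank, or other."""
    scan = _Scan()
    scan.feed(body)
    visible = " ".join(" ".join(scan.text).split())
    if scan.has_password:
        return "credential_form"
    if not visible:
        return "blank"
    if status in (403, 404) or DOWN_PAGE.search(visible):
        return "fake_down_page"
    return "other"

def geoblock_verdict(responses):
    """responses: {region: (http_status, html)} for one URL seen from several regions."""
    labels = {region: classify(*resp) for region, resp in responses.items()}
    served = sorted(r for r, label in labels.items() if label == "credential_form")
    decoys = sorted(r for r, label in labels.items() if label != "credential_form")
    return {"labels": labels, "geoblocked": bool(served and decoys),
            "served_regions": served, "decoy_regions": decoys}

# Constructed sample responses modelled on the article's case (US decoy, CA phish).
SAMPLE = {
    "US": (200, "<html><body><h1>Account Suspended</h1><p>Contact your host.</p></body></html>"),
    "CA": (200, "<html><body><form method='post'><input type='text' name='user'>"
                "<input type='password' name='pass'></form></body></html>"),
    "GB": (200, "<html><body></body></html>"),
}

if __name__ == "__main__":
    print(geoblock_verdict(SAMPLE))
```

A URL that returns a decoy from every region is not flagged by this check; it may be genuinely offline or filtering on something other than location.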
Getting Around Geoblocking
When a threat actor attempts to lock in their phishing sites by region, those outside of the target area have a few options. These all involve changing connection settings within the user’s computer so that it appears to come from somewhere other than its physical location. It is, of course, necessary to know the intended target region first, otherwise each attempt to access is a shot in the dark.
The most common approach is to use a VPN or a proxy, which spoofs the user’s IP address to appear to come from a specified region. VPNs have the added benefit of encrypting all user traffic, so they are a go-to option for those concerned with privacy. Most security professionals already have access to some form of VPN or proxy, which allows them to simply select the area targeted by an attack and make their computer look like a potential victim.
Another method for circumventing geoblocking is onion routing, the most common form of which can be found in the Tor network. This process is best expressed by The Tor Project themselves:
“The goal of onion routing was to have a way to use the internet with as much privacy as possible, and the idea was to route traffic through multiple servers and encrypt it each step of the way.”
This approach is so effective at masking a user’s actual identity (including location) that it is often used by criminals to access the dark web, where they can safely engage in illicit activity. Security professionals, however, use the Tor network to protect themselves as they access dangerous content, including phishing websites.
Additionally, some services such as SmartDNS offer DNS spoofing. This is another way to make a user appear to come from a certain region. This approach has the advantage of speed, as it only attempts to spoof DNS requests. But it is not used as commonly as VPNs or conventional proxies, as it does not spoof the user’s IP, and it does not encrypt any traffic.
Why Threat Actors Use Blocking Techniques
At first glance, it can seem counterintuitive for an attacker to limit the scope of an attack. From the perspective of the threat actor, we might suppose that the more opportunities to steal credentials, the better. However, if we approach phishing as a business venture, an investment with costs and potential benefits, limiting the scope and blocking access makes sense.
For starters, there is always a cost involved with setting up a phish. This can be minimal, with certain sites offering to host content for free; all the attacker needs is to either invest a small amount of time setting up a couple of basic phishing pages, or spend money on a phish kit, a package containing the whole phishing site.
At times, though, an attacker may choose to spend a few hundred dollars for a lookalike domain, hosting with greater availability, and a complex phish kit with multiple layers of input validation and baked-in blocking techniques. This greater cost is justified by the prospect of a greater return, and PhishLabs often sees these attacks targeting a small set of highly lucrative targets. By limiting an attack to such a small surface, a threat actor can ensure that the vast majority of a phishing site’s views come from bona fide targets.
In either case, whether the investment is small or large, it is in the threat actor’s best interest that the attack remains active long enough to provide a return on this investment. And if only those targeted by the attack are able to access it, this makes it much more difficult for security professionals to detect and report it to the responsible organizations.