Phishing is a constantly evolving threat. Over the years it has become far more scalable, with an overwhelming number of campaigns launched daily, and it changed again when criminals started adding capabilities and features to their toolkits that make phishing websites longer lived and harder to detect.
Our previous publications show a variety of techniques criminals use to evade detection, including blacklisting unwanted visitors such as search engine crawlers and security scanners, and randomly generating phishing web page content and URLs. The point of all this evasion development is to keep the phishing attack hidden: the longer the scam lives, the more effective it is.
7 Pieces of Obfuscated Code
Fig. 1: The complete phishing page before being rendered
The second payload contains the encoded chunks of the page content and also references one of the values in the first payload. This cross-referencing makes the code harder to understand and debug, because the second payload cannot be decoded without first resolving the value it pulls from the first.
Code that is executed but is not essential to the rendering or functionality of the page is considered dead code. It is added purely to make the phishing source code harder to understand and debug.
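The two-stage layout and the dead-code padding described above, as an added example that is not code from the original post or from the phishing kit it analyzes. It models the structure the post describes: stage 1 is a table of values, stage 2 holds the page split into encoded chunks that reference stage 1 by index, and a loader script carries functions that are never called. The obfuscation routine is included only so the sample can be generated offline; the sample HTML, the loader script, the XOR-plus-base64 encoding and all names (stage1, stage2, keyIndex, pos) are assumptions for illustration, not the kit's real format.

```javascript
// Added example, not code from the original post. Models the two-stage
// payload layout the post describes; encoding scheme and names are assumptions.

// XOR `buf` with a repeating `key` (used by both the builder and the decoder).
function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % key.length];
  return out;
}

// Attacker-side transform, included only to construct the sample offline.
// Splits `html` into `n` chunks, XORs each with `key`, base64-encodes them and
// stores them out of order; the key itself lives in stage 1 and stage 2 only
// carries its index, which is the cross-reference the post describes.
function buildPayloads(html, key, n) {
  const keyBytes = Buffer.from(key, "utf8");
  // "ZGVhZA==" and "bm9pc2U=" are filler ("dead", "noise"); index 1 is the key.
  const stage1 = ["ZGVhZA==", keyBytes.toString("base64"), "bm9pc2U="];
  const keyIndex = 1;
  const size = Math.ceil(html.length / n);
  const chunks = [];
  for (let i = 0; i < n; i++) {
    const piece = Buffer.from(html.slice(i * size, (i + 1) * size), "utf8");
    chunks.push({ pos: i, data: xorBytes(piece, keyBytes).toString("base64") });
  }
  // Stored reversed so a naive concatenation of the chunks yields garbage.
  return { stage1, stage2: { keyIndex, chunks: chunks.reverse() } };
}

// Analyst-side decoder: resolve the reference into stage 1, decode each chunk
// with that key, and reassemble the page in `pos` order.
function deobfuscate(stage1, stage2) {
  const key = Buffer.from(stage1[stage2.keyIndex], "base64");
  return stage2.chunks
    .slice()
    .sort((a, b) => a.pos - b.pos)
    .map((c) => xorBytes(Buffer.from(c.data, "base64"), key).toString("utf8"))
    .join("");
}

// Dead-code heuristic: function declarations that are never referenced again
// anywhere in the same script. Crude (no scope analysis, no dynamic calls),
// but it separates the functions that matter from the padding the post describes.
function findUnreferencedFunctions(js) {
  const declared = [...js.matchAll(/function\s+([A-Za-z_]\w*)\s*\(/g)].map((m) => m[1]);
  return declared.filter((name) => {
    const uses = js.match(new RegExp("\\b" + name + "\\b", "g")) || [];
    return uses.length <= 1; // only the declaration itself
  });
}

// Constructed sample: a credential-harvesting form and a loader with padding.
const SAMPLE_PAGE =
  '<form action="/reset.php" method="post">' +
  '<input name="email"><input name="password" type="password"></form>';
const SAMPLE_LOADER = `
function decodeStage(s) { return atob(s); }
function checkBrowser() { return navigator.userAgent.length > 0; }
function padA() { var x = 1; for (var i = 0; i < 10; i++) { x += i; } return x; }
function padB() { return "unused"; }
document.write(decodeStage(window.__p2));
`;

const sample = buildPayloads(SAMPLE_PAGE, "k3y!", 4);
const recovered = deobfuscate(sample.stage1, sample.stage2);
console.log(recovered === SAMPLE_PAGE ? "page recovered" : "mismatch");
console.log("never-called functions:", findUnreferencedFunctions(SAMPLE_LOADER));
```

Run it with Node. The decoder deliberately does not execute any of the sample: it resolves the cross-reference and reorders the chunks statically, which is the safe way to get at the rendered page without letting the phishing kit's loader run. The unreferenced-function list is a triage aid only; a kit that calls its functions through `eval` or computed property names will defeat the regex, which is exactly the kind of anti-analysis the post goes on to mention.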
Retrieve Payload Data
Finally, the rendered page is a standard fake "forgotten password" phishing page that trades on a well-known brand's familiarity. Its sole purpose is to steal victims' credentials.
The examples in this blog are just the tip of the iceberg; more complex techniques, including huge blocks of embedded dead code and anti-debugging tricks, are constantly used in the wild.
Analyzing such pages, decoding the payloads and removing the obfuscation is not impossible, but it requires time and resources. The task is compounded by the overwhelming number of phishing and Magecart campaigns introduced daily, which lets many of these scams slip under the radar.