Every day our teams analyze millions of phish across the web, emails, social media, mobile, and most other common digital vectors. Many phishing sites are easy to review and analyze. However, some threat actors that we track take steps to hide their attacks from people other than their intended victims.
They do this as a defense mechanism to make it harder to analyze their techniques and keep their campaigns active for longer periods of time.
In a recent campaign, our Security Operations Center discovered a new and unique evasion technique. To date, this is one of the more sophisticated blocking techniques we have observed. It abuses a feature that select web browsers expose to pages and that is still marked experimental in some documentation: device motion and orientation events. More specifically, the phishing attack abuses the gyroscope and accelerometer that have been built into smartphones for more than a decade. The most common uses of these sensors can be seen in the 3D images on Facebook, augmented reality street view on Google Maps, or Pokémon Go.
While these examples are apps, the same sensors are readable from certain mobile browsers through JavaScript events. By registering for these events and checking whether genuine sensor readings arrive, a page can infer with good confidence that it is running on a handset rather than in a desktop browser or an automated analysis sandbox, and serve different content in response.
Why Threat Actors Use Blocking
Many phishing attacks rely on volume. Outside of BEC and other highly targeted approaches, the more lures a threat actor can distribute, the greater the chance of a return on their efforts. Security teams and email security technology will swat most of these away, but along the way someone will have fallen for the lure. This campaign, however, belongs to the highly targeted category, where each lure and each hour the page stays up matters far more.
Attackers use blocking and evasion techniques to decrease the likelihood of being quickly detected by response organizations, and therefore increase the longevity of their attack. They also use the same countermeasures to keep their tactics and techniques from being easily observed by rivals or security organizations. This is why the actor behind this campaign went to such lengths to keep analysts from seeing the attack. PhishLabs leverages advanced detection techniques powered by human intelligence in order to identify and defeat these countermeasures.
Mobile Sensor-Based Obfuscation Technique
Our team first detected this attack after analyzing lures, sent via text message, that impersonate a high-profile financial institution. The messages use a typical social engineering technique to get their targets to click on a lookalike URL by claiming to have an important notice for the soon-to-be victim.
The landing page's source was heavily obfuscated: functions upon functions, each with indecipherable names and arguments, calling out to each other. In these cases, obfuscation is the threat actor's passive attempt to thwart casual onlookers. A quick look reveals a Gordian knot that isn't worth the headache, and most move along. With a tug here and a prod there, however, the mechanics were gradually revealed.
“Geolocation” … “setTimeout” … “addEventListener” … “DeviceOrientationEvent”
With the code partially deobfuscated, we began investigating each element. This led to the discovery that the threat actor was attempting to guarantee the victim is using a mobile device by listening for the gyroscope and accelerometer readings these events carry. The next step was to give the phish a shot with a burner cell phone: nothing.
Sometimes attackers leverage multiple layers of countermeasures. So, we loaded the phone with a low-profile, region-specific proxy and tried again - Voila! The phishing content presented itself as if we were the intended target. With the content available, our SOC team was then able to properly action the threat like any other phishing or SMiShing attack.
Defanging the Blocking Technique
Just as the threat actor abuses specific features within mobile web browsers, analysts can use browser developer tools to thwart the blocking attempt. To defang it, security researchers need to simulate the data a smartphone's accelerometer or gyroscope would produce, either by dispatching synthetic orientation events from the developer console or by using a browser's sensor emulation panel, so that the page's check sees what it expects.
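The following is an added example written for this article, not code recovered from the phishing kit or PhishLabs tooling. It reconstructs, in simplified form, the kind of gate described above (show the phish only when a plausible `deviceorientation` reading arrives, fall through to a decoy after a timeout) together with the analyst-side step of injecting a synthetic reading to defeat it. The function names, the 1500 ms timeout and the sample sensor values are assumptions; the gate is kept generic rather than tied to the kit's actual obfuscated code.

```javascript
// Added example (not the kit's code): a sensor-based mobile gate and the
// analyst-side spoof that defeats it. Names, timeout and sample readings are
// assumptions for illustration.

// Desktop browsers either never fire "deviceorientation" or, in some builds,
// fire a single event whose alpha/beta/gamma are all null; a handset delivers
// finite numbers. Only the latter is treated as a real sensor reading.
function looksLikeRealSensor(ev) {
  return [ev.alpha, ev.beta, ev.gamma].some(
    (v) => typeof v === 'number' && Number.isFinite(v)
  );
}

// Attacker side: reveal the phishing content only after a plausible reading
// arrives; otherwise serve a decoy once the timeout elapses.
function createSensorGate(target, { onMobile, onBlocked, timeoutMs = 1500 }) {
  let decided = false;
  const decide = (isMobile) => {
    if (decided) return;
    decided = true;
    (isMobile ? onMobile : onBlocked)();
  };
  const listener = (ev) => {
    if (looksLikeRealSensor(ev)) decide(true);
  };
  target.addEventListener('deviceorientation', listener);
  const timer = setTimeout(() => decide(false), timeoutMs);
  if (typeof timer === 'object' && timer.unref) timer.unref(); // do not keep Node alive
  return {
    // Trigger the deadline immediately (for demos and tests).
    forceTimeout() { clearTimeout(timer); decide(false); },
    cancel() { clearTimeout(timer); target.removeEventListener('deviceorientation', listener); },
    isDecided() { return decided; },
  };
}

// Analyst side: build an orientation event the way a handset would. In a
// browser the real DeviceOrientationEvent constructor is used; outside a
// browser (e.g. Node) a plain Event is extended with the same fields.
function makeOrientationEvent(init = {}) {
  const fields = { alpha: null, beta: null, gamma: null, absolute: false, ...init };
  const Ctor = globalThis.DeviceOrientationEvent;
  if (typeof Ctor === 'function') return new Ctor('deviceorientation', fields);
  return Object.assign(new Event('deviceorientation'), fields);
}

// In a DevTools console this is simply: spoofOrientation(window)
function spoofOrientation(target, init = { alpha: 12.5, beta: 40.2, gamma: -3.7 }) {
  target.dispatchEvent(makeOrientationEvent(init));
}

// Stand-alone demo using a bare EventTarget in place of window.
function demo() {
  const fakeWindow = new EventTarget();
  let outcome = 'undecided';
  const gate = createSensorGate(fakeWindow, {
    onMobile: () => { outcome = 'phish served'; },
    onBlocked: () => { outcome = 'decoy served'; },
  });
  // What a desktop build may deliver: one event with null readings (gate stays closed).
  fakeWindow.dispatchEvent(makeOrientationEvent());
  const afterNulls = outcome;
  // What the analyst injects (gate opens).
  spoofOrientation(fakeWindow);
  gate.cancel();
  return { afterNulls, afterSpoof: outcome };
}

if (typeof window === 'undefined') console.log(demo());
```

In Chrome the same effect is available without pasting code: the DevTools Sensors panel (More tools > Sensors) lets you set a custom orientation, which makes the browser fire genuine events. Two caveats worth knowing: a page that gates on these events may also check Geolocation or a timer before committing, as this kit did, so spoof the sensor first and then watch for the next check; and on iOS 13 and later Safari only delivers orientation events after `DeviceOrientationEvent.requestPermission()` is granted from a user gesture, so the absence of events alone is not proof that a page is not on a phone.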
Once the threat has been unblocked, it can be analyzed like any other phishing threat. Our Digital Risk Protection team was able to defang said threat, have the phishing page taken down, and protect the financial institution that was being targeted.