Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Email Security

Evasive Malware, Meet Evasive Phishing

In a previous column, I wrote about how evasive malware has become commoditized and described how the techniques being used in any given piece of malware had grown in number and sophistication—the layering of multiple techniques being its own form of sophistication.

In a previous column, I wrote about how evasive malware has become commoditized and described how the techniques being used in any given piece of malware had grown in number and sophistication—the layering of multiple techniques being its own form of sophistication. At the time, we had been digging around in our sandbox array and found that 98 percent of malware sent for analysis was using at least one evasive technique, and one-third of malwares were using a combination of six or more detection evasion techniques. Then there are malwares like Cerber ransomware, which is very sandbox aware and runs 28 evasive processes or, if you like, uses 28 techniques intended to confound security systems and thus evade detection.

Phishing following the malware curve

I have spent most of my career in the malware world, so I’ve got a well-developed sense of the detection cat-and-mouse game between security professionals and malware developers—recognizing that for some the preferred metaphor is an arms race. Given the extensive and rich history of the evolution of malware, “evasive malware” entered the lexicon long ago and is an often-used term of art. Malware’s roots pre-date the Web, with early experiments playing “gotcha” with fork bombs and trojans infecting mainframes. In the 1980s, with the advent of PCs, we saw the first worms, self-encrypting viruses, and even the first ransomware—distributed on floppy disks. We come to the present, in which I keep a catalogue of evasive malware tactics divided into 26 categories, and talk frequently about how malware has entered a “hyper-evasive” phase.

“Evasive phishing,” however, is not a term much heard. When I do a search on the phrase, I get eight times the results for evasive malware that I do for evasive phishing. But my expectation is that we all will—and need to—start talking a lot more about “evasive phishing” than in the past. To be clear, when I use the term evasive phishing, I’m not talking about clever phishing pitches, well-designed emails or sites, or any social engineering techniques to mislead the user. I’m talking on a more “product strategy” and technical level about techniques to hide phishing infrastructure—principally web sites—from security systems and phishing URL crawlers.

Phishing kits exemplify the trend

Without even getting into the (very important) topic of the growth of “phishing-as-a-service,” we can see evasive tactics in the more straightforward and very large phishing kit sub-market—these kits are pre-packaged spoofed web pages downloaded as a ZIP file for a fee usually in the $50 range. 

Tactics to evade or make detection more difficult can include things like encrypting the whole phishing site with AES encryption, or encoding the title of the website in an effort to fool phishing crawlers. Basic tactics in use fall into two general categories: 1) blocking security systems from evaluating and seeing the true nature of the phishing site, by looking up the IP or domain from which the user is connecting and blocking (or redirecting) accesses originating from certain IP addresses or ranges; and blocking access from security bots or crawlers or other user agents that are searching for phishing sites, like the Googlebot, Bingbot, or Yahoo! Slurp.

Advertisement. Scroll to continue reading.

87% using evasive techniques

We just did a bit of focused work around phishing kits, where we monitored the use of files or code which makes a judgment about the user, as I was explaining above, then decides whether to actually show the phishing site. From a sample of 2,025 sites generated by various kits, it turns out that 87 percent of them use at least one type of basic evasive technique. The most common method for implementing this is use of a .htaccess file in the kit, which is a PHP script with these blocking or redirect functions. 

By the way, we also learned that many specialize in a single brand, like spoofing the Office 365 log-in page, or imitating Paypal or Dropbox pages. But many are multi-brand kits—for the money the cybercriminal gets the option of mounting phishing campaigns targeting any of many brands.

There’s a reason why surveys of IT and security admins this year keep pointing to phishing as the top source of breaches and, unsurprisingly, their top security concern. That will only change as security systems get up the curve on combating evasive phishing, which begins with a broader recognition of the changed nature of the game. Evasive malware, move over and make room for evasive phishing.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...