Threat Protection Pro: Defending against cloaking techniques

Cloaking is a dangerous technique that scammers use to direct you to phishing websites. How can you know you’re being scammed if both the web page and its URL look legit? As the name suggests, cloaking is designed to be undetectable, so what can you do about it? Let’s go through the main cloaking techniques and look at how Threat Protection Pro can help you avoid these hidden threats.

What is cloaking?

Cloaking definition

Cloaking is a black hat search engine optimization (SEO) technique that shows search engines and human users different versions of the same website. Cloaking tricks search engines into believing that the website content is relevant to the user’s query, when in reality it may be superficial, tangential, or even actively malicious.

In the broader context of cybersecurity, cloaking refers to a range of techniques that cyberattackers use to disguise harmful activities and target specific internet users. With the help of cloaking technologies, the targeted users are directed to scam websites.

Cloaking helps scammers evade detection by search engines and security tools, allowing them to show safe content to these entities while presenting malicious content to users. But how did a seemingly innocent SEO practice turn into a malicious one used by online criminals?

Evolution of cloaking techniques

In the early days of the internet, cloaking was relatively simple — it used CSS styling, HTML frames, and server-side redirects to hide content from search engines while showing different content to users. Website owners primarily used cloaking to protect their content from web scraping.

However, cloaking is now recognized as a “black hat” SEO technique because it violates search engine guidelines and unfairly manipulates the rankings. In addition to SEO manipulation, cybercriminals often use cloaking in phishing campaigns, for delivering malware, and to harvest user credentials.

Scammers use cloaking to target specific users by showing different web page versions depending on their region, language preferences, browser/device, or the site they’re coming from. Cloaking is nearly impossible to spot for the user, because you’re taken to a fake website that mimics a legitimate one and see a fake URL that looks very similar to a real one. This combination of a fake webpage and URL works to convince you that you are on the legitimate site so that you enter your credentials or personal information, which the cybercriminals then steal.

Hackers apply cloaking technology to hide malicious content from web crawlers or bots by using banned servers and networks. This way, they avoid detection by security systems but keep their harmful content visible to potential victims.

Understanding cloaking techniques

Scammers use cloaking in various ways, from implementing IP blocklist redirects and user-agent redirects to using flash-based cloaking.

IP blocklist redirect

An IP blocklist redirect is a cloaking technique in which a website can change what content users see based on their IP address. For example, it might show different content to users from different countries or block access entirely if a user is accessing the website from a restricted region.

For example, if a criminal uses the IP blocklist redirect to target a phishing or malware campaign at US users, and you visit their phishing website from a European IP address, you might be redirected to the legitimate website being mimicked, or the page might not load at all.

User-agent cloaking

User-agent cloaking involves showing different web page versions based on the user’s browser or device.

When you access a webpage, your browser sends information called the “user-agent string” to the web server. This string reveals details such as your browser type, version, operating system, and software vendor. Websites use this information to identify your software environment so that they can adjust and optimize the content you see. This process helps to ensure compatibility with different browsers and operating systems, but it may also be used to hide certain features or deliver tailored experiences based on the detected user-agent.

If a criminal uses user-agent cloaking and detects the request as coming from a known search engine crawler, they redirect the crawler to the legitimate web page. But if the criminal identifies the request as coming from a real person, they will check if the person’s operating system and browser type match the targets of their phishing or malware campaign. If they match, the user will see a fake web page designed to collect credentials and personal information or prompt a file download. If the operating system or browser type does not align with the targeted criteria, the user will be redirected to the legitimate web page.

Accept-language cloaking

Accept-language cloaking is a technique that uses the HTTP Accept-Language request header to determine which version of the website to present to you. In other words, accept-language cloaking allows websites to show different content based on the language preferences set in your web browser.

For example, if your browser requests content in French, the website might show you a page in French, while users with their browser set to English will see the page in English. Language preferences in web browsers help customize content for different language speakers or target specific audiences.

Let’s say a criminal uses accept-language cloaking to target users whose accept-language is set to French. If the criminal detects that the requestor’s preferred language is English, the webpage will be shown in English with no malicious content, or the user might be redirected to a legitimate website. However, if the requestor’s accept-language is set to French, the criminal makes sure the user sees malicious content.

Referrer cloaking

Referrer cloaking is a technique that hides or changes the information about the webpage you visited before clicking a link, so the website you visit next won’t know where you came from. This method can show different versions of a webpage based on the user’s referrer string.

A referrer string is part of the HTTP request sent by your browser when you click on a link. It tells the new website the URL of the page you came from. This information helps websites understand where their traffic is coming from, track referrals, and improve user experience. For example, if you click a link in “example.com” that takes you to “another-site.com,” the referrer string tells “another-site.com” that you came from “example.com.”

But how does referrer cloaking play into phishing attacks? A cybercriminal can use the information in the referrer string to decide what content to show the user.

If the referrer string shows that the user came from a reputable search engine (like Google, Yahoo, or Bing), the criminal might show safe, non-malicious content to avoid detection, because showing malicious content to users coming from search engines could draw attention and lead to the phishing site being flagged or removed. However, if the user clicks a link from a suspicious source (like a phishing email or smishing text) or directly types the URL into the browser, the criminal can serve them malicious content, such as a fake webpage designed to steal information.
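The user-agent, accept-language, and referrer sections above all describe a server that answers differently depending on one request header, which a defender can test for by requesting the same URL while changing one header at a time. The sketch below is an added example, not code from this article or from Threat Protection Pro; the probe header values, the `fetch` callable interface, the `.example` hostnames, and the constructed stand-in for an HTTP client are all assumptions.

```python
import re

# Baseline looks like an ordinary desktop browser arriving with no referrer.
BASELINE = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36",
    "Accept-Language": "en-US,en;q=0.9",
}
# Each probe changes exactly one header, so a changed response names its trigger.
PROBES = {
    "user-agent": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "accept-language": {"Accept-Language": "fr-FR,fr;q=0.9"},
    "referrer": {"Referer": "https://www.google.com/"},
}

def features(status, headers, body):
    """Reduce a response to traits that survive harmless page churn."""
    title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return (
        status,
        headers.get("Location", ""),                 # redirect target, if any
        title.group(1).strip() if title else "",
        bool(re.search(r"<input[^>]+type=[\"']?password", body, re.I)),
    )

def find_cloaking_triggers(url, fetch):
    """Return the header names whose change alters what `url` serves.

    `fetch(url, headers)` is an assumed interface returning
    (status, response_headers, body); wrap any HTTP client to match it.
    """
    base = features(*fetch(url, BASELINE))
    return sorted(
        name for name, override in PROBES.items()
        if features(*fetch(url, {**BASELINE, **override})) != base
    )

def constructed_fetch(url, headers):
    """Constructed sample responses (no network) following the crawler and
    search-referrer behaviour described in the sections above."""
    if "Googlebot" in headers["User-Agent"] or "google." in headers.get("Referer", ""):
        return 302, {"Location": "https://legit.example/"}, ""
    return 200, {}, "<title>Sign in</title><form><input type='password' name='p'></form>"

if __name__ == "__main__":
    print(find_cloaking_triggers("http://suspect.example/", constructed_fetch))
```

A difference on Accept-Language alone can be ordinary localisation, so the signal worth escalating is a credential form or redirect that appears for some profiles and not others. IP-based cloaking cannot be exercised by changing headers; it needs the same comparison run from different network vantage points.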

Threat Protection Pro: Cloaking detection and blocking

In the current cyber threat landscape, our data science and threat intelligence teams have identified a significant rise in sophisticated phishing and malware campaigns that use cloaking techniques to hide themselves from search engine crawlers, bots, and threat detection systems.

Every day, Threat Protection Pro blocks anywhere from several to several hundred phishing websites that use cloaking techniques:

| Time period | Number of blocked pages that use cloaking techniques |
|---|---|
| 2024-01-22/2024-01-28 | 47 |
| 2024-01-29/2024-02-04 | 163 |
| 2024-02-05/2024-02-11 | 224 |
| 2024-02-12/2024-02-18 | 2,366 |
| 2024-02-19/2024-02-25 | 347 |
| 2024-02-26/2024-03-03 | 124 |
| 2024-03-04/2024-03-10 | 167 |
| 2024-03-11/2024-03-17 | 135 |
| 2024-03-18/2024-03-24 | 115 |
| 2024-03-25/2024-03-31 | 129 |
| 2024-04-01/2024-04-07 | 151 |
| 2024-04-08/2024-04-14 | 297 |
| 2024-04-15/2024-04-21 | 8 |

In just under three months (from 2024-01-22 till 2024-04-15), our upgraded cybersecurity solution blocked a total of 4,273 phishing web pages that utilize cloaking techniques.

Cloaking examples

Cloaking is designed so that neither the user nor security software can detect it. It can be nearly impossible to identify cloaking unless you have advanced tools at your disposal, such as Threat Protection Pro.

With cloaking in action, you typically see a fake website and a fake URL. For example, you could click a link and be taken to a website that looks like Google, but its URL is “https://g00gle.com”.

Our threat protection team has successfully uncloaked some URLs for you to see. But keep in mind that in reality you would see a fake URL, closely resembling a legitimate one.

In this cloaking example, the uncloaked URL is “http://renner.000.pe/?i=1”, while the displayed web page looks like Google’s main page:

[Image: cloaked page]

Here the uncloaked URL of the phishing website is “http://renner.000.pe/?i=1”, but on your screen you see the fake login web page of a financial services provider:

[Image: uncloaked page]

How to protect yourself from cloaking

Recognizing a phishing website that uses cloaking might be impossible, especially if you’re not on the lookout for anything scammy. And even if you are great at noticing phishing attempts, some scams are so elaborate that you’ll still need a security tool to spot them.

By subscribing to NordVPN’s more comprehensive plans and downloading the NordVPN app, you get our Threat Protection Pro as part of the package. It will block malicious websites, including the ones that use cloaking technology. On top of that, Threat Protection Pro will stop web trackers and remove annoying ads for a safer and smoother browsing experience.
