Evasion techniques are methods attackers deploy to extend the life of phishing campaigns. The longer a threat is active, the more opportunity it has to claim victims.
Attackers have two objectives when applying evasion techniques:
- Defeat automated scanning technologies designed to quickly shut down or prevent attacks from going live.
- Increase the time, cost, and complexity required for security researchers to analyze or disrupt a campaign.
There are two types of evasion, each with numerous specific techniques. In this post, we look at the active evasion techniques that screen out non-targets by location.
Active vs Passive
There are two types of evasion: passive and active. Passive evasion limits awareness that a malicious resource exists at all, so anyone who is not the intended target never encounters it. Active evasion is any method an attacker uses to prevent people other than the intended target from seeing or interacting with a threat they do encounter: only the victim is served the malicious content, while everyone else sees nothing suspicious or concludes the report was a false positive.
Attackers use different methods to distinguish between targets and non-targets. With active evasion, the intended target is directed to the malicious content or phishing page, and non-targets are redirected to a benign location such as Google, an ad page, or even the legitimate website being impersonated. There are three techniques of active evasion: restricting by location, by device, and by interaction.
Restricting By Location
One technique of active evasion, restricting by location, classifies visitors as targets or non-targets based on where incoming traffic comes from. IP blacklisting, geoblocking by IP, and distinguishing residential from data center traffic are three ways of restricting by location.
IP Blacklisting
IP blacklisting is the most basic method of restricting by location. Attackers gather or purchase lists of IP addresses and compare each visitor against them: either blocking addresses known to belong to scanners and security vendors, or, in the stricter form, admitting only the addresses on a target list and blocking everyone else. For example, an attacker interested only in customers of a particular bank or members of a particular organization blocks every visitor whose address is not on that list.
Geoblocking by IP
Another type of restricting by location is geoblocking by IP. The most common geoblocking method is to restrict access by country. For example, a cybercriminal impersonating an organization local to a specific region blocks IPs from locations outside the target zone. More advanced or targeted attacks may use tighter restrictions, such as admitting only IP addresses known to belong to an organization's offices.
Residential vs Data Center Traffic
The third type of restricting by location is distinguishing between residential and data center traffic. When attacking residential targets, cybercriminals block IPs coming from data centers; when attacking a business, they do the reverse. Because security scanners, sandboxes, and analysis proxies mostly run in data centers, a consumer-focused campaign that drops all data center traffic also drops most automated analysis.
With so many businesses now allowing employees to work from home, this is a problem for organizations that once assumed their users were protected behind the company firewall: an employee on a home connection looks like residential traffic, and residential users are typically easier targets.
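To make the three location checks concrete, here is an added example, not code from the original post or from any real phishing kit, that gates visitors the way such a kit does (blocklist, then country, then residential versus data center) and then shows the defender's counter-check: probing the same URL from several vantage points and flagging differing answers. The IP ranges are RFC 5737 documentation addresses, and the country and traffic-type labels, the blocklist, the lure URL, the decoy URL and the `Policy` class are all constructed for this example; a real kit would consult a GeoIP/ASN database or a purchased target list.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lookup table standing in for a GeoIP/ASN database. The prefixes
# are RFC 5737 documentation ranges; the country and traffic-type labels are
# invented for this example.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("US", "residential"),
    ipaddress.ip_network("198.51.100.0/24"): ("US", "datacenter"),
    ipaddress.ip_network("192.0.2.0/24"): ("DE", "residential"),
}

# Constructed blocklist: a range the operator believes belongs to security
# scanners. It is checked before any geo or traffic-type rule.
BLOCKLIST = [ipaddress.ip_network("198.51.100.64/26")]

PHISHING_PAGE = "https://login.example-bank.invalid/"  # hypothetical lure URL
DECOY_PAGE = "https://www.google.com/"                 # benign redirect target


@dataclass(frozen=True)
class Policy:
    """Which visitors count as targets (hypothetical structure)."""
    allowed_countries: frozenset
    allowed_traffic: frozenset  # {"residential"} or {"datacenter"}


def lookup(ip_str):
    """Return (country, traffic_type) for an IP, or (None, None) if unknown."""
    ip = ipaddress.ip_address(ip_str)
    for net, info in GEO_TABLE.items():
        if ip in net:
            return info
    return (None, None)


def is_blocklisted(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in BLOCKLIST)


def gate(ip_str, policy):
    """Decide what a visitor from ip_str is served.

    Returns (decision, url): decision is "target" or one of the rejection
    reasons "blocklist", "geo", "traffic", "unknown". Every non-target gets
    the decoy page, so an automated scanner only ever sees benign content.
    """
    if is_blocklisted(ip_str):
        return ("blocklist", DECOY_PAGE)
    country, traffic = lookup(ip_str)
    if country is None:
        return ("unknown", DECOY_PAGE)  # fail closed: unknown origin is not a target
    if country not in policy.allowed_countries:
        return ("geo", DECOY_PAGE)
    if traffic not in policy.allowed_traffic:
        return ("traffic", DECOY_PAGE)
    return ("target", PHISHING_PAGE)


def probe_from_vantage_points(ips, policy):
    """Defender view: request the same URL from several vantage points and
    record what each is served. Different answers for one URL are the
    tell-tale sign of location-based cloaking."""
    served = {ip: gate(ip, policy)[1] for ip in ips}
    cloaking = len(set(served.values())) > 1
    return served, cloaking


if __name__ == "__main__":
    consumer_policy = Policy(frozenset({"US"}), frozenset({"residential"}))
    for visitor in ["203.0.113.10", "198.51.100.5", "198.51.100.70", "192.0.2.9", "10.0.0.1"]:
        print(visitor, gate(visitor, consumer_policy))
    # A sandbox in a US data center and a home user in the US disagree: cloaking.
    print(probe_from_vantage_points(["203.0.113.10", "198.51.100.5"], consumer_policy))
```

The practical point for defenders is in `probe_from_vantage_points`: a URL that returns a decoy from a data center sandbox but the lure from a residential connection in the target country is not a false positive, and the only reliable way to see that is to test it from the same kind of vantage point the attacker expects the victim to use.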
Understanding the different tactics attackers deploy is the first step. Knowing how to spot evasion techniques will reduce the chances of becoming a victim. To learn more about evasion techniques, watch our webinar: What Threat Actors Don’t Want You to Know: Active Evasion Techniques.