Recent studies show that over 90% of all cyberattacks begin with phishing. And with an estimated 3.4 billion phishing e-mails sent worldwide every day, phishing remains a lucrative business for cybercriminals.
There are also security systems that continuously scan the internet for phishing websites. By analyzing URLs and page content they detect such sites, and browser and endpoint protections such as Microsoft Defender SmartScreen warn users who try to visit them.
To keep the phishing sites they build from being found and flagged by these systems, criminals use cloaking.
How Cloaking Works
Security technologies are constantly evolving, but attackers always manage to keep pace and, in some cases, stay one step ahead. One of the latest developments in phishing is the use of cloaking or concealment strategies. The aim here is to ensure that only the actual victims see a manipulated website.
Depending on the visitor, a phishing website built by the attackers automatically and dynamically adapts its behavior or content. This hides the malicious content from researchers and security scanners, while the manipulated version of the page is shown only to the intended victims. That page is often a 1:1 copy of the original site, designed to trick victims into revealing confidential data such as passwords, e-mail addresses, usernames, bank details, or address information.
Attackers use various techniques to achieve their goal. They filter traffic based on factors such as IP address (geolocation), browser fingerprint, user agent filters, or other mechanisms.
IP-based redirection
With IP-based redirection, the IP address of the visitor is analyzed, and on that basis the site decides whether the visitor is likely a security tool or researcher, or a potential victim.
To do this, criminals use special “blacklists.” These extensive lists contain cybersecurity companies or automated scanners (bots) with the corresponding IP ranges. If access from one of these sources is detected, the visitor is redirected directly to a harmless standard page or to an error page such as “404 (page) not found.” This is to prevent the phishing site from being detected by analysis.
In addition to blacklists, criminals also use targeted “whitelisting” to display malicious content only to users who belong to certain organizations or whose IP addresses correspond to predefined geographical areas.
One real-world example of IP-based redirection, observed at the end of 2024, was the domain amelinotresante.info, which posed as ameli.fr, the official portal of the French health insurance system, in order to collect data. Visitors whose IP address was located outside France saw a “404 Not Found” error page, while visitors whose IP address pointed to France were shown the phishing page prepared by the attackers.
Browser fingerprinting and user agent filter
User agent filters can be used to tailor content to a specific device or browser: users of widely used browsers such as Chrome, Safari, or Edge see the manipulated pages, while access via headless browsers, which operate without a graphical user interface and are frequently used for automated phishing detection, is blocked or diverted to harmless content.
Attackers also use user agent filters so that their phishing pages are not found by security crawlers that rely on easily identifiable or outdated user agent strings. Since the user agent is simply a header supplied by the client, this filter is also cheap to defeat: a defender’s crawler only needs to present a current, mainstream user agent string.
This technique is often used in parcel delivery fraud delivered by phishing SMS messages (smishing). By analyzing the user agent, the site can identify which device is being used and target only smartphone users, luring them to the fake pages. Users of other devices, such as laptops, are redirected to harmless content or error pages.
CAPTCHA mechanisms
Another way to distinguish between human visitors and automated scanners is to incorporate CAPTCHA tests.
These preliminary tests can detect automated systems, as they are often unable to solve CAPTCHAs. The actual content therefore remains hidden from these systems, preventing the fake page from being discovered.
CAPTCHA tests also serve to verify human interaction, since solving a CAPTCHA can be taken as an indication of a real user. The site can therefore show the malicious content to whoever solves the test, while an automated scanner only ever sees the harmless challenge page.
Since CAPTCHAs are now relatively widespread and can be found on many legitimate websites, they are familiar to many internet users and do not arouse much suspicion. This increases the credibility and thus the probability of success of a phishing website that also relies on CAPTCHAs.
The most common CAPTCHA services are also easy to integrate, making them inexpensive and easy to implement for attackers. As a result, the number of disguised phishing websites using CAPTCHAs increased nearly tenfold between January and June 2023.
JavaScript-based mechanisms
Before some phishing sites display malicious content, they analyze the visitor’s browser environment with JavaScript-based checks of the device type, screen resolution, and user interaction. If, for example, no user activity is detected because there are no mouse movements or clicks, the page assumes it is dealing with a bot (an automated security scanner). In that case the phishing page stays empty or shows harmless content so as not to be detected.
These checks can also read the browser’s time zone and language settings, which lets the attackers tailor the content and shut out visitors from regions the campaign does not target.
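Because these checks run in the victim’s browser, the landing HTML a scanner receives often contains the gate itself but not the credential form, which is only rendered after the checks pass. The following added example, which is not code from the article, scans a page’s inline scripts for the environment checks named above (webdriver flag, screen size, interaction listeners, time zone, language) and, as the stronger signal, looks for a password field that exists only inside script text and not in the served markup. The indicator list and the sample page are constructed; legitimate sites also read screen size and language for responsive layouts, so the indicator count is a triage score rather than a verdict.

```python
"""Heuristic scan for JavaScript environment gating in a phishing landing page.

Added example, not code from the article. The indicator patterns and the
sample page are constructed; a real pipeline would run this on the HTML
returned to a headless fetch and on every external script it pulls in.
"""
import re

# (label, regex over the page's inline script text)
INDICATORS = [
    ("webdriver_check",  r"navigator\.webdriver"),
    ("screen_check",     r"screen\.(width|height|availWidth|availHeight)"),
    ("interaction_gate", r"addEventListener\(\s*['\"](mousemove|mousedown|touchstart|scroll)['\"]"),
    ("timezone_check",   r"resolvedOptions\(\)\.timeZone|getTimezoneOffset\("),
    ("language_check",   r"navigator\.languages?\b"),
    ("plugins_check",    r"navigator\.plugins\.length"),
    # Markup containing a password field that is written into the DOM from a
    # string rather than served statically.
    ("deferred_markup",  r"(innerHTML|document\.write|insertAdjacentHTML)\s*[=(][^;]*type=\W*password"),
]

PASSWORD_INPUT = re.compile(r"<input[^>]+type=[\"']?password", re.I)


def scripts_of(html):
    """Concatenate the bodies of all inline <script> blocks."""
    return "\n".join(re.findall(r"<script[^>]*>(.*?)</script>", html, flags=re.S | re.I))


def scan_page(html):
    js = scripts_of(html)
    hits = [label for label, pat in INDICATORS if re.search(pat, js, re.I)]
    # Is there a credential form in the markup itself (scripts removed)?
    markup_only = re.sub(r"<script.*?</script>", "", html, flags=re.S | re.I)
    static_form = bool(PASSWORD_INPUT.search(markup_only))
    # Strongest signal: the form is not served statically, and the script
    # either holds it or waits for user interaction before revealing content.
    gated = ("deferred_markup" in hits or "interaction_gate" in hits) and not static_form
    return {
        "indicators": hits,
        "static_credential_form": static_form,
        "gated_payload": gated,
        "score": len(hits),
    }


# Constructed sample: what a scanner would receive from a gated landing page.
SAMPLE_PAGE = """<html><body><div id="app">Loading...</div>
<script>
var moved = 0;
window.addEventListener('mousemove', function () { moved++; });
setTimeout(function () {
  if (navigator.webdriver || screen.width < 320 || moved === 0) { return; }
  if (Intl.DateTimeFormat().resolvedOptions().timeZone !== 'Europe/Paris') { return; }
  document.getElementById('app').innerHTML = '<form><input type="password" name="p"></form>';
}, 3000);
</script></body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
```

On the sample, the markup served to the scanner contains no form at all, while the script only injects one after a mouse movement, a non-webdriver browser, a plausible screen and a Paris time zone have been observed; the scan reports that combination as a gated payload with five indicators.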
How Can Cloaking-Based Phishing Attacks be Prevented?
As mentioned in the previous sections, cybercriminals use a whole range of techniques to avoid detection. Conventional detection methods reach their limits when it comes to disguised phishing attacks. Companies should therefore rely on multi-layered and adaptive security strategies, as attackers use cloaking to specifically circumvent classic protection mechanisms.
To ward off disguised phishing attacks, it helps to combine AI-supported analysis with advanced threat intelligence: collecting and analyzing data on current campaigns, relating individual indicators to the bigger picture, and turning the findings into concrete blocking and detection rules.
Modern security platforms that rely on behavior-based detection and machine learning can monitor domains and content over a longer period of time. This allows them to identify deviations or inconsistent patterns that point to malicious websites. They can also detect the unusual redirects and dynamic content changes that are typical of cloaked phishing sites, for example by fetching the same URL from several vantage points and with several browser profiles and comparing the responses. In addition, suspicious or newly registered domains are often associated with phishing websites, so companies should implement DNS filtering as an additional measure to proactively block them.
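The differential check just mentioned can be scripted with the standard library alone. The following added example, not code from the article or any vendor platform, fetches a URL under several constructed browser profiles (desktop Chrome, iPhone Safari, headless Chrome, Googlebot, curl) and reports whether the status codes, the normalized page content, or the presence of a credential form differ between profiles. The fetcher is injectable so the logic can be exercised offline against a simulated cloaked site; the profile names and user agent strings are assumptions. Status divergence and a password form that only some profiles receive are the reliable signals; content hashes alone also differ on legitimate sites that serve a separate mobile layout.

```python
"""Differential probing for cloaked phishing pages.

Added example, not code from the article. fetch_page() uses only the
standard library; probe_url() accepts an injectable fetcher so the logic
can run offline against a simulated site. Profile names and user agent
strings are assumptions.
"""
import hashlib
import re
import urllib.error
import urllib.request

# Vantage profiles: an uncloaked site should answer all of them consistently.
PROFILES = {
    "desktop_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36",
    "iphone_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1",
    "headless_chrome": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0 Safari/537.36",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "curl": "curl/8.5.0",
}


def fetch_page(url, user_agent, timeout=10):
    """Return (status, final_url, body) after following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:       # 404 decoys land here
        return e.code, e.geturl(), e.read().decode("utf-8", "replace")


def fingerprint(body):
    """Hash the page with volatile parts (scripts, whitespace, nonces) stripped."""
    text = re.sub(r"<script[^>]*>.*?</script>", "", body, flags=re.S | re.I)
    text = re.sub(r"\s+", " ", text)
    text = re.sub(r"\b[0-9a-f]{16,}\b", "", text)   # session ids, CSRF nonces
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def has_credential_form(body):
    return bool(re.search(r"<input[^>]+type=[\"']?password", body, re.I))


def probe_url(url, fetcher=fetch_page):
    """Fetch url under every profile and report whether the responses diverge."""
    results = {}
    for name, ua in PROFILES.items():
        status, final_url, body = fetcher(url, ua)
        results[name] = {
            "status": status,
            "final_url": final_url,
            "fingerprint": fingerprint(body),
            "credential_form": has_credential_form(body),
        }
    statuses = {r["status"] for r in results.values()}
    prints = {r["fingerprint"] for r in results.values()}
    forms = {n for n, r in results.items() if r["credential_form"]}
    verdict = {
        "status_diverges": len(statuses) > 1,
        "content_diverges": len(prints) > 1,
        # Profiles that got a password form when others did not.
        "form_only_for": sorted(forms) if forms and len(forms) < len(results) else [],
    }
    verdict["cloaking_suspected"] = verdict["status_diverges"] or bool(verdict["form_only_for"])
    return verdict, results


if __name__ == "__main__":
    import json
    import sys
    verdict, results = probe_url(sys.argv[1])
    print(json.dumps({"verdict": verdict, "results": results}, indent=2))
```

In practice the same run is repeated from a residential or mobile egress and from the vendor’s own range, since IP-based cloaking will not show up when every profile leaves from the same blacklisted network.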
In addition to technical protective measures, employee awareness and training should play a central role. Ultimately, it is people who disclose their data on a phishing site or let attackers into the system by clicking a suspicious link. And since no one is infallible, consistently rolling out multi-factor authentication (MFA) is another important step toward a robust defense, preferably phishing-resistant MFA such as FIDO2/WebAuthn passkeys, since one-time codes and push prompts can be relayed by adversary-in-the-middle phishing kits. This significantly reduces the damage if an employee does fall for a phishing attack.
Another Variant: Cloaking as an SEO Technique
Cloaking is a technique that has been used in search engine optimization (SEO) for a long time (long before cloaking was used in phishing). The aim is to improve the ranking of websites in search results. With this manipulative technique, search engine crawlers (such as Googlebot, Bingbot, etc.) and users are shown different content under the same URL. During indexing, the crawler sees high-quality text, while the user sees something completely different.
This technique poses a high risk for users, as it creates misleading and deceptive experiences. It also violates the quality guidelines of the search engine operators, and if the search engine detects cloaking, the affected website can be demoted or removed from the search index.
Summary: Cloaking & Phishing
Cloaking in phishing is a sophisticated method used by cybercriminals to obtain confidential and personal data as inconspicuously as possible. Attackers use various techniques to hide their phishing websites from security tools and researchers – and only display them to people who have been selected as potential victims.
Companies should counter this type of attack with a combination of technical protective measures, such as security platforms or DNS filters. It is equally important to invest in targeted training programs to raise employee awareness of such threats.
As with many other cyberattacks, an effective security strategy relies on a combination of technology and human vigilance. This holistic approach makes it far more likely that even cleverly disguised phishing attacks are detected early and blocked before they can cause damage.
