Phishing JavaScript Obfuscation Techniques Soar
In our previous blogs, we first explained JavaScript obfuscation techniques and gave a detailed overview of how JavaScript is being used to obfuscate page content to make phishing attacks and other web scams as evasive as possible. We then took a deep dive into double JavaScript obfuscation techniques, presenting a tale of an obfuscated scam seen in the wild and showing how the same phishing campaign uses numerous obfuscation techniques in an attempt to remain hidden.
Today, using Akamai's visibility into phishing attacks - including an analysis of more than 10,000 URLs using JavaScript obfuscation techniques over 10 months - we'll follow the observed trends of websites using JavaScript obfuscation techniques in the wild in order to evade detection and fly under the radar.
According to our research, the usage of obfuscation techniques in phishing websites continued to increase over the 10-month period between November 2019 and August 2020, representing an increase of more than 70% over that time frame, as seen in Figure 1.
The research focused on five obfuscation techniques that were explained in our previous blog. There was a significant increase in four of the monitored techniques between November 2019 and August 2020. The techniques that increased the most during the recorded period are content escaping obfuscation techniques (72%), Base64 encoding (800%), hex encoding variable name obfuscation (86%), and eval execution obfuscation (400%).
A notable increase can be seen starting in May of 2020. This can be explained as a byproduct of the COVID-19 pandemic, as fear and uncertainty surrounding COVID-19 were abused and leveraged by threat actors in an effort to increase victim engagement during phishing campaigns.
Looking into the brands being abused (Figure 2), we can see that 355 brands were equally distributed and abused across the three most impacted industries - high tech, financial and social media. Considering the brands and distribution, as well as the techniques and phishing tool variants, we were able to determine that the usage of JavaScript obfuscation is part of a widely adopted phenomenon of obfuscating web-based scams.
We anticipate the use of JavaScript obfuscation techniques will continue to be adopted, as those techniques give the upper hand to threat actors and enable phishing and scamming websites to become evasive and undetected, thereby increasing these scams' efficiency.
Moreover, we believe that, as the human factor is still considered the weakest link in the chain, educating and creating awareness of such scams and evasion techniques should guide us as we move forward. In addition, we believe that security controls need to be able to detect and eliminate such evasive techniques.
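As an added example (not from the original post and not Akamai's detection logic), the following Node.js script flags static indicators of the four techniques named above: content escaping, Base64 encoding, hex-encoded variable names and eval execution. The regular expressions, thresholds, function names and sample scripts are assumptions constructed for illustration.

```javascript
// Added example: static indicators for the four techniques named in the post.
// Patterns and thresholds are assumptions chosen for illustration.
const INDICATORS = {
  // unescape()/decodeURIComponent() fed a string dense in %XX escapes
  contentEscaping: (src) =>
    /\b(?:unescape|decodeURIComponent)\s*\(/.test(src) &&
    (src.match(/%[0-9a-fA-F]{2}/g) || []).length >= 8,
  // atob() together with a long Base64-alphabet string literal
  base64Encoding: (src) =>
    /\batob\s*\(/.test(src) &&
    /["'`][A-Za-z0-9+\/]{24,}={0,2}["'`]/.test(src),
  // at least three distinct identifiers of the form _0x3f2a
  hexVariableNames: (src) =>
    new Set(src.match(/\b_0x[0-9a-fA-F]{3,}\b/g) || []).size >= 3,
  // direct eval() call; \b keeps names such as retrieval() from matching
  evalExecution: (src) => /\beval\s*\(/.test(src),
};

// Returns the names of all indicators present in one script body.
function scanScript(src) {
  return Object.keys(INDICATORS).filter((name) => INDICATORS[name](src));
}

// Constructed, harmless sample scripts (not taken from any real campaign).
const b64 = Buffer.from("<h1>constructed demo page</h1>").toString("base64");
const SAMPLES = {
  escaped: 'document.write(unescape("%3Ch1%3ESign%20in%3C%2Fh1%3E%3Cp%3EDemo%3C%2Fp%3E"));',
  base64: `document.body.innerHTML = atob("${b64}");`,
  hexNames: 'var _0x3f2a=["x"];function _0x1b9c(_0x4d7e){return _0x3f2a[_0x4d7e];}',
  layered: `eval(atob("${b64}"));`,
  benign: 'function retrieval(q){return fetch("/search?q=a%20b&n="+q);}',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(9), "->", scanScript(src).join(", ") || "none");
}
```

Legitimate minified or packed scripts also use `eval` and `atob`, so hits from checks like these are a triage signal to combine with other evidence, not a verdict on their own.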