Phishing Websites Are Using JavaScript To Evade Detection, Research Found

Phishing website

Scammers do whatever they can to extract sensitive data from targets and unsuspecting victims. But cybersecurity companies are also getting smarter.

As data thieves, the malicious actors know that winning won't be easy if they face cybersecurity companies and their technologies head on. This is why scammers are playing it safe by simply avoiding confrontation. And this time, they are using JavaScript to make that happen.

Scammers usually extract data through phishing sites, websites specifically designed around a fake login page. To scam people, the scammers spread and share links to those phishing sites through emails and other media.

After all is done, the scammers will wait in the darkness of the web, waiting for unsuspecting visitors to come.

And when someone falls for the trick, the phishing site gathers anything that is typed into its fields. This data is then sent to the malicious authors.

Cybersecurity companies are always on the move, searching for phishing sites. Usually, these companies use virtual machines or headless devices to determine whether a site is used for phishing.

But scammers have been found using JavaScript to evade these detections.

Phishing sites can bypass detection using JavaScript that is placed inside the head of the web page, so that it runs before the body of the page is loaded.

The method was first discovered by MalwareHunterTeam, whose team found a malicious JavaScript script that checks the visitor's screen width and height and uses the WebGL API to query the rendering engine used by the browser.

When performing the checks, the JavaScript attempts to see whether the visitor who is about to view the page uses a software renderer, such as SwiftShader, LLVMpipe, or VirtualBox. Software renderers commonly indicate that the browser is running inside a virtual machine.

The script also checks whether the visitor's screen has a color depth of less than 24 bits, or whether the screen height and width are less than 100 pixels.

If the JavaScript detects that the browser is running in a virtual machine or without an attached monitor, it concludes that the visitor who is about to view the page is trying to analyze it.

The JavaScript then stops the web page from rendering its body, showing a blank page instead.

This way, cybersecurity companies' detection attempts cannot tell whether the page is a phishing page or not, simply because the page never loads.

The opposite happens when normal visitors visit the web page.

When regular web users with an ordinary hardware rendering engine view the web page on a standard screen size, the JavaScript does not stop the site's body from loading, and the phishing landing page is displayed.
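A defender-side triage check, added here as an example (not code from the article, from MalwareHunterTeam, or from BleepingComputer): it scans the scripts in a captured page's head for the combination of checks described above and returns a verdict for analyst review. The indicator names and the sample page are constructed for this example; only the WebGL extension and parameter names are real API identifiers.

```javascript
// Added example, not from the article: static triage of a captured phishing page.
// It flags head-placed scripts that combine the fingerprinting primitives the
// article describes (WebGL renderer query, software-renderer names, tiny screen,
// low colour depth) with a body-suppression call. Signature names are hypothetical;
// the WebGL extension/parameter names are real API identifiers.
const INDICATORS = [
  { name: 'webgl_renderer_query', re: /WEBGL_debug_renderer_info|UNMASKED_RENDERER_WEBGL/ },
  { name: 'software_renderer_string', re: /SwiftShader|llvmpipe|VirtualBox/i },
  { name: 'screen_dimension_check', re: /screen\.(?:avail)?(?:width|height)\s*[<>]=?\s*\d+/i },
  { name: 'color_depth_check', re: /screen\.colorDepth\s*[<>]=?\s*\d+/ },
  { name: 'body_suppression', re: /document\.write\s*\(\s*(?:''|"")\s*\)|window\.stop\s*\(|body\.innerHTML\s*=\s*(?:''|"")/ },
];

// Collect inline scripts that appear before <body>, the placement the article describes.
function headScripts(html) {
  const bodyAt = html.search(/<body\b/i);
  const head = bodyAt === -1 ? html : html.slice(0, bodyAt);
  const found = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(head)) !== null) found.push(m[1]);
  return found;
}

// Return matched indicator names and a heuristic verdict for analyst review.
function triagePage(html) {
  const code = headScripts(html).join('\n');
  const hits = INDICATORS.filter((i) => i.re.test(code)).map((i) => i.name);
  // An environment gate (renderer string, screen size or depth) next to a renderer
  // query is the signature; either alone only warrants a closer look.
  const gates = hits.filter((h) => h.endsWith('_check') || h === 'software_renderer_string');
  let verdict = 'clean';
  if (hits.includes('webgl_renderer_query') && gates.length > 0) verdict = 'likely-sandbox-evasion';
  else if (hits.length > 0) verdict = 'review';
  return { hits, verdict };
}

// Constructed sample page mirroring the checks listed in the article (not a real capture).
const SAMPLE_HTML = `<html><head><script>
var gl = document.createElement('canvas').getContext('webgl');
var ext = gl.getExtension('WEBGL_debug_renderer_info');
var renderer = gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
if (/SwiftShader|llvmpipe|VirtualBox/i.test(renderer) || screen.colorDepth < 24 ||
    screen.width < 100 || screen.height < 100) { document.write(''); }
</script></head><body><form>fake login form</form></body></html>`;

console.log(JSON.stringify(triagePage(SAMPLE_HTML)));
```

Scripts placed in the body are deliberately ignored, so a "review" or "clean" verdict still calls for the usual dynamic analysis; the check is a cheap first pass over a blank-looking capture, not a replacement for it.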

According to the researcher, as reported by BleepingComputer, the code inside the JavaScript appears to have been taken from a 2019 article describing how JavaScript can be used to detect virtual machines.

The method was meant for "defenders and offensive security professions."

But it seems that the methods used by researchers and security companies to harden their machines against detection by malware are also being used by scammers to harden their malicious deeds.

Published: 19/03/2021