JavaScript Obfuscation on Phishing Pages Continues to Rise by 70%

javascript phishing pagesThe use of JavaScript to obfuscate phishing pages increased by 70% in the ten months between November 2019 and August 2020, according to researchers at Akamai. Attackers use this technique to make it harder for security technology to detect their phishing sites. The vast majority of this activity involves content escaping (or URL encoding), but other less common techniques have skyrocketed.

“The research focused on five obfuscation techniques that were explained in our previous blog,” Akamai says. “There was a significant increase in four of the monitored techniques between November 2019, and August 2020. The techniques that increased the most during the recorded period are content escaping obfuscation techniques (72%), Base64 encoding (800%), hex encoding variable name obfuscation (86%), and eval execution obfuscation (400%).”

The researchers note that this activity began rising dramatically around the beginning of May 2020, which Akamai believes was due to an increase in phishing activity due to the pandemic.

Most of the impersonated brands were in three sectors: high technology (29.2%), financial (21.4%), and social media (20.6%). Phishing scams impersonating media, e-commerce, and dating companies were also common.

Akamai believes these techniques will grow more common as attackers try to stay ahead of the security industry.

“We anticipate the use of JavaScript obfuscation techniques will continue to be adopted, as those techniques give the upper hand to threat actors and enable phishing and scamming websites to become evasive and undetected, thereby increasing these scams' efficiency,” the researchers write. “Moreover, we believe that, as the human factor is still considered the weakest link in the chain, educating and creating awareness of such scams and evasion techniques should guide us as we move forward. In addition, we believe that security controls need to be able to detect and eliminate such evasive techniques.”

New-school security awareness training can enable your employees to thwart the phishing attacks that don’t get blocked by technical solutions.

Akamai has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Topics: Phishing

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews