SlashNext has found anti-bot services helping cybercriminals bypass Google’s Red Page warnings for phishing. It has named Otus Anti-Bot, Remove Red, and Limitless Anti-Bot as some of the services currently available.
The company describes this as the “latest evolution in the ongoing cat-and-mouse game between cybercriminals and security measures.” It warns that cybersecurity teams will no longer be able to rely on Google’s Red Pages as a first line of defence. Because phishing pages that evade Safe Browsing stay live and unflagged for longer, more users will be exposed to the credential theft and malware served from those sites.
What is the Google Red Page?
Google Red Pages are part of Google’s Safe Browsing project. It has been running for almost two decades and aims to warn users of Chrome, and of other browsers that consume the Safe Browsing lists, when the website they are about to visit is unsafe. The browser checks the page the user is trying to reach against Google’s lists of known phishing and malware sites. If the site is on a list, the user gets a full-page red warning that lets them return to where they were and report the site to Google.
According to SlashNext, Google’s success in detecting malicious sites significantly reduces the effectiveness of a phishing campaign, because most victims never reach the page once it is flagged. This represents a significant challenge for cybercriminals, especially for those using Phishing as a Service (PaaS) and other Malware as a Service (MaaS) platforms. Customers of those platforms expect the operators to supply a way around Google’s detection.
A successful detection also means that the cybercriminals have to stand up new websites from which to deploy their phishing pages or malware. That creates another problem for them. Security tools increasingly weigh the age of a domain and give newly registered ones a lower reputation score, so a fresh site is more likely to be blocked or warned on. As a result, cybercriminals often rely on a vast library of older, compromised legitimate sites that they can abuse.
Google also warns site owners when it detects signs of malware or malicious activity on their site. That allows the owner to clean up whatever the cybercriminal installed and take the site back before it is used against visitors.
Anti-Bots and how they work
Cybercriminals have reacted by building anti-bot services. These are commercial offerings that make it harder for services such as Google’s Safe Browsing to detect and blacklist phishing pages. They identify security crawlers and serve them harmless content while real victims see the phishing page. They also provide a range of other capabilities.
Some of those capabilities highlighted by SlashNext are:
Bot Detection and IP Filtering: These examine the request’s User-Agent string and source IP address. With lists of the user agents and IP ranges used by common security crawlers freely available on the Internet, blocking a crawler that announces itself is a simple task. The practical consequence for defenders is that a scanner fetching from a well-known range with a stock user agent will almost never see the real page.
Cloaking Techniques: The service fingerprints the visiting device (browser and headless-browser indicators, screen and timezone data, and similar signals) in much the same way that commercial bot-management products do to keep abusive traffic off their customers’ websites. The score the device achieves determines whether it is shown the phishing page or a benign decoy.
Geolocation-Based Targeting: This allows campaigns to be region-specific. Any traffic from outside the target region is blocked or shown the decoy. SlashNext says that some anti-bot solutions drill down to the city level to reduce the visibility of the phishing site to security solutions that scan from elsewhere.
CAPTCHA and Challenges: A CAPTCHA or challenge page filters out automated scanners, which cannot solve it, while a human visitor can. A deliberate delay before the real page loads, short enough for a person to tolerate but longer than a scanner’s timeout, makes automated crawlers give up before they see anything.
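To make the four filters above concrete, here is an added example (not code from SlashNext, from any of the services named, or from the original article). It simulates a cloaked site that applies user-agent, IP-range, geolocation and challenge checks in turn, and then runs the check a defender would want: fetch the same page under several personas and flag the site when the responses diverge. All user agents, IP addresses (RFC 5737 test ranges), the geolocation table and the page bodies are constructed for the example and stand in for a real crawler list, a GeoIP lookup and real HTTP fetches.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data standing in for the "lists of common cybersecurity
# crawlers" the article mentions. Hypothetical values, not a real blocklist.
CRAWLER_UA_MARKERS = ("examplesecuritycrawler", "python-requests", "curl/", "headlesschrome")
CRAWLER_IP_RANGES = [ipaddress.ip_network("192.0.2.0/24")]       # RFC 5737 test range
TARGET_COUNTRIES = {"GB"}                                        # this campaign targets the UK only
GEO_TABLE = {"203.0.113.7": "GB", "198.51.100.9": "DE", "192.0.2.10": "US"}  # stand-in for GeoIP
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"


@dataclass(frozen=True)
class Visit:
    ip: str
    user_agent: str
    solved_challenge: bool = False   # did the visitor get past the CAPTCHA/delay page?


def gate_verdict(v: Visit) -> str:
    """Apply the four filters in the order an anti-bot gate would: UA, IP, geo, challenge."""
    ua = v.user_agent.lower()
    if any(marker in ua for marker in CRAWLER_UA_MARKERS):
        return "blocked:user-agent"
    addr = ipaddress.ip_address(v.ip)
    if any(addr in net for net in CRAWLER_IP_RANGES):
        return "blocked:ip"
    if GEO_TABLE.get(v.ip) not in TARGET_COUNTRIES:
        return "blocked:geo"
    if not v.solved_challenge:
        return "challenge"
    return "pass"


def serve(v: Visit) -> tuple[str, str]:
    """What the cloaked site returns: a label plus a constructed page body."""
    verdict = gate_verdict(v)
    if verdict == "pass":
        return "phish", "<form action='/login'>Sign in to continue</form>"
    if verdict == "challenge":
        return "challenge", "<p>Checking your browser, please wait...</p>"
    return "decoy", "<h1>Welcome to our bakery</h1>"   # what crawlers and off-target visitors see


# Defender side: the same URL requested under different identities (all constructed).
PERSONAS = {
    "security_crawler": Visit("192.0.2.10", "ExampleSecurityCrawler/1.0 (+https://example.invalid/bot)"),
    "datacenter_browser": Visit("192.0.2.10", BROWSER_UA),        # real browser UA, scanner IP range
    "residential_de": Visit("198.51.100.9", BROWSER_UA),          # real-looking visitor, wrong country
    "residential_gb": Visit("203.0.113.7", BROWSER_UA),           # on-target, has not passed challenge
    "residential_gb_solved": Visit("203.0.113.7", BROWSER_UA, solved_challenge=True),
}


def cloaking_report(fetch, personas):
    """Fetch under every persona; return per-persona labels and whether they diverge.

    Divergent responses to otherwise identical requests are the signature of cloaking."""
    labels = {name: fetch(visit)[0] for name, visit in personas.items()}
    return labels, len(set(labels.values())) > 1


if __name__ == "__main__":
    labels, cloaked = cloaking_report(serve, PERSONAS)
    for name, label in labels.items():
        print(f"{name:22} -> {label}")
    print("cloaking suspected:", cloaked)
```

Against a live site, `fetch` would be a real HTTP client run from several egress points (a datacenter range, a residential proxy in the target country) with a real browser fingerprint, and the comparison would be on normalised page bodies or their hashes rather than on labels the server hands you. Note the asymmetry the example makes visible: only the persona that is on-target and has already passed the challenge ever sees the phishing form, so a scanner that stops at the challenge page, or that runs from the wrong country, will report the site as clean.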
Anti-Bot Services
SlashNext also listed three anti-bot services and what they claim to offer.
Otus Anti-Bot
Otus Anti-Bot claims to offer behavioural analysis, challenge-response mechanisms, bot signature detection, and integration with threat intelligence feeds. According to its marketing it is simple to deploy and is up and running in a couple of minutes, and it allows the customer to apply settings once and replicate them across all pages.
IP- and country-based whitelisting lets a campaign control who can reach its pages and provides a way for the operator to test a campaign without exposing it.
Remove Red
Remove Red takes a different approach. Rather than hiding the page from crawlers, it works to get existing red page warnings removed and offers a temporary whitelist feature, which it claims keeps the domain from reappearing on Google’s red page for a few days after the initial removal.
It also monitors domains and uses Telegram or Discord to notify customers if their phishing sites are flagged again. The aim is to let customers run campaigns for longer before they are detected and blocked.
Limitless Anti-Bot
Limitless Anti-Bot offers two levels of protection, standard and advanced, and claims that either will lengthen the lifespan of a phishing site. Both work by adding a snippet of code to the phishing page that detects and blocks security crawlers; the vendor says this draws on a range of techniques, including AI, to distinguish real users from bots.
Enterprise Times: What does this mean?
The battle between security companies and cybercriminals is like a game of chess. Both sides are constantly looking for an edge over the other, and as one gains an advantage, the other moves to counter it. This exposure of anti-bot services is a perfect example of how cybercriminals find ways around security solutions.
Interestingly, there is something here that could also be adopted by commercial organisations. The current challenge for many sites is preventing scraping by commercial or AI companies. Adopting bot detection and IP filtering of the same kind would help data compliance teams protect information.
However, there would also have to be a way for security solutions not to read that approach as a sign that the site itself is suspicious, since serving different content to crawlers than to users is exactly the behaviour described above. A legitimate site would need to block scrapers outright rather than show them a different page. It is a perfect example of how security technology can be dual-use for good and bad.