Phishing attackers have been detected using JavaScript to check whether a victim is visiting the site from a virtual, or headless, machine in order to evade detection.
Headless devices are computers that are configured to work without a display or input devices. Cybersecurity teams use headless devices or virtual machines when they want to check if a website is used for phishing.
MalwareHunterTeam who first discovered this method, explains that to bypass detection, the malware uses JavaScript to check whether a browser is running under a virtual machine or without an attached monitor which may mean security researchers are conducting an analysis. If a headless device is detected, the malware displays a blank page instead of a phishing page.
The script checks the victim’s screen’s width and height and uses the WebGL API to query the rendering engine used by the browser, researchers explain.
When performing the checks, the script first tries to determine if the site uses a software renderer, such as SwiftShader, LLVMpipe, or VirtualBox. Finding sich tool can be an indication that the browser is running on a virtual machine. Then it checks if the screen has a color depth of less than 24-bits or height and width are less than 100 pixels, which could indicate the same.
The phishing page will show an empty page to the visitor if any of those conditions are met. Otherwise, the script will display the phishing landing page.
Researchers say attackers reuse the code presented in an article in 2019 which describes how JavaScript is used for detecting virtual machines.
Researchers and security companies in the malware field take special measures to avoid their virtual machines being detected by malware. It seems now phishing researchers will have to adopt similar tactics to be effective against phishing attacks.
