Headless devices are computers that are configured to work without a display or input devices. Cybersecurity teams use headless devices or virtual machines when they want to check if a website is used for phishing.
The script checks the victim’s screen’s width and height and uses the WebGL API to query the rendering engine used by the browser, researchers explain.
When performing the checks, the script first tries to determine if the site uses a software renderer, such as SwiftShader, LLVMpipe, or VirtualBox. Finding sich tool can be an indication that the browser is running on a virtual machine. Then it checks if the screen has a color depth of less than 24-bits or height and width are less than 100 pixels, which could indicate the same.
The phishing page will show an empty page to the visitor if any of those conditions are met. Otherwise, the script will display the phishing landing page.
Researchers and security companies in the malware field take special measures to avoid their virtual machines being detected by malware. It seems now phishing researchers will have to adopt similar tactics to be effective against phishing attacks.