Beyond the Scanner: How Phishers Outsmart Traditional Detection Mechanisms

Phishing attacks are no longer just about fake emails and shady links—they’re evolving into stealth operations that outsmart even the most advanced detection tools. In this blog, CloudSEK’s Threat Research Team reveals how modern phishers use geo-fencing, user-agent filtering, and other evasive tactics to stay hidden from traditional scanners. Backed by real-world examples and expert insights, we also show how CloudSEK’s XVigil platform, powered by its Fake Domain Finder (FDF) module, is uncovering what others miss. Read on to learn how today’s phishing campaigns are engineered to deceive—and how to fight back.

Anshuman Das
March 26, 2025
Last updated: March 26, 2025

Executive Summary

CloudSEK’s Threat Research Team, with the help of the FDF module in XVigil, continuously monitors emerging threats that impersonate various brands and employ sophisticated techniques to evade detection by conventional URL scanning engines. Given the evolving tactics of cybercriminals, understanding their methods is crucial. Our Threat Research Team dedicates significant time to analyzing the patterns and strategies used by these threat actors.

In this blog, we will explore how phishers bypass conventional URL scanning techniques and remain active for extended periods before being detected and taken down.

Core Phishing Evasion Techniques

Geo-Fenced and IP-Based Filtering

Geo-fencing and IP-based filtering exist for legitimate reasons: regional cyber laws, content licensing and censorship, or plain security hygiene. A geo-fenced site serves content only to clients whose source IP falls inside an allowlisted regional address space. Phishers use the same mechanism in reverse. When a client requests a geo-fenced phishing page, the kit first resolves the client's IP address to a country. If the IP does not fall inside the country-specific address space the campaign targets, the kit redirects the client to a harmless-looking site (most often google.com or bing.com) or to the legitimate page of the brand being impersonated.

The phishing kit shown above targets the Chase wallet page of a US bank. Its configuration file inspects several client-side parameters of each visitor. The array holds a list of country names: only visitors whose IP resolves to one of those countries receive the phishing page; everyone else is redirected to bing.com. A URL scanner that is not routed through a proxy in the right region, or that scans from an IP range outside the allowlist, never reaches the phishing content at all; it sees only the bing.com redirect.

Example of phishing kit internal code showing the country-based access control for a Chase Wallet phishing page

User-Agent Based Filtering

A User-Agent is an HTTP request header that describes the client (browser, OS, and device) making the request. Developers use this information to optimize content for specific browsers and devices, improve the user experience, and identify bots, crawlers and other automated tools.

Recently, phishers have distributed most phishing links via SMS or direct messages (DMs) on social media messengers, impersonating either individuals or popular organizations. Because those links are opened almost exclusively on phones, they filter all incoming traffic to the phishing page and serve it only to clients whose User-Agent identifies a mobile device. A scanner that fetches the URL with a desktop or default library User-Agent is turned away before it sees the page.

Referer Header Based Filtering

The Referer header is an HTTP request header that carries the URL of the page from which the user navigated to the current request. It is mainly used for analytics and tracking, CSRF protection, content personalization and ad attribution. In recent years we have observed phishers running Facebook and Instagram ads that point to phishing URLs and then checking the Referer header on the landing page to determine whether the visitor arrived from one of those platforms or opened the URL directly. A direct visit gets an empty page. Security scan engines hit the same wall: without the expected Referer header, the phishing page is never displayed and never discovered.
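The three filters above (country allowlist, mobile-only User-Agent, social-media Referer) are cheap to model, and modelling them shows both why a single-profile scanner fails and what a multi-profile probe has to do. The Python below is an added example, not code from the CloudSEK post or from the XVigil FDF module: kit_gate is a hypothetical model of the filtering chain described for the Chase kit, GEOIP is a constructed stand-in for a GeoIP database, and the profile names and the injectable fetch interface are this example's own. The probe requests the same URL under every combination of exit IP, User-Agent and Referer and treats divergent responses as evidence of cloaking.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product

# Constructed stand-in for a GeoIP database (documentation address ranges).
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "United States",
    ipaddress.ip_network("198.51.100.0/24"): "India",
    ipaddress.ip_network("192.0.2.0/24"): "Germany",
}


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP.items():
        if addr in net:
            return country
    return "Unknown"


@dataclass(frozen=True)
class Request:
    client_ip: str
    user_agent: str
    referer: str = ""


@dataclass(frozen=True)
class Response:
    status: int
    body: str
    location: str = ""


MOBILE_MARKERS = ("Android", "iPhone", "iPad", "Mobile")
AD_REFERERS = ("https://l.facebook.com/", "https://l.instagram.com/")


def kit_gate(req: Request) -> Response:
    """Hypothetical model of the checks a kit runs before serving its page.
    Each check is one technique from the post; the order is an assumption."""
    # Geo-fence: allowlisted countries only, everyone else bounced to bing.com.
    if country_of(req.client_ip) not in ("United States", "Canada"):
        return Response(302, "", location="https://www.bing.com/")
    # User-Agent: links arrive by SMS/DM, so only mobile browsers are expected.
    if not any(marker in req.user_agent for marker in MOBILE_MARKERS):
        return Response(302, "", location="https://www.bing.com/")
    # Referer: traffic is bought through social-media ads; direct hits get a blank page.
    if not req.referer.startswith(AD_REFERERS):
        return Response(200, "")
    return Response(200, '<form action="/verify.php">Sign in to Chase</form>')


def classify(resp: Response) -> str:
    """Reduce a response to a coarse label so profiles can be compared."""
    if resp.status in (301, 302):
        return "redirect->" + resp.location
    if not resp.body.strip():
        return "blank"
    if "<form" in resp.body:
        return "form"
    return "other"


# Scanner profiles: one axis per evasion technique. Values are constructed.
PROFILES = {
    "ip": {"US": "203.0.113.10", "IN": "198.51.100.10", "DE": "192.0.2.10"},
    "ua": {
        "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0",
        "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148",
    },
    "ref": {"none": "", "facebook": "https://l.facebook.com/l.php?u=https%3A%2F%2Fexample.test"},
}


def probe(fetch) -> dict:
    """Fetch once per profile combination. `fetch` is injected so the example
    runs offline against kit_gate; a real scanner would issue HTTP through a
    proxy in the chosen region with the chosen headers."""
    outcomes = {}
    for (ip_l, ip), (ua_l, ua), (ref_l, ref) in product(
        PROFILES["ip"].items(), PROFILES["ua"].items(), PROFILES["ref"].items()
    ):
        outcomes[(ip_l, ua_l, ref_l)] = classify(fetch(Request(ip, ua, ref)))
    return outcomes


def cloaking_verdict(outcomes: dict) -> dict:
    """A page that answers different profiles with different kinds of content
    is cloaked; the profiles that received a form are the ones to replay."""
    return {
        "cloaked": len(set(outcomes.values())) > 1,
        "unlocking_profiles": [k for k, v in outcomes.items() if v == "form"],
        # What a scanner running from a European datacentre with a desktop UA
        # and no Referer would have concluded on its own.
        "naive_scanner_saw": outcomes[("DE", "desktop", "none")],
    }


if __name__ == "__main__":
    print(cloaking_verdict(probe(kit_gate)))
```

Of the twelve profile combinations only one (US exit IP, mobile User-Agent, Facebook Referer) receives the credential form; the naive datacentre profile sees a bing.com redirect and would have closed the case as clean. Legitimate sites also vary responses by region and device, so the useful signal is a difference in kind (form versus redirect or blank page), not any difference at all, and the unlocking profile is what an analyst needs in order to capture evidence for a takedown.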

Parameter Based Filtering

Parameter-based filtering is a technique in which server-side logic validates incoming URL parameters (query strings, tokens, or identifiers) before serving the actual phishing content. Only requests carrying the expected parameter, typically the one embedded in the link sent to the victim, receive the phishing page; a scanner that fetches the bare domain or drops the query string gets nothing to inspect. This keeps phishing links alive for much longer, often until a victim reports them.

Examples of parameterized URLs:

https://phishingsite.com/login?session=abc123
https://phishingsite.com/?session=abc123

Recently we have observed that, in addition to abusing parameterized phishing links, scammers are exploiting a classic URI feature: the userinfo component, which lets a user reach a password-protected site by embedding credentials in the URL before the "@" symbol. This follows the format:

https://username:password@example.com

Even when a site does not require authentication, a URL in this format still loads: the browser treats everything before the "@" as credentials, connects to the host that follows it, and only offers those credentials if the server asks for HTTP authentication. Scammers leverage this behaviour by crafting phishing URLs such as:

https://realsite.com@fakesite.com

At first glance a victim may assume they are visiting realsite.com, but because of how browsers interpret the URL they actually land on fakesite.com, the phishing page. The technique exploits user trust, has proven highly deceptive, and is being used in phishing campaigns distributed via WhatsApp. Most desktop browsers hide the userinfo from the address bar or warn about it once navigation starts, so the deception does most of its work in the message preview, before the link is tapped.

For example, the phishing domain mangokl[.]com impersonates Mango, a Spanish fast-fashion retailer. An attacker could craft a deceptive link such as:

https://shop.mango.com@mangokl[.]com

An unsuspecting user, seeing the familiar "shop.mango.com" at the start of the URL, may trust the link and log in without hesitation, unaware that the browser has connected to mangokl[.]com, the phishing site.

Phishing webpage impersonating Mango
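The decoy works because a person reads the URL from the left while the browser splits the authority at the last "@" and connects to whatever follows it. A scanner has to do what the browser does: discard the userinfo, fetch the host after the "@", and keep the query string a kit may be gating on. The Python below is an added example, not code from the CloudSEK post or from the XVigil FDF module; the hostname-shaped-userinfo heuristic and the list of gating parameter names are this example's assumptions, and the inputs are the post's own illustrative URLs plus two constructed controls.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumption: userinfo that looks like a hostname is a decoy, not a credential.
HOST_SHAPED = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)
# Assumed set of query-parameter names kits commonly use to gate the page.
GATING_NAMES = {"session", "token", "id", "key", "uid", "ref", "code", "tid"}


def refang(url: str) -> str:
    """Undo common IOC defanging so the URL parses the way a browser sees it."""
    return (url.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def analyze_url(url: str) -> dict:
    parts = urlsplit(refang(url))
    actual_host = parts.hostname or ""
    # Browsers split userinfo from host at the LAST "@" in the authority; so does urlsplit.
    userinfo = ""
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
    shown_first = userinfo.split(":", 1)[0]
    # The request a browser actually sends carries no userinfo at all, so
    # rebuild the URL the scanner must fetch: scheme, real host, port, path, query.
    netloc = f"[{actual_host}]" if ":" in actual_host else actual_host
    if parts.port:
        netloc += f":{parts.port}"
    fetch_url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))
    params = parse_qs(parts.query, keep_blank_values=True)
    return {
        "actual_host": actual_host,
        "userinfo": userinfo,
        "userinfo_decoy": bool(userinfo) and HOST_SHAPED.match(shown_first) is not None,
        "fetch_url": fetch_url,
        "gating_params": sorted(k for k in params if k.lower() in GATING_NAMES),
    }


if __name__ == "__main__":
    for u in ("https://shop.mango.com@mangokl[.]com",
              "https://realsite.com@fakesite.com/login?session=abc123",
              "https://example.com/reset?email=bob@example.org"):
        print(u, "->", analyze_url(u))
```

Refang before parsing: "mangokl[.]com" is not a valid authority, and recent Python versions reject bracketed hosts that are not IPv6 literals. An "@" in the path or query (the reset-link control) is not userinfo and must not trip the check, and a genuine user:password pair is reported but not flagged as a decoy. When gating_params is non-empty, scan fetch_url exactly as returned; the bare domain will not serve the page.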

Detecting such Phishing Sites at Scale

Traditional detection mechanisms struggle with phishing pages that employ geo-fencing, User-Agent filtering, Referer filtering and parameter-based filtering, because a single fetch from a single vantage point never sees the page. To overcome this, CloudSEK's XVigil platform uses the Fake Domain Finder (FDF) module. FDF defeats geo-fencing by fetching each URL through proxies and IP addresses in multiple regions; it rotates User-Agent strings to surface pages served only to particular devices; it supplies the Referer headers that ad-driven campaigns expect; and it parses parameterized URLs, including those with embedded credentials, so that the request reaches the real host with the parameters the kit demands. The CloudSEK Threat Research Team continuously updates the proxy lists, User-Agent strings, Referer headers and URL parsing logic behind FDF to keep pace with new evasion tactics. This multi-profile approach is what lets CloudSEK detect phishing campaigns that traditional scanners miss.


Author

Anshuman Das

Threat Research @CloudSEK
