Last Updated: 2023-11-17 10:12:27 UTC
by Jan Kopriva (Version: 1)
Anti-analysis features in phishing pages, especially in those that threat actors send out as e-mail attachments, are nothing new [1,2]. Nevertheless, the way these mechanisms are implemented can still leave one somewhat mystified. This happened to me a few weeks ago when I found what appeared to be a generic phishing message in one of my spam traps.
In this, I was not wrong, as the attachment did indeed contain a fake login form.
Since the last shortcut mentioned is the one modern browsers use to display the source code of a web page, my thinking is that blocking ctrl+c is in fact intended to prevent the use of ctrl+shift+c, which commonly opens developer tools.
Both of these scripts certainly work: if one were to open the phishing attachment in a browser, they would block viewing the source code or opening developer tools. As far as their anti-analysis effect goes, however, they can be trivially bypassed by simply saving the page and opening it in a text editor, as I have done…
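Reading the saved attachment as plain text, rather than loading it in a browser, is also how a defender can triage such files. The following is an added example (not code from the diary) of a small Python checker that flags shortcut-blocking and context-menu-blocking handlers in an HTML attachment; the sample page is constructed for the example, and the key codes it looks for cover the shortcuts discussed above plus F12.

```python
import re

# Constructed sample of an HTML attachment carrying the kind of anti-analysis
# handlers the diary describes (blocking Ctrl+U / Ctrl+C and the context menu).
# Written for this example only; it is not the actual phishing attachment.
SAMPLE_HTML = """<html><body oncontextmenu="return false">
<form action="https://login.example.invalid/verify" method="post">
  <input name="user"><input name="pass" type="password"></form>
<script>
document.onkeydown = function(e) {
  if (e.ctrlKey && (e.keyCode == 85 || e.keyCode == 67)) { return false; }
};
</script></body></html>"""

# Indicators in report order: the handlers, the key codes they compare against
# (85 = U for view-source, 67 = C as in Ctrl+Shift+C, 123 = F12) and whether
# the default browser action is suppressed.
INDICATORS = [
    ("keydown_handler", re.compile(r"onkeydown|addEventListener\(\s*['\"]keydown['\"]", re.I)),
    ("contextmenu_blocked", re.compile(r"oncontextmenu|addEventListener\(\s*['\"]contextmenu['\"]", re.I)),
    ("ctrl_key_check", re.compile(r"\bctrlKey\b")),
    ("ctrl_u_view_source", re.compile(r"keyCode\s*={2,3}\s*85\b|\bkey\s*={2,3}\s*['\"]u['\"]", re.I)),
    ("ctrl_c_devtools", re.compile(r"keyCode\s*={2,3}\s*67\b|\bkey\s*={2,3}\s*['\"]c['\"]", re.I)),
    ("f12_devtools", re.compile(r"keyCode\s*={2,3}\s*123\b|['\"]F12['\"]")),
    ("default_suppressed", re.compile(r"preventDefault\s*\(|return\s+false\b")),
]

def script_text(html: str) -> str:
    """Return only the executable parts: <script> bodies plus inline on*= attributes."""
    scripts = re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.I | re.S)
    inline = re.findall(r"\bon\w+\s*=\s*(?:\"[^\"]*\"|'[^']*')", html, re.I)
    return "\n".join(scripts + inline)

def find_indicators(html: str) -> list:
    """Names of the anti-analysis indicators present in the page's scripts."""
    text = script_text(html)
    return [name for name, pattern in INDICATORS if pattern.search(text)]

def is_suspicious(html: str) -> bool:
    """A handler, a known shortcut/context-menu target and suppression of the default action."""
    hits = set(find_indicators(html))
    handler = {"keydown_handler", "contextmenu_blocked"} & hits
    target = {"ctrl_u_view_source", "ctrl_c_devtools", "f12_devtools", "contextmenu_blocked"} & hits
    return bool(handler and target and "default_suppressed" in hits)

if __name__ == "__main__":
    print(find_indicators(SAMPLE_HTML), is_suspicious(SAMPLE_HTML))
```

Because the checker only reads the file, the blockers have no effect on it, which is the point made above; a page that merely mentions shortcuts in prose produces no hits.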
This, as I mentioned before, has left me somewhat mystified. My thinking is that if any recipient were suspicious enough to want to view the source code of an HTML page, they would be unlikely to input their credentials into it in any case (perhaps especially if the page didn't behave in the usual manner). And, as we have shown, for preventing any more "advanced" analysis attempts, these scripts are pretty much useless. Therefore, although this approach is certainly interesting, it is also somewhat arbitrary and ineffective, which means that we can be fairly sure it won't be the "next big thing" when it comes to phishing.