Nothing to see here! On the awareness of and preparedness and defenses against cloaking malicious web content delivery
2024-10-22 , Europe - Main Room

Website cloaking is a technique that enables websites to deliver different content to different clients, with the goal of hiding particular content from certain clients. Website cloaking is based on client detection, which is achieved via browser fingerprinting. In an attempt to hide their malicious web pages from detection, cybercriminals (can) use cloaking. They use vulnerability detection to only target clients that seem vulnerable. On top of that, they (can) also serve benign content in case they suspect someone or something is trying to detect them.

In this work, we investigated to what extent security web crawlers can be detected by browser fingerprinting techniques, and provided some suggestions for how to improve them to be able to bypass those techniques. We surveyed security analysts and analyzed a set of threat intelligence sharing communities, to gauge awareness of cloaking as an available detection evasion method for cybercriminals. Finally, we investigated one final technique, the use of Cache-Control: no-store, which an attacker can use to thwart forensic analysis.
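The two defender-side checks the abstract implies (does a URL serve different content to different client profiles, and does the response carry Cache-Control: no-store, which prevents a browser from keeping a copy for later forensic analysis) can be written as a small offline analysis step over already-captured responses. The following is an added example, not code from the talk or its author; it assumes captures were made elsewhere under several client profiles and supplied as plain dicts, and the sample responses below are constructed for illustration.

```python
"""Added example (not from the talk): compare captures of one URL taken under
different client profiles to flag suspected cloaking, and flag responses that
set Cache-Control: no-store. Capture dicts and sample pages are constructed."""
import hashlib
import re
from typing import Dict, List


def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def normalize_body(body: str) -> str:
    """Collapse whitespace and blank out per-request nonces so that ordinary
    request-to-request noise is not mistaken for cloaking. The nonce pattern is
    a hypothetical example of such noise, not something the talk describes."""
    body = re.sub(r'nonce="[^"]*"', 'nonce=""', body)
    return re.sub(r"\s+", " ", body).strip()


def body_digest(body: str) -> str:
    """Stable fingerprint of the normalized page body."""
    return hashlib.sha256(normalize_body(body).encode("utf-8")).hexdigest()


def parse_cache_control(header: str) -> Dict[str, str]:
    """Parse a Cache-Control value into {directive: argument}; flags map to ''."""
    directives: Dict[str, str] = {}
    for token in header.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def analyze_captures(captures: List[dict]) -> dict:
    """Each capture: {"profile": str, "headers": {..}, "body": str} for one URL.
    Cloaking is suspected when normalized bodies differ between profiles."""
    digests = {c["profile"]: body_digest(c["body"]) for c in captures}
    no_store = [
        c["profile"]
        for c in captures
        if "no-store" in parse_cache_control(get_header(c["headers"], "Cache-Control"))
    ]
    return {
        "cloaking_suspected": len(set(digests.values())) > 1,
        "digests": digests,
        "no_store_profiles": no_store,
    }


# Constructed sample captures: a headless crawler receives a bland page, while a
# profile that looks like an ordinary desktop browser receives a credential form
# whose response is also marked non-storable.
SAMPLE_CAPTURES = [
    {
        "profile": "headless_crawler",
        "headers": {"Content-Type": "text/html", "Cache-Control": "max-age=3600"},
        "body": "<html><body><h1>Welcome</h1><p>Nothing to see here.</p></body></html>",
    },
    {
        "profile": "desktop_browser",
        "headers": {"content-type": "text/html", "cache-control": "no-store, max-age=0"},
        "body": '<html><body><form action="/login"><input name="password"></form></body></html>',
    },
]

# Constructed control case: same page for both profiles, differing only in
# whitespace and a per-request nonce, which must not be reported as cloaking.
SAME_PAGE_CAPTURES = [
    {"profile": "a", "headers": {}, "body": '<script nonce="abc1">x</script>\n<p>hi</p>'},
    {"profile": "b", "headers": {}, "body": '<script nonce="zzz9">x</script>   <p>hi</p>'},
]

if __name__ == "__main__":
    print(analyze_captures(SAMPLE_CAPTURES))
    print(analyze_captures(SAME_PAGE_CAPTURES))
```

A real pipeline would feed this with captures taken by the crawler itself and by at least one client profile it tries to look like; the divergence check is only as good as the set of profiles compared, and the no-store flag is a prompt to retain the crawler's own copy of the response rather than relying on a browser cache later.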


In this talk I present part of my master thesis research in this space, explaining how browser fingerprinting works and why I think it deserves more attention from the cyber security community, and from the CTI community in particular.

See also: Slides (1.3 MB)

I am a computer scientist with a background in software testing (automation), incident handling and threat intelligence sharing.