
In recent years, the cybercrime-as-a-service industry has grown in popularity as threat actors continue to find ways to lower the investment of time, labor, and skill required to get their attacks up and running. This trend removes many of the barriers to launching cyberattacks, working in tandem with the AI explosion to make it easier for bad actors to launch attacks at scale.
Threat research from security provider SlashNext reveals the growth of cybercriminal activity using Cloaking-as-a-Service (CaaS), a tactic increasingly used by threat actors to launch phishing and fraud attacks and evade security measures. CaaS is gaining popularity as a way to lower the overhead cost of carrying out these attacks without being detected.
Inside the Cloaking Machine
CaaS platforms work by presenting harmless content, or “white pages,” to automated tools while showing the true scam sites, or “black pages,” to real users. This helps bad actors go unnoticed by security reviews and still carry out effective attacks. The marketplace of CaaS—while often using platforms whose purposes are ostensibly ambiguous, if not entirely legitimate—is built around providing threat actors with the web infrastructure to obstruct the operations of known security tools.
The growing sophistication and effectiveness of CaaS tools is also contributing to their popularity among cybercriminals. These services often use AI technology and real-time traffic filtering to improve accuracy, and they rely on detection evasion techniques such as device fingerprinting and behavioral signals.
Two Threat Platforms to Watch
Hoax Tech, an online service for hiding malicious sites, was originally designed as a marketing tool for affiliate marketers offering policy-violating, or “gray,” services. However, the tool's technology has been appropriated to protect phishing and scam sites against discovery by security tools. Hoax Tech uses JavaScript fingerprinting and machine learning technology to determine which visitors are served false benign pages.
Another tool known as JS Click Cloaker is designed to ensure scripted deception at scale, enabling marketers and cybercriminals to block bots from their pages. Both of these services are marketed as plausibly legitimate—or at least legal—tools, but have been increasingly repurposed by threat actors looking to launch attacks without being detected by security solutions.
Why CaaS Works So Well
The CaaS market works by delivering services to cybercriminals that empower them to evade automatic scanners and legacy security tools. These services leverage AI technology to adapt to scanning patterns over time, offering ongoing effectiveness against detection by security tools. The evolution of these tools runs parallel with advances in malware and phishing sophistication, reinforcing the threat actors’ ability to launch successful attacks.
Cloaking has been compared to a web version of malware sandbox evasion, which keeps attackers’ malware from being detected and blocked in sandboxed environments. Both techniques are profitable for cybercriminals because they shield attacks from the security measures put in place to prevent them. The use of advanced tools for this purpose represents the growing sophistication of the cybercrime landscape.
Expert Perspectives: The Cloaking Arms Race
Cybersecurity experts have commented on the far-reaching implications of the growth of CaaS as a trend among threat actors. “Just like threat actors use encryption, which is a core security technology, as a weapon to hold organization for ransom, it is no surprise that they are taking an approach designed to help opportunistic marketeers target and engage specific audiences and use it to target specific victims or evade detection,” says Andy Bennett, Chief Information Security Officer at Apollo Information Systems, a Round Rock, Texas-based provider of cybersecurity and IT solutions.
Cybercriminals taking advantage of technology for nefarious purposes is just another step in a long tradition of bad actors and security professionals constantly attempting to get ahead of each other. “It always has been an arms race between attackers and defenders,” according to Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit. “This research reveals a sophistication leap that threat actors are now leveraging artificial intelligence to fundamentally improve their evasion capabilities.”
Countermeasures and Defensive Strategies
Protecting against the types of attacks bolstered by CaaS technologies requires organizations to establish and maintain sufficient security measures, including adaptive and scalable tools and policies that counteract cloaking technology. These include real-time scanning that renders suspicious pages and observes them through runtime analysis, as well as scanning from multiple angles to find inconsistencies that may indicate cloaking.
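The "multiple angles" check can be expressed as a comparison of what one URL rendered for different client profiles. The sketch below is an added example, not code from SlashNext or any product named in this article; the vantage names, the 0.5 similarity threshold and the snapshots themselves are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser

class PageProfile(HTMLParser):
    """Visible words and password-field count for one rendered snapshot."""
    def __init__(self, html):
        super().__init__()
        self.words, self.password_fields, self._hidden = [], 0, 0
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "input" and dict(attrs).get("type") == "password":
            self.password_fields += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:  # ignore script and style bodies
            self.words += re.findall(r"[a-z0-9]+", data.lower())

def find_cloaking(snapshots, baseline, threshold=0.5):
    """Compare each vantage's snapshot of one URL against the baseline vantage."""
    base = PageProfile(snapshots[baseline])
    findings = {}
    for name, html in snapshots.items():
        if name == baseline:
            continue
        page = PageProfile(html)
        ratio = SequenceMatcher(None, base.words, page.words).ratio()
        reasons = []
        if ratio < threshold:
            reasons.append(f"text similarity {ratio:.2f} to {baseline}")
        if page.password_fields != base.password_fields:
            reasons.append("credential form present for only one vantage")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed snapshots of the same URL as rendered for three client profiles.
WHITE = "<html><body><h1>Garden tips</h1><p>Water tomatoes early in the morning.</p><script>var a=1;</script></body></html>"
BLACK = "<html><body><h1>Verify your account</h1><form><input type='text'><input type='password'></form></body></html>"
SNAPSHOTS = {"datacenter_headless": WHITE, "datacenter_desktop": WHITE, "residential_mobile": BLACK}

print(find_cloaking(SNAPSHOTS, "datacenter_headless"))
```

A URL whose content diverges only for some vantages is a candidate for manual review, since legitimate personalization and localization can also change what a page shows.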
Organizations are encouraged to implement tools that detect cloaking scripts and suspicious behavior, such as excessive fingerprinting and logic for swapping content. User behavioral analytics and AI-powered defenses are also recommended, so that defenders apply advanced, adaptive technology against cyberattacks that do the same.
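One way to triage page scripts for the two signals named above, excessive fingerprinting and content-swapping logic, is a static pass over the JavaScript. This is an added example rather than any vendor's ruleset: the indicator patterns reference real browser APIs, but the selection, the names, the threshold of three probes and the sample scripts are assumptions made for illustration.

```python
import re

# Indicator patterns chosen for this example (assumptions, not a vendor ruleset).
FINGERPRINT = {
    "automation_flag": r"navigator\.webdriver",
    "canvas_readback": r"\.toDataURL\s*\(",
    "webgl_renderer": r"UNMASKED_RENDERER_WEBGL",
    "plugin_enum": r"navigator\.plugins",
    "hardware_probe": r"navigator\.(hardwareConcurrency|deviceMemory)",
    "audio_context": r"(Offline)?AudioContext",
    "timezone": r"getTimezoneOffset|resolvedOptions\(\)\.timeZone",
}
CONTENT_SWAP = {
    "document_rewrite": r"document\.(write|open)\s*\(",
    "body_replace": r"document\.(body|documentElement)\.innerHTML\s*=",
    "redirect": r"location\.(replace|assign)\s*\(|location\.href\s*=",
}

def triage_script(js, probe_threshold=3):
    """Classify one script by the fingerprinting probes and swap logic it contains."""
    probes = sorted(n for n, rx in FINGERPRINT.items() if re.search(rx, js))
    swaps = sorted(n for n, rx in CONTENT_SWAP.items() if re.search(rx, js))
    if len(probes) >= probe_threshold and swaps:
        verdict = "likely-cloaking"  # many probes in a script that also swaps content
    elif len(probes) >= probe_threshold or (probes and swaps):
        verdict = "review"           # one signal alone is common in benign code
    else:
        verdict = "low"
    return {"verdict": verdict, "probes": probes, "swaps": swaps}

# Constructed script excerpts used as sample input.
ANALYTICS_JS = "var tz = new Date().getTimezoneOffset(); send('/stats', {tz: tz});"
GATED_JS = """
var s = [navigator.webdriver, navigator.plugins.length, navigator.hardwareConcurrency,
         c.toDataURL(), gl.getParameter(ext.UNMASKED_RENDERER_WEBGL)];
if (decide(s)) { document.body.innerHTML = altPage; }
"""

for label, js in (("analytics", ANALYTICS_JS), ("gated", GATED_JS)):
    print(label, triage_script(js))
```

Static matching misses obfuscated or dynamically loaded scripts, so it complements the rendering and runtime analysis described earlier rather than replacing it.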
AI Is a Double-Edged Sword
The AI explosion in recent years, along with other rapidly growing technologies, has led to many advances in legitimate personal and business usage, but it has also created more opportunities for cybercriminals to craft sophisticated attacks. As technologies like AI continue to be misused by cybercriminals, it is more important than ever for defenders to adopt similarly advanced tools to protect against attacks.