Web obfuscation technique using invisible spans

In order to delay detection, phishing and malware websites often use some obfuscation technique.
Obfuscation techniques are double-edged swords. They hide the malicious content from dumb crawlers, bots and sandboxes, but smarter algorithms that know what to look for can detect the malware just by looking at its attempts to hide. This is one of the ways we can detect zero-day malware.

In this example we have a fake PayPal website. This page interleaves invisible spans between visible text in order to avoid detection by automated systems that perform heuristic analysis of the web page content.
You’ll get a clearer idea by looking at the following pictures.

This is the fake PayPal website as it is displayed in the browser:

[Screenshot: the fake PayPal website as rendered in the browser]

Notice the text just above the login box on the left of the page. The text says “Bitte geben Sie Ihre PayPal-Dated ein”. You will not find this phrase in the source code of the page because the phrase (and especially the word PayPal) has been interleaved with a lot of text enclosed in invisible spans. This text is present in the page but it is not displayed to the user.

Here is a part of the source code of the page:

[Screenshot: excerpt of the page source, with the invisible spans shown in brown and the visible parts surrounded by yellow boxes]

The parts in brown are the invisible spans. They contain a lot of random text that the browser is instructed not to display to the user.

The parts surrounded by yellow boxes are visible and displayed to the user. Together these parts compose the phrase you see on the webpage, but a bot that scans the page without skipping the invisible parts cannot find this phrase, or even the word PayPal, anywhere in the page.

Invisible content is perfectly normal in legitimate web pages: often some parts of the page are made visible only on specific events, and often most of the page is initially invisible and only shown once everything has been loaded. Having invisible content is not bad by itself, and this is why crawlers and sandboxes don’t ignore it. Using it in this way, however, is certainly suspicious.

Our UrlSand sandbox searches for this and other obfuscation/evasion techniques in order to detect malware.
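The check described above, as an added example written for this post (it is not UrlSand's code): a small Python extractor that separates the text a user would see from the text hidden by inline CSS, then flags keywords that appear in the rendered text but nowhere in the raw source. It assumes hiding is done with inline `display:none` / `visibility:hidden` styles; the sample HTML is constructed to mimic the interleaving technique.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the technique described above; not the real page's source.
SAMPLE_HTML = (
    '<p>Bitte <span style="display:none">qwe xyz</span>geben Sie Ihre Pay'
    '<span style="visibility:hidden">lorem ipsum</span>Pal-Daten ein</p>'
)

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "input", "hr", "meta", "link"}   # never get an end tag
NEVER_RENDERED = {"script", "style", "head", "template"}   # text here is never shown

class VisibleTextExtractor(HTMLParser):
    """Split page text into what a user sees and what inline CSS hides."""
    def __init__(self):
        super().__init__()
        self.stack = []      # one bool per open element: True if hidden
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        parent_hidden = self.stack[-1] if self.stack else False
        # a child of a hidden element is hidden too, whatever its own style says
        hidden = parent_hidden or tag in NEVER_RENDERED or bool(HIDDEN_STYLE.search(style))
        self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        hidden = self.stack[-1] if self.stack else False
        (self.hidden if hidden else self.visible).append(data)

def extract(html):
    """Return (visible_text, hidden_text) for an HTML string."""
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    return "".join(parser.visible), "".join(parser.hidden)

def hidden_span_indicators(html, keywords=("paypal",)):
    """Flag keywords the rendered text contains but the raw source does not."""
    visible, hidden = extract(html)
    split = [k for k in keywords if k in visible.lower() and k not in html.lower()]
    return {"visible": visible, "hidden_chars": len(hidden), "split_keywords": split}
```

Hiding can also be done through stylesheet classes, off-screen positioning or a zero font size, so a production check should run the same comparison on a rendered DOM rather than on inline styles alone.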


Rodolfo Saccani
Libra Esva R&D Manager

LIBRA ESVA – VBSPAM JUNE 2017: 99.99% SPAM CATCH RATE

The latest VB Spam test saw Libra ESVA registering a catch rate of 99.99%, with zero false positives!

The great results and superior spam-blocking also saw the company receive another VBSpam+ award for the exceptional performance. This earned the company 2nd position among the products under test.

CEO of Libraesva, Paolo Frizzi, is proud of the high ranking and spoke of the importance of having an independent third party conduct performance tests. He pointed out that the Virus Bulletin test results can be trusted as they have no bias.

Organizations looking to deploy an anti-spam solution can therefore rely on the results and choose the solution accordingly. Companies already using Libra ESVA can consider the results to assess how well they chose Libra ESVA against the competitors.

An anti-spam solution must be effective, as any spam emails that get past the filter could potentially result in a phishing email being delivered to an employee. The high catch rate shows the quality of the product, which uses not one but up to three different anti-virus engines to ensure dangerous emails are prevented from being downloaded and delivered to end users.

Moreover, thanks to the URLSand Protection and the QuickSand Protection, included in the standard subscription, Libra ESVA blocks malicious email URLs and the active contents in all Microsoft Office documents and PDF files.


LIBRAESVA LOAD BALANCER: EMAIL LOAD BALANCING MADE EASY

Libraesva, always focused on advanced email security solutions, introduces the new Load Balancer, designed to offer a simple solution to the problem of balancing e-mail workloads.

Libraesva Load Balancer is the ideal answer for those organizations that are looking for a high-performance, easy-to-install and manageable solution, available at a low price.

STRESS-FREE DEPLOYMENT
EMAIL APPLICATION READY
SCALABLE PERFORMANCE
ZERO DOWNTIME
EXCEPTIONAL VALUE


Libraesva Load Balancer provides pre-built applications to balance common email services, supporting a wide range of protocols such as ActiveSync, MAPI, RPC, HTTPS, IMAP, POP3 and SMTP.