Scammers today are high tech equipped. They have IT team, as good as any software company. These IT guys might not operate scam activities themself, but provide dangerous tools & systems to scammers hand. It is unclear that those high educated guys chose to work for scam industry, or themself also are victims of another scam recruitment, or they are backed by some cybercriminal gangs which in turn, backed by a few governments – which you can guess :). But, an uncomfortable fact is: they has black hats in their side!
Fake websites, Impersonated websites (or Rogue websites) today is designed as polish as official ones. Scam websites copies not only logos, but also the professional feel. But their weakness is always on their domain names. Security researcher often can detect these websites easily by a web crawler, but it is not that easy anymore. These websites today can use some Camouflage techniques to hide themself from security researchers.
This post will list some techniques commonly used by scammer to hide their content from researchers, and a solution around this problem.
1. Cookie-based cloaking
Cookie-based cloaking, or Cookie-Based Redirecting, Cookie-Gated Content is a web technique where a website changes its behavior depending on cookies stored in the visitor’s browser. A cookie is a small piece of data websites save in the browser to remember information such as: login sessions, referral sources, advertising campaigns, previous visits, tracking identifiers. A website can use these information to determine what content to show to a visitor. Scam websites use this technique to:
- Show trivial content, such as a skateboard product homepage, or a small HR company landing page, etc, to visitors that visitors access directly via entering their domain name.
- But, if a visitor comes via clicking an ads on Social Networks, it shows scam contents such as impersonating famous services or companies to trick visitors to download or pay in advance.
By this trick, a web crawler will not see scam content, so it can fail to flag it as scam.
2. Geo-Targeting
Similarly to Cookie-based cloaking, Geo-Targeting scam activates only for visitors from certain countries or cities. Scam websites can use IP of visitors to determine what content to display instead of data in cookies. Scam websites can use this technique to hide themself from cybersecurity researchers – who will hunt for them. Many cybersecurity companies scan websites from US cloud providers, datacenter IP ranges or known research networks. Scam sites can detect these IP ranges and automatically hide scam content from those locations.
Another usage of geo-targeting is to localize content by using visitor’s language. Scam contents feel more convincing if it uses local language, local currency, local phone numbers, local branding and region-specific holidays or events. Victims are more likely to trust the page if they see familiar information and symbols. With a domain name slightly different from legitimate ones, it actually fool a lot of people around the world.
3. Device-Based Targeting
Device-based targeting is a technique where a website changes its behavior depending on the visitor’s device, operating system, browser, or hardware characteristics. The same URL may show contents completely differently among Android phones, iOS phones, Window PC or MacOS. Scammers use this technique to target specific victims to deliver platform-specific malware. For example, if scammers want to deliver Window malware, they can make their scam website to display scamming messages only if user is using Window. This is possible because browsers (Chrome, Firefox, …) attach OS info in every HTTP requests. When a researcher using MacOS or using phone, they won’t see the scam messages. This is one of the most common camouflage methods in modern phishing and malvertising campaigns.
4. Time-Based Activation
Time-based activation is a camouflage technique where a scam website only becomes malicious during specific periods of time.
This technique often is used with ad campaigns. Because digital ads platform such as Facebook or Google, always review website’s content before placing ads and they strictly ban scam & impersonated content. But scammers can now bypass this Ad Review System. Scammers can put normal content on a website during review period so their webiste can be accepted. But scammer’s website can be programmed in a way that it only show scam content at specific time, for example: only from 8PM-10PM. Because Ad Review Systems have no access to website source code so they have no clue if a website use this technique. As a result, scammer can guess when their victim usually online, and configure scam website to show scam content at that time.
This Time-based activation method also help them avoid being detected by scanners, limit their exposure and increase their success rate.
5. URL Shortener Abusing
URL Shorteners such as Bitly or TinyURL are tools to shorten urls to make it looks nice when sharing, and looks less dangerous. Scammer can exploit these tool to make their links less suspicious. When users click on a shorten link, let say shorten by TinyURL, browsers (Chrome, Firefox) make request to TinyURL’s server, then TinyURL redirects user to scammer actual link. Scammers exploit this function to hide their real domain names and borrow credit from famous companies, here is Bitly and TinyURL. This method often is used when scammers chose to send links via SMS. Because the URL looks short, and from famous services like Bitly or TinyURL, victims may let their guard down and click the shorten link.
6. One-Time URLs
Another effective camouflage method used by scammers is the use of “One-Time URLs.” One-Time URLs are links that display scam content only once; afterward, the content disappears or changes completely. Technically, this behavior is not difficult to implement — any experienced web developer can build such functionality, and organized scam operations often have dedicated IT teams capable of deploying it at scale.
In a typical scenario, when a targeted victim clicks a malicious link sent through SMS, email, social media, or advertisements, the page displays phishing content, fake login forms, investment scams, or malware download prompts. However, if the victim later revisits the same link — or sends it to a friend, bank employee, or cybersecurity researcher for verification — the page may suddenly become unavailable, return a “404 Not Found” error, redirect to a harmless website, or display completely normal content unrelated to the scam.
7. JavaScript-Only Payloads
Many web scanners depend on HTML content when analyzing websites. To hide scamming intention, modern scam websites increasingly avoid placing malicious text, phishing forms, or scam indicators directly inside the initial HTML response. Instead, they use JavaScript to dynamically generate content only after the page loads, often based on factors such as device type, browser behavior, cookies, location, or user interaction.
In many cases, the HTML page initially appears almost empty or completely harmless to automated scanners. The actual phishing interface, fake login form, or malicious redirect is later constructed in the browser using obfuscated JavaScript, remote payload downloads, or delayed execution techniques. Some scam pages even activate only for real mobile users while showing benign content to security researchers or automated bots.
This technique, commonly referred to as a JavaScript-only payload or client-side payload delivery, makes detection significantly more difficult because traditional scanners may never execute the necessary scripts long enough to observe the malicious behavior.
8. Image Only Websites
Similar to JavaScript-Only Payloads, to bypass traditional scanners, some scam websites avoid placing meaningful textual content directly inside the HTML page and instead render their entire interface as images. Banking forms, warning messages, promotional banners, fake customer support chats, and even login screens may exist only as embedded images, while the underlying HTML remains nearly empty or harmless-looking.
Because many security systems primarily analyze HTML structure, DOM text, metadata, and visible keywords, image-only websites can significantly reduce the effectiveness of conventional phishing detection methods. Without performing advanced image analysis or OCR (Optical Character Recognition), automated scanners may fail to recognize brand impersonation, phishing instructions, or scam-related language contained inside the images themselves.
Some campaigns further combine this technique with JavaScript rendering, geo-targeting, or device-based targeting to dynamically serve different image payloads depending on the victim’s environment, making automated analysis even more difficult.
9. Compromised Legitimate Websites
This case rarely happens, but it does occur — even on legitimate government websites. In some countries, cybersecurity investment remains limited, outdated, or poorly maintained. As a result, official government websites may eventually get hacked through vulnerable CMS platforms, weak administrator passwords, outdated plugins, exposed servers, or neglected infrastructure.
Once attackers gain access, they may place scam advertisements, phishing links, fake investment promotions, gambling content, malware downloads, or redirects to rogue websites directly on the homepage or inside trusted government subpages. In other cases, attackers quietly inject hidden links or malicious JavaScript that redirects only selected visitors to scam pages while the website otherwise appears normal.
Because the malicious content is hosted on an official government domain, victims are far more likely to trust it. This case demonstrates an important reality: a trusted domain does not always guarantee trusted content. Even legitimate websites can be hacked and be injected with scam campaigns if their systems are not properly secured and monitored.
10. SEO Poisoning
People today often trust Google search results more than their own judgment, and scammers actively exploit this behavior through a technique commonly known as SEO poisoning. Instead of sending suspicious links directly, attackers attempt to manipulate search-engine rankings so that their scam pages appear near the top of search results for popular or urgent keywords.
Scammer today has their own content creator team. These teams are responsible for producing convincing materials designed to build trust, attract victims, and make scam campaigns appear professional and legitimate. They also has SEO team, which are responsible for optimize SEO ranking of their websites. As a result, when a user searches for a solution on Google Search, they may land to scammer’s websites. These websites usually provide content that is 90% truth, and harmless, but the rest 10%, is faked, mostly to instruct users – which already trust it due to that 90% – to download malware, or to make advanced payments.
11. Advertisement Abusing
When SEO to top ranking takes time or impossible, scammer still have another choice. They run ads campaign. They pay to Google Ads to display their website on top. These ads usually has word “Sponsored” under its name to distinguish to other native SEO ranking. But users often neglect this, and usually trust the first website.
Scammers usually exploit this behavior by creating ads that imitate banks, airlines, government services, cryptocurrency platforms, technical support companies & package delivery services. The advertisement itself may appear completely legitimate, using official logos, professional descriptions and similar domain names. Some malicious campaigns even use typo-squatting domains that look visually similar to trusted brands.
Because advertising systems operate at massive scale, attackers sometimes manage to run malicious ads temporarily before automated moderation systems detect and remove them. During that window, thousands of users may already have clicked the scam advertisement.
12. Multi-Step Redirect Chains
This is not a new technique, but rather a combination of many of the camouflage methods described above. In a Multi-Step Redirect Chain attack, the victim does not directly land on the final scam page. Instead, they are silently redirected through multiple intermediate websites, tracking systems, shortened URLs, advertising networks, cloaking pages, or compromised domains before eventually reaching the malicious destination. Each step serves a specific purpose:
- dynamically changing payloads
- hiding the final destination
- bypassing blacklist systems
- filtering unwanted visitors
- tracking victims
- evading automated scanners
For example, a security scanner may inspect only the first redirect and conclude the link is harmless, while the actual phishing content appears only after several additional redirects triggered under very specific conditions. Some redirect chains additionally check:
- IP reputation
- country
- browser fingerprint
- mobile vs desktop
- cookies
- referral source
- whether the visitor appears to be a scanner
If the visitor is suspected to be: a researcher, a security crawler, a virtual machine or a headless browser, the chain may terminate early and show harmless content instead of the real scam page.
Modern scam operations often treat redirect chains almost like traffic-routing infrastructure. Different victims may be sent to completely different scam pages depending on: language, location, device type, advertising campaign and time of day. This technique is particularly effective because no single website in the chain necessarily appears obviously malicious on its own. Some intermediate pages may even belong to legitimate ad networks, hacked government websites, trusted cloud platforms, URL shorteners or compromised websites.
As a result, automated detection becomes significantly harder because scanners must successfully follow every redirect step, emulate realistic user behavior, and trigger the correct environmental conditions before the final malicious payload is revealed.
So how to detect these camouflaged scam websites ?
How to detect camouflaged scam websites ?
Based on known camouflage techniques, detection algorithms can no longer rely solely on static content analysis anymore. Modern scam websites are increasingly capable of dynamically changing their behavior depending on the visitor’s device, location, cookies, referral source, browsing history, or even the current time. A webpage that appears completely harmless to an automated scanner may simultaneously display phishing forms, malware downloads, or fake investment dashboards to real victims under carefully selected conditions.
Because of this, modern detection systems must evolve from simple “page inspection” into behavioral and contextual analysis systems. Instead of analyzing only the final rendered HTML, security solutions increasingly need to observe:
- redirect chains
- device-specific responses
- geo-dependent behavior
- JavaScript execution
- timing anomalies
- browser fingerprint checks
For example, if a website behaves differently between mobile and desktop devices, changes content after several visits, or only activates after arriving from advertisements, these behavioral inconsistencies themselves may become strongest indicators than the visible content alone.
This is one reason why modern phishing detection has become significantly more difficult than traditional spam filtering. Scam infrastructure is no longer static. It is adaptive, selective, and increasingly designed to study the visitor before revealing its real intent.
( There is a project that is active adapting this approach to combat scamming plague: SafePhone. SafePhone for Android is now available on PlayStore , homepage is at: https://safephone.io.vn/. )
