Cybercriminal adoption of browser fingerprinting

Browser fingerprinting is one of many tactics phishing site authors use to evade security checks and lengthen the lifespan of malicious campaigns.

While browser fingerprinting has been used by legitimate organizations to uniquely identify web browsers for nearly 15 years, it is now also commonly exploited by cybercriminals: a recent study shows one in four phishing sites using some form of this technique.

This article will explain what browser fingerprinting is, provide examples, and discuss how it is used.

Browser fingerprinting explained

Browser fingerprinting uses a variety of client-side checks to establish browser identities, which can then be used to detect bots or other undesirable web traffic. Numerous pieces of data can be collected as a part of fingerprinting, including:

• Time zone
• Language settings
• IP address
• Cookie settings
• Screen resolution
• Browser privacy
• User-agent string

Browser fingerprinting is used by many legitimate providers to detect bots misusing their services and other suspicious activity, but phishing site authors have also realized its benefits and are using the technique to avoid automated systems that might flag their website as phishing. By implementing their own browser fingerprinting controls loading their site content, threat actors are able to conceal phishing content in real-time.

For example, Fortra has observed threat actors using browser fingerprinting to bypass the Google Ad review process. Because Google’s review process is semi-automated, the implementation of browser fingerprint checks allowed threat actors to identify when Google was viewing their ad destinations versus a normal user. If the threat actor suspected activity from Google, benign content was displayed. This led to phish reports getting rejected by Google because no phishing content could be detected.

Browser fingerprinting examples

Cloudflare’s Bot Fight Mode is one example of a legitimate provider using browser fingerprinting techniques to identify and block bots.

Cloudflare’s Bot Fight Mode uses browser fingerprinting techniques to identify and block bots.

Every time a website is loaded with Bot Fight Mode, the JavaScript below runs and sends the results back to Cloudflare. Depending on the results, you will either be presented with a captcha or blocked.

Below is an example of one of the browser fingerprinting checks implemented on a phishing site. On the first load, the site will execute the following encoded JavaScript:

If the JavaScript is decoded, security teams will see it is obfuscated and can infer from the strings shown that it is requesting numerous browser properties and running tests to see the results.

Once the JavaScript finishes, it generates a fingerprint and sends all the information back to the phishing site where the results are analyzed by the server. Depending on what it determines, either benign content or a phishing site will then be displayed.

In the example below, the large block of text contains significant amounts of data about the browser that is visiting the page.

This fingerprint contains every property of the browser, including information on screen dimensions, operating system, GPU hardware, time zone, and many other data points. All this information combined can make it very easy to determine if the browser is real or an emulator.

The following examples contain information that point to bot activity.

Example A: There is a discrepancy between the Platform and the UserAgent, indicating that the UserAgent has been changed.

Example A

Example B: The screen dimensions are conflicting, as the inner values are larger than the outer values.

Example B

Example C: The time zone offset is 0 or UTC, which indicates activity from a server and not a client system. The GPU information also reveals that this is a Linux system.

Example C

Any of the prior examples and information may be analyzed to determine the likelihood a visitor is a bot. In the case of the phishing site above, benign content will be displayed if the data pulled indicates it is not being accessed by a real browser. This kind of detection can identify nearly any out of the box browser emulation such as Curl, Puppeteer, Selenium, or headless Chrome.

In the past, crawlers could easily avoid detection by leveraging a proxy and changing its UserAgent. However, browser fingerprinting is very effective at identifying these automated systems, allowing site authors to alter their site content based on the results. Understanding the browser properties criminals are collecting when fingerprinting is critical for security teams to avoid suspicion from threat actors.