Cloaking: How Phishing Hides From Scanners — And How We Beat It

A phishing page that everyone can see is a phishing page that gets reported, blocked, and removed quickly. Attackers know this. So the more sophisticated operators no longer show their malicious page to everyone — they show it only to the people they intend to victimise, and serve a harmless decoy to everyone else. This technique is called cloaking, and it is one of the main reasons a phishing URL can stay live far longer than it should.

What cloaking actually is

Cloaking is the practice of serving different content to different visitors based on who, or what, the server believes is asking. A security scanner, a bank’s abuse team, or an automated crawler is shown a benign page: a blank template, a parked-domain notice, an unrelated landing page, or a generic error. The actual victim — arriving from a phishing email or SMS on the expected device, from the expected country, at the expected moment — is shown the real credential-harvesting page.

The goal is simple. If the people and systems responsible for detection only ever see something innocent, the URL looks clean, and the malicious content survives.

The common techniques

Cloaking is not one trick but a layered set of filters. The most common include:

  • User-agent checks. Requests from known crawler or headless-browser signatures are filtered out and shown the decoy.
  • IP and ASN filtering. Address ranges belonging to security vendors, cloud providers, and research networks are blocklisted and never served the live page.
  • Geo-targeting. The phishing page is shown only to visitors from the countries the campaign targets; everyone else gets the benign version.
  • Referrer checks. The page renders only when the visitor arrives via the campaign’s own link or lure, and stays hidden for anyone who navigates directly.
  • Device fingerprinting. Screen size, touch support, fonts, and other signals are used to distinguish a real mobile victim from an automated environment.
  • JavaScript gating. The malicious content is assembled only after client-side scripts run and pass a check, defeating scanners that read raw HTML.
  • One-time access tokens. Each lure carries a unique token; once used or expired, the link resolves to nothing of interest.
  • Redirect chains. A sequence of hops, sometimes through legitimate services, hides the final destination and breaks naive followers.
  • Time-based and behavioural filters. The page may go live only during certain hours, or only after a visitor demonstrates human-like interaction.

Why naive scanners fail

Most automated scanning works by fetching a URL and inspecting what comes back. Against an uncloaked site, that is enough. Against a cloaked one, it is exactly the wrong move: the scanner announces itself through its user-agent, its data-centre IP, its missing referrer, and its lack of human behaviour, and is handed the decoy on cue. The scanner records a clean page, the verdict is “not phishing,” and the report is never filed. Cloaking does not need to defeat detection forever — it only needs to win the single request the scanner makes.
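One defensive answer to this is a differential probe: request the same URL under a scanner-like and a victim-like profile and compare what comes back, because a cloaked host answers the two differently while an honest one does not. The Python below is an added illustration, not Clonedown's code or tooling; the profile headers, URL and sample HTML are constructed placeholders, and the fetcher is injected so the example runs offline.

```python
"""Differential cloaking probe (added example, not a vendor's tooling)."""
import difflib
import re
from typing import Callable, Dict

# Request profiles a takedown crawler might rotate through. Header values are
# illustrative assumptions, not a real campaign's parameters.
PROFILES: Dict[str, Dict[str, str]] = {
    "scanner": {"User-Agent": "Mozilla/5.0 (compatible; ExampleScanner/1.0)",
                "Referer": ""},
    "victim_like": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                                  "AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
                    "Referer": "https://lure.example/track?id=PLACEHOLDER",
                    "Accept-Language": "en-GB,en;q=0.9"},
}

def normalize(html: str) -> str:
    """Strip scripts, digits and whitespace so benign per-request variation
    (nonces, timestamps, counters) does not masquerade as cloaking."""
    text = re.sub(r"<script.*?</script>", "", html, flags=re.S | re.I)
    text = re.sub(r"\d+", "0", text)
    return re.sub(r"\s+", " ", text).strip().lower()

def has_credential_form(html: str) -> bool:
    """True when a form carries a password field: the content the decoy exists to hide."""
    return bool(re.search(r"<form.*?type=[\"']?password", html, flags=re.S | re.I))

def similarity(a: str, b: str) -> float:
    """0.0..1.0 similarity of two normalized bodies (1.0 means identical)."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def probe(url: str, fetch: Callable[[str, Dict[str, str]], str], threshold: float = 0.6) -> dict:
    """Fetch `url` under every profile; flag cloaking when a non-scanner profile
    diverges below `threshold`, or a credential form appears only off the scanner
    profile. `fetch(url, headers)` returns the body; inject a real client in production."""
    bodies = {name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}
    result = {"cloaked": False, "credential_form_in": [], "similarity": {}}
    for name, body in bodies.items():
        if has_credential_form(body):
            result["credential_form_in"].append(name)
        if name != "scanner":
            score = round(similarity(bodies["scanner"], body), 2)
            result["similarity"][name] = score
            result["cloaked"] |= score < threshold
    hidden = result["credential_form_in"] and "scanner" not in result["credential_form_in"]
    result["cloaked"] = bool(result["cloaked"] or hidden)
    return result

# Constructed sample bodies standing in for a live host so the demo runs offline.
DECOY = "<html><body><h1>Domain parked</h1><p>Coming soon.</p></body></html>"
LIVE = ("<html><body><form action='/login' method='post'><input name='user'>"
        "<input name='pass' type='password'></form></body></html>")

def fake_fetch(url: str, headers: Dict[str, str]) -> str:
    """Offline stand-in for HTTP: mimics a host that keys on the referrer check."""
    return LIVE if headers.get("Referer") else DECOY
```

Running `probe("https://example.invalid/x", fake_fetch)` reports the credential form only under the victim-like profile and marks the URL cloaked; against a host that answers every profile identically, both similarity and the form check stay clean.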

How a serious takedown operation defeats it

Beating cloaking means refusing to look like a scanner. Clonedown applies advanced cloaking mitigation that combines automated and manual techniques, so the system can present itself the way a genuine victim would: arriving through the campaign’s own path, from a plausible network and location, on a realistic device, executing the client-side gates, and exercising the redirect chain to the end. Where automation is filtered out, human analysts on a 24/7 disruption team reproduce the conditions by hand to reach and confirm the live malicious page.

That confirmation is what makes the rest of the process decisive. Evidence collection captures screenshots, page source, WHOIS, hosting, DNS, and the cloaking behaviour itself, producing a single timestamped evidence package that providers can act on without re-investigating. Documenting the cloaking is the point: it shows reviewers the malicious content they would otherwise never have seen.

Clonedown runs end to end from detection to takedown, automated by default, with a median response under fifteen minutes and an average threat time-to-live of roughly 2.6 hours. For verified phishing URLs, deindexing through the Google Trust & Safety reporting channel achieves 100% removal, closing off the search-driven traffic that keeps a campaign profitable.

The cat-and-mouse reality

Cloaking is an arms race. As detection improves, attackers add filters; as filters proliferate, detection has to act more like a real user and less like a robot. There is no permanent victory, only the discipline of staying one step ahead — matching every new evasion with a way to see past it, and turning each confirmed page into evidence that gets it removed.

Clonedown OÜ is based in Tallinn, Estonia. If cloaked phishing is undermining your detection and response, this is the class of problem we work on every day.