Scammers and the HTTP Protocol

Entropius Research

2/11/2026

#phishing #http-protocol #cloaking #threat-detection #AI

Introduction

When we think of online scams, we picture suspicious emails and fake login pages. But modern scammers have evolved far beyond that. They don't just send malicious links. They weaponize the HTTP protocol itself to decide who sees what, when, and how.

Every HTTP request carries a wealth of information: your IP address, browser type, operating system, language preferences, referring page, and more. Attackers exploit every one of these signals to build multi-layered evasion systems that show clean, harmless content to security scanners while serving malicious pages to real victims.

This post breaks down the specific HTTP-level techniques scammers use, and why detecting them at scale remains one of the hardest problems in cybersecurity.


HTTP Redirect Chains as a Weapon

The simplest and most effective technique in a scammer's toolkit is the HTTP redirect chain. When you click a link, you rarely land on the final page immediately. Instead, your browser follows a series of 301 and 302 redirects, each one controlled by a different server.

At every hop in the chain, the server can inspect your request and make a decision:

  • Is this a known security crawler? Redirect to a clean page.
  • Is this a real user from the target country? Redirect to the scam.
  • Is this IP on a blocklist? Redirect to Google.

This technique is called server-side cloaking, and it's devastatingly effective. Security bots see a perfectly legitimate website. Real victims see a fake bank login page, a fraudulent investment opportunity, or a tech support scam.

According to research published at IEEE S&P 2021 (CrawlPhish), 31% of phishing sites use some form of cloaking to evade detection. The redirect chain is the backbone of nearly all of them.

User clicks link
  → hop1.example.com (checks IP, User-Agent)
    → hop2.tracker.net (logs visit, sets cookies)
      → hop3.cdn-legit.com (checks geolocation)
        → final-scam-page.com (serves phishing content)

Each hop is a decision point. Each hop can be hosted on a different provider, in a different country, using a different domain. By the time a security team traces the chain, the intermediate servers may have already rotated to new domains.


Geo-Targeting with IP Geolocation

Every HTTP request exposes the visitor's IP address, and IP geolocation databases can map that address to a country, city, and ISP with reasonable accuracy. Scammers use this to serve region-specific content.

A phishing campaign targeting Australian banks will only show the fake login page to visitors from Australian IP ranges. Everyone else, including security researchers in the US or Europe, sees a benign page or gets redirected elsewhere.

This goes beyond simple country-level filtering:

  • City-level targeting: Serve scams only to users in specific metropolitan areas where the target brand operates.
  • ISP filtering: Block requests from hosting providers and cloud IPs (where security scanners typically run) while allowing residential ISPs through.
  • Mobile carrier detection: Target users on specific mobile networks for SMS-related scams.

Meanwhile, attackers use VPNs and Tor to mask their own origin, making it nearly impossible to determine where the attack infrastructure is actually operated from. The asymmetry is stark: attackers can see exactly where you are, but you can't see where they are.


Timestamp-Based Evasion

Scam infrastructure doesn't operate on a 24/7 schedule. Attackers know that security teams and automated scanners tend to operate during business hours in specific time zones, so they build time-based logic into their servers.

Common patterns include:

  • Delayed activation: A phishing page sits dormant for 24-48 hours after deployment, waiting for initial security scans to pass before activating.
  • Business hours targeting: Scam content only appears during working hours in the victim's time zone (9 AM to 6 PM), when people are most likely to interact with financial or corporate-themed phishing.
  • Weekend dormancy: Scam pages go offline or serve clean content on weekends when monitoring teams are understaffed.
  • Short-lived campaigns: Pages activate for just 2-4 hours, collect credentials, then self-destruct, all before a manual review can take place.

The numbers tell the story. Research shows that only 23% of cloaked phishing sites get blacklisted, compared to 49.4% of non-cloaked sites. Across all phishing attacks studied, 34% contain some form of cloaking technique. Timestamp-based evasion is a significant contributor to that gap.


HTTP Headers: Device Fingerprinting

Beyond IP addresses, every HTTP request contains headers that reveal detailed information about the visitor's device, browser, and context. Scammers inspect these headers to make granular decisions about what content to serve.

User-Agent Targeting

The User-Agent header tells the server what browser and operating system the visitor is using. Scammers use this to:

  • Serve mobile-optimized phishing pages to smartphone users (who are more likely to miss URL bar warnings on small screens).
  • Block requests from known headless browsers like Puppeteer or Playwright, which are commonly used by security scanners.
  • Target specific browser versions with known vulnerabilities for drive-by downloads.

Accept-Language Filtering

The Accept-Language header reveals the visitor's preferred language. A scam targeting Japanese users can verify that the visitor's browser is configured for Japanese. If it's set to English, the visitor is likely a researcher, not a victim.

Referer Analysis

The Referer header shows which page the visitor came from. Scammers use this to:

  • Only show scam content when visitors arrive from specific sources (a phishing email link, a social media ad, or a search engine result).
  • Block direct access (typing the URL directly), which is how security researchers typically investigate suspicious domains.
  • Serve different scams based on the referring platform.

Security Tool Blocking

Sophisticated phishing kits maintain blocklists of known security tool signatures: specific User-Agent strings used by URL scanners, IP ranges belonging to security companies, and request patterns that indicate automated analysis. If any of these signatures are detected, the server returns a 404 Not Found or redirects to a legitimate website.
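A defender-side check that follows from the redirect-chain section and the header-fingerprinting section above: trace the chain one hop at a time under several request profiles and flag a URL whose landing page depends on which profile asked. This is added example code, not Entropius's or any kit's; the profile values, hostnames and the stand-in fetch are constructed for the example, and a real fetch would issue one request with auto-redirect disabled and return the status and response headers.

```python
"""Differential cloaking check: trace a URL's redirect chain under several
request profiles and flag chains whose final destination depends on who asks."""
from urllib.parse import urljoin, urlsplit

# Constructed request profiles; a real scanner would rotate current, realistic
# values (and egress regions) rather than these illustrative ones.
PROFILES = {
    "scanner_bot": {"User-Agent": "Mozilla/5.0 (compatible; example-scanner/1.0)",
                    "Accept-Language": "en-US"},
    "au_mobile": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)",
                  "Accept-Language": "en-AU", "Referer": "https://mail.example.net/"},
}
REDIRECTS = (301, 302, 303, 307, 308)

def trace_chain(url, headers, fetch, max_hops=10):
    """Follow redirects one hop at a time. fetch(url, headers) must make a
    single request with auto-redirect disabled and return (status, headers)."""
    hops = []
    for _ in range(max_hops):
        status, resp = fetch(url, headers)
        hops.append({"url": url, "status": status})
        location = resp.get("Location")
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative to this hop
    return hops

def cloaking_indicators(url, fetch, profiles=PROFILES):
    """Run every profile against the same URL and compare where each lands."""
    chains = {name: trace_chain(url, h, fetch) for name, h in profiles.items()}
    final_hosts = {name: urlsplit(c[-1]["url"]).hostname for name, c in chains.items()}
    return {
        "final_hosts": final_hosts,
        "diverges": len(set(final_hosts.values())) > 1,  # profile-dependent landing
        "hops": {name: len(c) for name, c in chains.items()},
    }

def fake_fetch(url, headers):
    """Constructed test double for the network: mirrors the hop-by-hop decisions
    described above so the example runs offline."""
    parts = urlsplit(url)
    if parts.hostname == "hop1.example.com":
        if "scanner" in headers.get("User-Agent", "").lower():
            return 302, {"Location": "https://www.example.org/"}
        return 302, {"Location": "https://hop2.example.net/go"}
    if parts.hostname == "hop2.example.net" and parts.path == "/go":
        return 302, {"Location": "/landing"}  # relative redirect, same host
    if parts.hostname == "hop2.example.net":
        return 302, {"Location": "https://final-scam-page.example/login"}
    return 200, {}
```

Calling `cloaking_indicators("https://hop1.example.com/click", fake_fetch)` shows the scanner profile parked on a benign host after two hops while the mobile profile is routed through four hops to a different host, which is the divergence a cloaking detector should record along with the full per-profile chains.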


The HTTP Request Is Not a Full Browser Render

This is perhaps the most critical and underappreciated aspect of modern scam infrastructure: what a security crawler fetches is not what a real browser renders.

When a traditional security scanner requests a URL, it receives the raw HTML response from the server. But modern web pages are not static HTML documents. They're applications. The HTML is just a loader. The actual content is built dynamically by JavaScript after the page loads.

Scammers exploit this gap extensively:

Dynamic Content Loading

The initial HTML response contains nothing malicious. It's a clean page with legitimate-looking content. But embedded JavaScript executes after the page loads and performs the real work:

  • setTimeout delays: Malicious content doesn't appear until 3-5 seconds after page load, after most automated scanners have already captured their snapshot.
  • AJAX calls: The page fetches additional content from a separate API endpoint, which itself performs its own set of IP/header checks before returning the phishing payload.
  • DOM manipulation: JavaScript dynamically rewrites the page structure, replacing the clean content with a fake login form.
  • Iframe injection: A hidden iframe loads the actual scam content from a different domain entirely.

Research shows that 36% of malicious pages exhibit runtime assembly behavior: they construct their malicious content piece by piece in the browser rather than serving it directly.

Obfuscation and Encryption

The JavaScript that builds the phishing page isn't readable code. Attackers use multiple layers of obfuscation:

  • Base64 encoding: The phishing HTML is encoded and decoded at runtime.
  • XOR encryption: Payload strings are XOR-encrypted and only decrypted when specific conditions are met.
  • CryptoJS encryption: AES-encrypted payloads that require a key derived from the visitor's environment (IP, timestamp, referrer) to decrypt.
  • Variable name randomization: All variable and function names are replaced with meaningless strings.
  • Control flow flattening: The logical structure of the code is deliberately scrambled to resist analysis.

Modern Framework Abuse

The most advanced phishing kits now use React, Vue, or Svelte to build their scam pages. The initial HTML is nothing more than a minimal loader:

<div id="root"></div>
<script src="app.bundle.js"></script>

The entire phishing interface, complete with form validation, error messages, loading animations, and multi-step flows, is built by the JavaScript framework at runtime. A security scanner that only examines the HTML sees an empty page.

Anti-Analysis Techniques

Scammers also deploy techniques to detect and block security analysis tools:

  • navigator.webdriver detection: Headless browsers set this flag to true. Phishing pages check for it and refuse to render malicious content if detected.
  • VM detection: JavaScript can detect virtual machine environments (commonly used by malware analysts) through timing attacks and hardware fingerprinting.
  • Debugger traps: Code includes infinite debugger statements that trigger when developer tools are open, making manual analysis frustrating.
  • Canvas fingerprinting: Uses the HTML5 Canvas API to generate a fingerprint of the visitor's graphics hardware, identifying automated environments.

The CrawlPhish study found that proper JavaScript-based analysis requires an average of 29.96 seconds per website, making it extremely difficult to scale across the millions of new URLs that appear daily.
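A way to make the raw-fetch versus rendered-DOM gap measurable, as an added example rather than the post's own tooling: assume the rendered DOM was captured from a real browser session, then compare both documents for credential forms, iframes and visible text that exist only after JavaScript ran. The sample documents are constructed around the loader shown above and the thresholds are illustrative.

```python
"""Flag 'runtime assembly': compare the raw HTML a plain fetch returns with
the DOM a real browser rendered, and report what only exists after JS ran."""
from html.parser import HTMLParser

class PageFeatures(HTMLParser):
    def __init__(self):
        super().__init__()
        self.password_inputs = self.iframes = self.external_scripts = self.text_chars = 0
        self._in_code = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "iframe":
            self.iframes += 1
        elif tag in ("script", "style"):
            self._in_code += 1
            self.external_scripts += int(tag == "script" and bool(a.get("src")))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._in_code:
            self._in_code -= 1

    def handle_data(self, data):
        if not self._in_code:  # only user-visible text counts
            self.text_chars += len(data.strip())

def features(html):
    p = PageFeatures(); p.feed(html); p.close()
    return {k: getattr(p, k) for k in ("password_inputs", "iframes", "external_scripts", "text_chars")}

def runtime_assembly_verdict(raw_html, rendered_html):
    """Heuristics (thresholds are illustrative) for content built in the browser."""
    raw, rendered = features(raw_html), features(rendered_html)
    reasons = []
    if rendered["password_inputs"] > raw["password_inputs"]:
        reasons.append("credential form exists only after JS execution")
    if rendered["iframes"] > raw["iframes"]:
        reasons.append("iframe injected at runtime")
    if raw["external_scripts"] and raw["text_chars"] < 200 \
            and rendered["text_chars"] > 5 * max(raw["text_chars"], 1):
        reasons.append("bare loader shell: visible text produced by script bundle")
    return {"flag": bool(reasons), "reasons": reasons, "raw": raw, "rendered": rendered}

# Constructed sample: the loader shown above, and the DOM after rendering.
RAW_HTML = '<html><body><div id="root"></div><script src="app.bundle.js"></script></body></html>'
RENDERED_HTML = ('<html><body><div id="root"><h1>Sign in to your bank</h1>'
                 '<form><input name="user"><input type="password" name="pw"></form>'
                 '<iframe src="https://frames.example/login" style="display:none"></iframe></div></body></html>')
```

Running `runtime_assembly_verdict(RAW_HTML, RENDERED_HTML)` flags all three indicators, while comparing a document with itself returns no flag; storing both documents alongside the verdict gives the evidence a reviewer needs to see why a clean-looking fetch was escalated.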


AI-Powered Evasion

The latest evolution in scam infrastructure leverages artificial intelligence to automate and improve evasion at every level.

AI-rephrased phishing emails bypass traditional content-based detection. When phishing email templates are rewritten by language models, detection accuracy drops by 6-9 percentage points across major email security providers. The emails read naturally, avoid known phishing phrases, and pass grammar checks that would flag human-written scam copy.

Phishing kits like InboxPrime AI can generate entire campaigns, from email templates to landing pages to redirect infrastructure, with minimal human input. These kits produce unique variants for each campaign, making signature-based detection obsolete.

LLM-generated obfuscated JavaScript creates polymorphic code variants. Each time the phishing kit is deployed, the JavaScript that builds the page is structurally different while functionally identical. Traditional pattern matching fails because there are no stable patterns to match.

Perhaps most concerning, cloaking-as-a-service has commoditized these techniques. Less-skilled attackers can purchase turnkey phishing infrastructure that includes all of the evasion techniques described in this post (geo-targeting, timestamp logic, header fingerprinting, JavaScript rendering, and AI-powered content generation) for a monthly subscription fee.


Why Detection Is Not an Easy Game

The fundamental challenge is asymmetry. Defenders must correctly classify every URL, every page, every redirect chain. Attackers only need their pages to survive long enough to collect a batch of credentials.

Consider the detection landscape:

  • Automated tools are predictable: They send requests from known IP ranges, with recognizable User-Agent strings, during predictable hours. Scammers have built their entire evasion infrastructure around exploiting this predictability.
  • VirusTotal catches almost nothing: Only 3.3% of cloaked phishing sites are flagged by VirusTotal, the most widely-used URL scanning service. The other 96.7% pass as clean.
  • Client-side fingerprinting is extensive: Modern phishing pages use between 52 and 170 distinct browser APIs to fingerprint visitors before deciding whether to display malicious content. This goes far beyond simple User-Agent checks.
  • The cat-and-mouse never stops: Every improvement in detection technology triggers a corresponding innovation in evasion. Machine learning classifiers get defeated by adversarial examples. Headless browser detection gets more sophisticated. New obfuscation techniques emerge monthly.

Traditional security tools were designed for a world where malicious content was static and visible. That world no longer exists. Today's scam infrastructure is dynamic, context-aware, and specifically engineered to appear clean to anyone who isn't a real victim.


How Entropius Tackles This

At Entropius, we built our threat intelligence platform from the ground up to counter every technique described in this post. Our approach doesn't rely on checking URLs from a single vantage point with a single set of headers, because we know that's exactly what scammers expect.

Multi-region scanning. Entropius simulates requests from multiple geolocations worldwide, driven by agentic AI that decides which regions to test based on the target's characteristics. A scam targeting Brazilian users? We scan from Brazilian IP ranges. Geo-cloaking only works when the scanner doesn't know where to look. Our system does.

Realistic HTTP headers. We rotate User-Agent strings, Accept-Language values, Referer headers, and other request parameters to simulate real devices across different platforms and regions. Our requests are indistinguishable from a real user browsing from a real device.

Full browser rendering. Entropius doesn't just fetch HTML. It executes JavaScript in a real browser environment. We see exactly what the victim sees, including dynamically loaded content, delayed payloads, and framework-rendered interfaces. If the scam only appears after 5 seconds of JavaScript execution, we catch it.

Agentic AI workflows. Our autonomous AI agents don't just scan individual URLs. They investigate suspicious infrastructure across the full web, following redirect chains, correlating domains and IPs, discovering related scam pages, and mapping entire attack campaigns. When one node in a scam network is found, the agents trace the rest.

Continuous scanning at scale. Threats are detected as soon as they appear, not hours or days later. Entropius continuously monitors infrastructure and identifies malicious changes in real-time, closing the window that timestamp-based evasion tries to exploit.

Complete evidence chains. Every detection includes the full redirect chain, all request and response headers, and the rendered page content. This provides irrefutable proof of malicious behavior, critical for takedown requests, legal action, and incident response.

The HTTP protocol gives scammers powerful tools for evasion. Entropius turns those same protocol details into detection signals. Every header, every redirect, every millisecond of JavaScript execution becomes evidence.

The scammers are sophisticated. Your detection needs to be more sophisticated.

Learn more about how Entropius protects your organization →