Australia's Leading Computer Emergency Response Team

Click-through Cloaking
Date: 08 November 2007
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8341

The term "Click-through Cloaking" may be new, but the technique behind it is not, and it is an interesting one. Recently we have come across more incidents of it than usual, so I thought it was worth a mention.

The idea behind Click-through Cloaking is for a web site to serve a page tailored to how the visitor arrived at the site (and possibly to other data about the visitor). In practice the server inspects the HTTP Referer header, and often the User-Agent header as well, before deciding what to return. For example, a site may display a legitimate page when its URL is typed directly into a browser, but a completely different page when the same URL is reached by clicking on a Google search result.

There are many reasons you might want to do this, some legitimate, some not. One blog post, for example, describes how an attacker had a site removed from Google by serving spam to GoogleBot (which drops the site's ranking or gets it removed from the index entirely) while the normal site was shown to everyone else.

Another scenario is a web defacer who serves malicious content only when the visitor came from a search engine (Google, Yahoo, etc.), and the correct site to every other visitor. When a user then reports the site for investigation, the investigators (AusCERT, for example) go directly to the URL and get the normal site back. The same trick helps the attacker avoid detection by the site's owner: most web site owners do not reach their own site through a search engine. They either type the URL directly or have it set as their home page, and in neither case does the browser send a search-engine referrer.

This is closely related to many of the malicious web sites we see at AusCERT. They often serve a page designed to exploit only the browser you visit with, keyed on the User-Agent header: visit with Opera and you get an Opera exploit; visit with Firefox and a Firefox exploit is served. Some sites take this a step further and serve malicious content only to a browser they recognise as vulnerable, so if you visit with Lynx you may simply see a 404 error.
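The three behaviours above (spam for the crawler, an attack page for search-engine referrals, an exploit chosen per browser or a 404 for anything else) all come down to one server-side decision on the Referer and User-Agent headers, and the practitioner's check is the mirror image: request the same URL under several visitor profiles and see whether the answers differ. The following Python is an added illustration of both halves, not AusCERT's code or any real site's. The page bodies, the search-engine domain list, the profile names and the example site are constructed; the User-Agent strings are representative of 2007-era clients. The "server" is a WSGI app called in-process so the whole thing runs offline.

```python
"""Click-through cloaking end to end: a tiny WSGI server that keys its
response on Referer and User-Agent, and a probe that detects the cloaking
by fetching the same URL under several visitor profiles and comparing.

Added illustration, not AusCERT's code.  All page content, domains and
profiles below are constructed for the example.
"""
from urllib.parse import urlparse
from wsgiref.util import setup_testing_defaults

# A Referer whose host is one of these domains counts as "arrived via search".
SEARCH_ENGINE_DOMAINS = ("google.com", "google.com.au", "yahoo.com", "live.com")

# Page variants the cloaked server can return (constructed content).
PAGES = {
    "legit":           b"<h1>ExampleCo</h1><p>Our products and services.</p>",
    "bot_spam":        b"<h1>cheap pills</h1><p>cheap pills cheap pills</p>",
    "exploit_firefox": b"<script>/* Firefox-specific payload would go here */</script>",
    "exploit_opera":   b"<script>/* Opera-specific payload would go here */</script>",
    "not_found":       b"<h1>404 Not Found</h1>",
}

# Representative User-Agent strings and a constructed search-result URL.
FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8"
OPERA_UA = "Opera/9.24 (Windows NT 5.1; U; en)"
LYNX_UA = "Lynx/2.8.6rel.5 libwww-FM/2.14"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
GOOGLE_RESULT = "http://www.google.com.au/search?q=exampleco"


def referer_is_search_engine(referer):
    """True if the Referer URL's host is, or is a subdomain of, a search-engine domain."""
    if not referer:
        return False
    host = (urlparse(referer).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SEARCH_ENGINE_DOMAINS)


def browser_family(user_agent):
    """Crude User-Agent classification.  Googlebot and Opera are tested first
    because their strings also carry the 'Mozilla' token used by other browsers."""
    ua = user_agent.lower()
    for token in ("googlebot", "opera", "firefox", "msie", "lynx"):
        if token in ua:
            return token
    return "other"


def choose_variant(referer, user_agent):
    """The cloaking decision.  Crawlers get index-poisoning spam; visitors who
    arrive from a search result get an exploit matched to their browser, or a
    404 if none fits; everyone else (direct visits, bookmarks, the site owner,
    an investigator) sees the legitimate page."""
    family = browser_family(user_agent)
    if family == "googlebot":
        return "bot_spam"
    if not referer_is_search_engine(referer):
        return "legit"
    if family in ("firefox", "opera"):
        return "exploit_" + family
    return "not_found"


def cloaked_app(environ, start_response):
    """WSGI application implementing the cloaking above."""
    variant = choose_variant(environ.get("HTTP_REFERER"), environ.get("HTTP_USER_AGENT", ""))
    status = "404 Not Found" if variant == "not_found" else "200 OK"
    start_response(status, [("Content-Type", "text/html")])
    return [PAGES[variant]]


def honest_app(environ, start_response):
    """Control: a server that answers every visitor the same way."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [PAGES["legit"]]


# --- detection side -------------------------------------------------------
# profile name -> (Referer or None, User-Agent).  The first entry is the
# baseline: a direct visit, which is how a site owner or investigator arrives.
PROFILES = {
    "direct/firefox":   (None, FIREFOX_UA),
    "google/firefox":   (GOOGLE_RESULT, FIREFOX_UA),
    "google/opera":     (GOOGLE_RESULT, OPERA_UA),
    "google/lynx":      (GOOGLE_RESULT, LYNX_UA),
    "direct/googlebot": (None, GOOGLEBOT_UA),
}


def fetch(app, referer, user_agent, path="/"):
    """Call a WSGI app in-process and return (status, body).  A network probe
    would send real HTTP requests carrying the same two headers."""
    environ = {"PATH_INFO": path, "HTTP_USER_AGENT": user_agent}
    if referer:
        environ["HTTP_REFERER"] = referer
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def probe(app, profiles=PROFILES):
    """Fetch under every profile.  Returns {profile: differs}, where 'differs'
    means status or body is not what the baseline (first) profile received."""
    baseline = fetch(app, *next(iter(profiles.values())))
    return {name: fetch(app, ref, ua) != baseline for name, (ref, ua) in profiles.items()}


def is_cloaked(app):
    """Any profile that sees something different from a direct visit is evidence of cloaking."""
    return any(probe(app).values())


if __name__ == "__main__":
    for name, differs in probe(cloaked_app).items():
        print(f"{name:18s} {'DIFFERS' if differs else 'same'}")
```

Two caveats when turning the probe into a real tool. Responses legitimately vary between requests (dates, rotating advertisements, session tokens), so compare a normalised body or a structural summary rather than raw bytes, and repeat the baseline fetch to learn what "normal" variation looks like. And a header-only probe can only reproduce what a header-only cloak keys on: a site that also checks the client IP address (for instance, only treating a visitor as GoogleBot if it comes from Google's address space) or a one-time token in the search-result URL will show an investigator the clean page no matter which User-Agent or Referer is sent.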

Another blog post covers the same topic, and Microsoft Research has published a technical report (PDF) titled Detecting Stealth Web Pages That Use Click-Through Cloaking.

Richard