Phishers usually want to protect their pages from being detected by search engines and security companies. To achieve that, they add .htaccess files that deny access to their phishing directories from known IP addresses and networks. Depending on the scenario, for example when they target a specific type of service such as online banking, attackers may allow only visitors from a specific country to see the phishing page.
Though attackers' skill sets vary, some simply customize third-party scripts they find online, and it is not uncommon for them to do it poorly. For example, one phishing campaign uses a bot-blocking .htaccess file that can easily be found on the Internet. It does protect sites from unwanted bots, but it has very little to do with search engines, security companies, or geographic regions (although it blocks some of them); it just saves bandwidth.
```
deny from 188.8.131.52 # rpa.metlife.com bored employees
deny from 184.108.40.206 # DSL bandwidth waster
deny from 193.253.199. # france SE art-online.com bandwidth waster
deny from 80.179.254. # clown from Israel using downloader
deny from 64.37.103. # spambots and other non customers
deny from 220.127.116.11 # spambot from servershost.net
```
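When a file like this turns up on a compromised site, it helps to know exactly which visitors it hides the directory from, for instance whether your own scanner's address is on the list. The following is an added example, not code from the original article or from any phishing kit: it parses `deny from` entries, including partial addresses such as `193.253.199.`, into networks and checks an address against them. The sample file contents and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the style of the list quoted above (documentation-range IPs).
SAMPLE_HTACCESS = """\
order allow,deny
allow from all
deny from 192.0.2.15 # constructed: single host
deny from 198.51.100. # constructed: partial address, i.e. the whole /24
deny from 203.0.113.0/25
deny from crawler.example.net
"""

DENY_RE = re.compile(r"^\s*deny\s+from\s+(.+)$", re.IGNORECASE)
PARTIAL_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){0,2}\.?")  # 1-3 octets, e.g. '193.253.199.'

def to_network(token):
    """Return an ip_network for an address token, or None for hostnames and keywords."""
    if PARTIAL_RE.fullmatch(token):
        octets = token.rstrip(".").split(".")
        token = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None

def parse_deny_rules(text):
    """Split every 'deny from' argument into (networks, non_ip_tokens)."""
    networks, non_ip = [], []
    for line in text.splitlines():
        match = DENY_RE.match(line)
        if not match:
            continue
        spec = match.group(1).split("#", 1)[0]  # drop the '# note' the list attaches to entries
        for token in spec.split():
            net = to_network(token)
            if net is not None:
                networks.append(net)
            else:
                non_ip.append(token)
    return networks, non_ip

def blocked_by(ip, networks):
    """Return the deny networks that cover a given visitor or scanner address."""
    addr = ipaddress.ip_address(ip)
    return [n for n in networks if n.version == addr.version and addr in n]

def addresses_covered(networks):
    """Count distinct IPv4 addresses denied, collapsing overlapping entries first."""
    v4 = [n for n in networks if n.version == 4]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))
```

Entries that are not IP addresses (hostnames, keywords) are returned separately so they can be reviewed by hand.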
Along with the .htaccess file, there may be other files within the phishing structure, such as:
- Image directories (img/images) – These directories may contain logos, header/footer images, and other files related to the phishing page (PayPal, banks, etc.).