Delayed execution
Summary
Phishing sites often employ time delays or multi-step loading so that automated analysis tools (which only scan a page for a fixed, limited time period) don’t catch the malicious content.
The phishing payload (like a login form or malicious script) is only revealed after a period of time, after user interaction, or at the end of a chain of redirects, by which point an automated scanner may have timed out. This buys the phishing site more time to remain undetected and is an effective way of combating automated analysis.
Examples
- Example 1: Delaying malicious content through multiple redirects - Phishing campaigns on platforms like Blogspot have used chains of HTTP 302 redirects to “delay” the final malicious page. The user might go through several innocuous-looking URLs before landing on the phish. This tricks security crawlers that often only check the first page.
- Example 2: Requiring user interaction before serving malicious content — Some phishing kits hide the credential input form until they detect real user interaction. For example, a kit may not render the password field or submit button until the user moves the mouse or clicks the page. Keeping the login form hidden until a user click event occurs fools headless browsers or sandboxes that don’t mimic user behavior.
- Example 3: Auto-redirecting after a delay — Some phishing campaigns first show an innocuous page or error, then auto-redirect to the phish after a delay. One example shows a phish that landed on a fake “Error 403 – Access Denied” page with a support link; after a short delay or on clicking the link, it moved to the real phishing login.
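Scanner-side triage for the three patterns above, as an added example that is not part of the original page: it flags a crawl whose "clean" verdict should not be trusted because the page may not have finished revealing itself. The record shape (`status`, `html`), the names `triage` and `_Scan`, the thresholds, and the use of a meta refresh as the delay mechanism are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

class _Scan(HTMLParser):
    """Collect meta-refresh delay, password inputs and inline script text."""
    def __init__(self):
        super().__init__()
        self.refresh_delay, self.has_password, self.in_script = None, False, False
        self.script = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.match(r"\s*(\d+(?:\.\d+)?)", a.get("content", ""))
            if m:
                self.refresh_delay = float(m.group(1))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password = True
        self.in_script = tag == "script"

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script.append(data)

def triage(hops, dwell_seconds=5.0, max_hops=3):
    """hops: crawler records [{'status': int, 'html': str}, ...]; last is the landing page."""
    findings = []
    redirects = sum(1 for h in hops if h["status"] in (301, 302, 303, 307, 308))
    if redirects >= max_hops:  # Example 1: content sits behind a redirect chain
        findings.append("long-redirect-chain")
    scan = _Scan()
    scan.feed(hops[-1].get("html", ""))
    if scan.refresh_delay is not None and scan.refresh_delay >= dwell_seconds:
        findings.append("refresh-outlasts-dwell")  # Example 3: redirect fires after the scan ends
    js = " ".join(scan.script)
    if not scan.has_password and re.search(r"addEventListener\(\s*['\"](mousemove|click)", js):
        findings.append("interaction-gated-no-form")  # Example 2: heuristic only
    return findings

# Constructed crawl record (not from a real campaign): three 302 hops, then a decoy page.
SAMPLE = [
    {"status": 302, "html": ""}, {"status": 302, "html": ""}, {"status": 302, "html": ""},
    {"status": 200, "html": '<meta http-equiv="refresh" content="8; url=/next">'
        '<h1>Error 403</h1><script>document.addEventListener("mousemove", show)</script>'},
]
```

Any finding is a reason to re-scan with a longer dwell time and simulated input rather than a verdict on the page itself.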