From our observation, there are 136 out of 5630 phishing kits are using cloaking techniques.
Sever-side cloaking
Server-side cloaking is when the phishing kits show different versions of web pages given different IP addresses, User Agents, Geolocations etc.
The common trick is to have a .htaccess file or PHP code to profile the visitors.
Cloaked content Phishing content
Here is an example of PHP code that blocks certain user agents of the visitor.
If the user-agent contains keywords such as "crawler", "google", "Facebook" etc. it is likely to be a security crawler, the phishing kit will show default content (error page or redirect to benign page) to bypass detection.
Here is an example of PHP code that blocks certain IP addresses.
The phishing kit can keep a blacklist of IP addresses that are known to belong to security companies' servers.
Client-side cloaking
Client-side cloaking is to show different content based on users' interaction behaviors on the runtime.
For example, phishers can create a popup window or a recaptcha challenge that blocks the automatic engines.