
LogoKit, a new phishing kit that dynamically creates phishing forms

January 28, 2021 - SecurityAffairs

Researchers from RiskIQ have discovered a new phishing kit dubbed LogoKit that dynamically composes phishing content.

Researchers from RiskIQ discovered a new phishing kit that stands out for its ability to dynamically create phishing messages to target specific users.

LogoKit has a modular structure that makes it easy to implement a phishing-as-a-Service model.

This toolkit, unlike other ones, is an embeddable set of JavaScript functions. The kit uses specially crafted URLs that carry the recipient's email address as the location hash, as shown in the following example:

phishingpage[.]site/login.html#victim@company.com


Upon navigating to the URL, LogoKit fetches the company logo from a third-party service (i.e. Clearbit or Google’s favicon database) and auto-fills the landing page with the victim’s username or email address in order to trick victims into feeling like they have previously logged into the site. Once the victim enters their password, LogoKit performs an AJAX request, sending the recipient’s credentials to an external source, and finally redirects the victim to their corporate web site.
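For defenders, the per-recipient location hash is a usable triage signal. The following is an added example, not code from RiskIQ's report or from this article: it checks a URL for an email address in the fragment and compares it with the mailbox the message was delivered to. The function names and the scoring rule are assumptions made for illustration.

```javascript
// Added example: triage URLs for the "email in location hash" pattern.
const EMAIL_RE = /^[^\s@#/]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$/i;

// Undo common defanging so URLs copied from reports still parse.
function refang(s) {
  return s.replace(/\[\.\]/g, '.').replace(/^hxxp/i, 'http');
}

// Return the email carried in the URL fragment, or null if there is none.
function emailInFragment(rawUrl) {
  let s = refang(rawUrl.trim());
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(s)) s = 'http://' + s; // scheme-less entries
  let url;
  try { url = new URL(s); } catch { return null; }
  if (url.hash.length < 2) return null;
  let frag;
  try { frag = decodeURIComponent(url.hash.slice(1)); } catch { return null; }
  const m = EMAIL_RE.exec(frag);
  if (!m) return null;
  return {
    host: url.hostname.toLowerCase(),
    email: frag.toLowerCase(),
    emailDomain: m[1].toLowerCase(),
  };
}

// Score one URL against the mailbox it was delivered to (hypothetical rule:
// three independent signals raise an alert, fewer ask for analyst review).
function triage(rawUrl, recipient) {
  const hit = emailInFragment(rawUrl);
  if (!hit) return { verdict: 'ignore', reasons: [] };
  const reasons = ['email address in URL fragment'];
  if (recipient && hit.email === recipient.toLowerCase()) {
    reasons.push('fragment equals message recipient');
  }
  // A login page naming a user of domain X but served from an unrelated host.
  const sameOrg = hit.host === hit.emailDomain ||
                  hit.host.endsWith('.' + hit.emailDomain);
  if (!sameOrg) reasons.push('host unrelated to email domain');
  return { verdict: reasons.length >= 3 ? 'alert' : 'review', reasons, ...hit };
}

// The article's own example URL, delivered to the address it names.
console.log(triage('phishingpage[.]site/login.html#victim@company.com',
                   'victim@company.com'));
```

Browsers do not send the fragment to the web server, so it will not appear in request logs; run this over URLs extracted from message bodies or from endpoint browser history.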

“RiskIQ has tracked LogoKit being used in simple login forms to trick users and embedded into more complex HTML documents pretending to be other services. Due to the simplicity of LogoKit, attackers can easily compromise sites and embed their script or host their own infrastructure.” reads the report published by the experts. “In some cases, attackers have been observed using legitimate object storage buckets, allowing them to appear less malicious by having users navigate to a known domain name, i.e., Google Firebase.”

RiskIQ spotted more than seven hundred unique domains running LogoKit in the last thirty days. Threat actors targeted multiple services including MS SharePoint, Adobe Document Cloud, OneDrive, Office 365, and cryptocurrency exchanges.

In some instances, RiskIQ experts noticed LogoKit kits that were preventing victims from using keyboard shortcuts in order to view/inspect webpage content.

LogoKit is very small and can be hosted on compromised sites. Experts added that, because the kit is a collection of JavaScript files, its resources can also be hosted on public trusted services like Firebase, GitHub, and Oracle Cloud.

“The LogoKit presents a unique opportunity for attackers, allowing for easy integration into either existing HTML pretext templates or building simple login forms to mimic corporate login portals. Also, with the flexibility of either leveraging compromised infrastructure, attacker-hosted infrastructure, or object storage, attackers can quickly change their delivery source.” concludes the report. “With LogoKit’s intended functionality to be centered around singular emails per URL and extracting company logos, this dramatically improves ease of carrying out targeted attacks against organizations; and reusing pretexts without changing templates.”


Pierluigi Paganini

(SecurityAffairs – hacking, Phishing)



Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog “Security Affairs”, recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
