LogoKit, a new phishing kit that dynamically creates phishing forms

Pierluigi Paganini January 28, 2021

Researchers from RiskIQ have discovered a new phishing kit dubbed LogoKit that dynamically compose phishing content.

Researchers from RiskIQ discovered a new phishing kit that outstands for its ability to dynamically create phishing messages to target specific users.

LogoKit has a modular structure that makes it easy to implement a phishing-as-as-Service model.

This toolkit, unlike other ones, is an embeddable set of JavaScript functions. The kit uses specially crafted URLs containing the email address of the recipient. The crafted URLs contain the email as a location hash as reported in the following example:

phishingpage[.]site/login.html#[email protected]

logokit phishing kit

Upon navigating the URL, the LogoKit kit fetches the company logo from a third-party service (i.e. Clearbit or Google’s favicon database) and auto-fills the landing page with the victim’s username or email address in order to trick victims into feeling like they have previously logged into the site. Once the victim entered its password, LogoKit performs an AJAX request, sending the recipient’s credentials to an external source, and, finally, redirecting it to their corporate web site.

“RiskIQ has tracked LogoKit being used in simple login forms to trick users and embedded into more complex HTML documents pretending to be other services. Due to the simplicity of LogoKit, attackers can easily compromise sites and embed their script or host their own infrastructure.” reads the report published by the experts. “In some cases, attackers have been observed using legitimate object storage buckets, allowing them to appear less malicious by having users navigate to a known domain name, i.e., Google Firebase.”

RiskIQ spotted more than seven hundred unique domains running with LogoKit in the last thirty days. Threat actors targeted multiple services including MS SharePoint, Adobe Document Cloud, OneDrive, Office 365, and Cryptocurrency exchanges.

In some instances, RiskIQ experts noticed LogoKit kits that were preventing victims from using keyboard shortcuts in order to view/inspect webpage content.

LogoKit is very small and can be hosted on compromised sites, experts added that the collection of JavaScript files, its resources can also be hosted on public trusted services like Firebase, GitHub, and Oracle Cloud.

“The LogoKit presents a unique opportunity for attackers, allowing for easy integration into either existing HTML pretext templates or building simple login forms to mimic corporate login portals. Also, with the flexibility of either leveraging compromised infrastructure, attacker-hosted infrastructure, or object storage, attackers can quickly change their delivery source.” concludes the report. “With LogoKit’s intended functionality to be centered around singular emails per URL and extracting company logos, this dramatically improves ease of carrying out targeted attacks against organizations; and reusing pretexts without changing templates.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment