Threat intelligence firm RiskIQ says it has identified a new phishing toolkit that modifies the text and logos on phishing pages in real time to match the victim. The kit, named LogoKit, is designed to be fully modular: it is an embeddable set of JavaScript functions, which also makes it easy for others to reuse and adopt. It is written to interact with the Document Object Model, which lets the script dynamically change the visible content and HTML form data without any user interaction.
RiskIQ Observed 700+ Unique Domains With LogoKit
RiskIQ stated in a blog post that it has observed more than 700 unique domains running LogoKit. Targeted services range from generic login portals to fake SharePoint portals, Office 365, Adobe Document Cloud, OneDrive, and cryptocurrency exchanges. RiskIQ has also seen a variety of sectors targeted by the threat actors, including financial, legal, and entertainment.
Victims are sent crafted URLs that usually carry their email address in the URL's location hash (the fragment after '#'). When the victim opens the malicious URL, LogoKit fetches the company's logo from third-party services such as Clearbit or Google's favicon database. The victim's email is also auto-filled into the email or username field, giving the impression that they have logged into the site before. If the victim enters a password, LogoKit performs an AJAX request that sends the victim's email and password to an external resource and then redirects the user to their corporate website.
For example: phishingpage[.]site/login.html#[email protected]. The location hash is split into parts on the '@' delimiter, which lets the script extract the user's company domain, retrieve that company's logo, and finally redirect the victim.
According to the report, the following services have been observed hosting the phishing pages:
- glitch.me: Application Deployment Platform
- appspot.com: Google Cloud Platform
- web.app: Google Firebase
- firebaseapp.com: Google Firebase
- storage.googleapis.com: Google Cloud Storage
- firebasestorage.googleapis.com: Google Firebase Storage
- s3.amazonaws.com: Amazon S3 Object Storage
- csb.app: Google CodeSandbox
- website.yandexcloud.net: Yandex Static Hosting
- github.io: GitHub Static Page Hosting
- digitaloceanspaces.com: DigitalOcean Object Storage
- oraclecloud.com: Oracle Object Storage
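The lure described above leaves a recognisable trace: a URL whose fragment is an email address, often on one of the hosting services listed. The following Python script is an added example (not RiskIQ's code or the kit itself) that a mail gateway or SOC could run over URLs extracted from inbound messages to flag that pattern; the sample URLs are constructed, not real indicators.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Hosting services RiskIQ reported seeing LogoKit pages on (from the list above).
LOGOKIT_HOSTS = (
    "glitch.me", "appspot.com", "web.app", "firebaseapp.com",
    "storage.googleapis.com", "firebasestorage.googleapis.com",
    "s3.amazonaws.com", "csb.app", "website.yandexcloud.net",
    "github.io", "digitaloceanspaces.com", "oraclecloud.com",
)

# Matches a whole fragment that is a single email address; group 1 is the domain.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def on_abused_host(host: str) -> bool:
    """True if host is, or is a subdomain of, one of the reported hosting services."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LOGOKIT_HOSTS)


def inspect_url(url: str) -> Optional[dict]:
    """Return a finding for a LogoKit-style URL, else None.

    The kit reads the victim's address from the URL fragment and splits it on
    '@' to learn the company domain, so a fragment that is an email address is
    the signal; whether the page sits on a listed hosting service is recorded
    separately to help triage.
    """
    parts = urlsplit(url.strip())
    m = EMAIL_RE.match(parts.fragment)
    if not m:
        return None
    return {
        "url": url,
        "host": parts.hostname or "",
        "victim_domain": m.group(1).lower(),  # the domain the kit would fetch a logo for
        "free_hosting": on_abused_host(parts.hostname or ""),
    }


def scan(urls):
    """Run inspect_url over URLs harvested from mail bodies, keeping only hits."""
    return [f for f in map(inspect_url, urls) if f]


# Constructed sample URLs (not real indicators) to exercise the checks.
SAMPLE_URLS = [
    "https://login-portal-1234.web.app/login.html#alice@example.com",
    "https://docs.example.com/report.html#section-2",
    "https://s3.amazonaws.com/bkt-xyz/index.html#bob.smith@example.org",
    "https://example.net/#notanemail",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_URLS):
        print(finding)
```

Because the fragment is never sent to the web server, this check belongs where the full URL is visible, such as in message bodies at the mail gateway or in browser telemetry.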