RiskIQ Releases a Tool That Can Create Phishing Pages In Real-Time

Sienna Rowley

RiskIQ, a threat intelligence firm, stated that it has identified a new toolkit that modifies the text and logos on phishing pages in real time to match each victim. The phishing kit, named LogoKit, is designed to be fully modular: it is an embeddable set of JavaScript functions, which also makes it easy for others to reuse and adopt. The kit is written to operate within the Document Object Model, allowing the script to dynamically adjust the visible content and HTML form data without requiring any user interaction.

RiskIQ Observed 700+ Unique Domains With LogoKit

RiskIQ stated in a blog post that it has observed more than seven hundred (700) unique domains running LogoKit. Targeted services range from generic login portals to fake SharePoint portals, Office 365, Adobe Document Cloud, OneDrive, and cryptocurrency exchanges. RiskIQ has also seen several sectors targeted by the threat actors, including financial, legal, and entertainment.

Victims are sent crafted URLs that typically carry their email address in the URL's location hash (fragment). Once the victim navigates to the malicious URL, LogoKit fetches the company's logo from third-party services such as Clearbit or Google's favicon database. The victim's email is also auto-filled into the email or username field, leading victims to believe they have previously logged into the site. Should the victim enter a password, LogoKit performs an AJAX request that sends the target's email and password to an external source and finally redirects the user to their corporate website.

For instance: phishingpage[.]site/login.html#[email protected]. The location hash is split into parts using the '@' symbol as the delimiter, which lets the script extract the user's (company's) domain, retrieve the matching logo and, after the credentials are submitted, redirect the victim.

According to the report, the following hosting services have been observed in use by the phishing pages:

  • glitch.me: Application Deployment Platform
  • appspot.com: Google Cloud Platform
  • web.app: Google Firebase
  • firebaseapp.com: Google Firebase
  • storage.googleapis.com: Google Cloud Storage
  • firebasestorage.googleapis.com: Google Firebase Storage
  • s3.amazonaws.com: Amazon S3 Object Storage
  • csb.app: Google CodeSandbox
  • website.yandexcloud.net: Yandex Static Hosting
  • github.io: GitHub Static Page Hosting
  • digitaloceanspaces.com: DigitalOcean Object Storage
  • oraclecloud.com: Oracle Object Storage
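The two traits described above (a victim email in the URL fragment and hosting on one of the listed services) make a simple triage rule for defenders. The following is an added example, not RiskIQ's code or LogoKit itself: it scans a constructed list of URLs, as a mail gateway or URL-rewriting service might extract them from inbound messages, and flags those that match. It assumes the URLs are taken from email bodies, since browsers never send the fragment to the server, so it will not appear in web proxy logs.

```python
import re
from urllib.parse import urlsplit

# Hosting services RiskIQ lists as abused by LogoKit pages (from the article).
ABUSED_HOSTS = (
    "glitch.me", "appspot.com", "web.app", "firebaseapp.com",
    "storage.googleapis.com", "firebasestorage.googleapis.com",
    "s3.amazonaws.com", "csb.app", "website.yandexcloud.net",
    "github.io", "digitaloceanspaces.com", "oraclecloud.com",
)
# Matches an email address occupying the whole fragment; group 1 is its domain.
EMAIL_RE = re.compile(r"^[^@\s/]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

# Constructed sample URLs (hypothetical hosts, used only to exercise the scanner).
SAMPLE_URLS = [
    "https://login-portal.glitch.me/login.html#jane.doe@example.com",
    "https://example.com/docs/index.html#section-2",
    "https://somebucket.s3.amazonaws.com/office.html#bob@partner.org",
]

def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def inspect_url(url, org_domains):
    """Return a finding for one URL, or None if the fragment holds no email."""
    parts = urlsplit(url)
    m = EMAIL_RE.match(parts.fragment)  # urlsplit already strips the '#'
    if not m:
        return None
    reasons = ["email address in URL fragment"]
    if host_matches(m.group(1), org_domains):
        reasons.append("fragment targets our domain")
    if host_matches(parts.hostname or "", ABUSED_HOSTS):
        reasons.append("hosted on service abused by LogoKit")
    return {"url": url, "host": parts.hostname, "victim": m.group(0), "reasons": reasons}

def scan_urls(urls, org_domains):
    """Run inspect_url over a batch and keep only the URLs that produced a finding."""
    return [f for f in (inspect_url(u, org_domains) for u in urls) if f]

if __name__ == "__main__":
    for hit in scan_urls(SAMPLE_URLS, ["example.com"]):
        print(hit["host"], hit["victim"], "; ".join(hit["reasons"]))
```

A URL that scores all three reasons is a strong candidate for blocking at the gateway and for a credential reset on the named account.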
