Home News LogoKit Phishing Kit Found Running on 700 Unique Domains

LogoKit Phishing Kit Found Running on 700 Unique Domains

The new phishing kit “LogoKit” allows cybercriminals to easily deploy the malware on a victim’s device.

Phishing, phishing attacks

Threat actors are investing more in phishing kits to simplify and expand their phishing activities. Cybercriminals are developing new phishing strategies and exploring different attack avenues by leveraging innovative phishing kits, which are widely available on the dark web market. Their growing demand on the underground market resembles how attackers are reliant on these tools.

Security firm RiskIQ recently uncovered a new kind of phishing kit dubbed “LogoKit.” The new kit is designed to deploy malware easily and allows other attackers to reuse and adapt.

“Unlike many other phishing kits that take advantage of complex layouts and multiple files, the LogoKit family is an embeddable set of JavaScript functions. These kits are designed to interact within the Document Object Model (DOM)–the site’s presentation layer. Interacting with the DOM allows for the script to dynamically alter the visible content and HTML form data within a page without user interaction,” RiskIQ said.

How LogoKit Spreads?

  • Initially, the attacker sends an email ID, hidden with a specially crafted malicious URL.
  • Once a victim clicks on the URL, it redirects the user to a fake corporate web site.
  • The victim’s email is auto-filled into the email or username field to trick the users into thinking they have previously logged into the site.
  • If the victims enter their password, LogoKit sends the target’s email and password to an external source operated by threat actors.
  • LogoKit allows attackers to easily compromise websites and embed the malware or malicious script in them.

RiskIQ claimed that LogoKit uses simple login forms to dupe users that are embedded into more complex HTML documents pretending to be other services, by fetching their logos from a third-party service like Clearbit or Google’s favicon database. RiskIQ found more than 700 unique domains running with LogoKit, targeting various services like SharePoint, Adobe Document Cloud, OneDrive, Office 365, and Cryptocurrency exchanges.

According to RiskIQ, the following legitimate services have been used by LogoKit actors:

  • me: Application Deployment Platform
  • com: Google Cloud Platform
  • app: Google Firebase
  • com: Google Firebase
  • googleapis.com: Google Cloud Storage
  • googleapis.com: Google Firebase Storage
  • amazonaws.com: Amazon S3 Object Storage
  • app: Google CodeSandbox
  • yandexcloud.net: Yandex Static Hosting
  • io: GitHub Static Page Hosting
  • com: DigitalOcean Object Storage
  • com: Oracle Object Storage

“LogoKit continues the trend of attacking with simplicity and small footprints. In executing only a few lines of customizable JavaScript and loading resources from trusted sources, such as Google Firebase, LogoKit increases its chances of success,” RiskIQ added.

Related Story: Five Phishing Baits You Need to Know