
LogoKit phishing kit allows creating phishing pages in real time

RiskIQ researchers said that the new LogoKit phishing kit was detected on more than 700 unique domains in the last month alone and on 300 in the last week.

Worse, this tool allows hackers to modify logos and text on phishing pages in real time, tailoring sites for specific purposes.

LogoKit relies on sending users phishing links that contain their email addresses. As soon as the victim opens such a URL, LogoKit pulls the company logo from a third-party service, for example Clearbit or the Google favicon database.

“The victim’s email address is also automatically substituted in the email or username field so that users think they’ve visited the site before. If the victim enters their password, LogoKit makes an AJAX request, sends their email address and password to an external source, and then finally redirects the user to a [legitimate] corporate site,” experts write.

The malware accomplishes all of this through an embedded set of JavaScript functions that can be integrated into any standard login form or complex HTML documents. This is the main difference between LogoKit and other phishing kits, as most of them require pixel-accurate templates that mimic company-specific authentication pages.
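The behaviour described above leaves a recognisable pair of events in web telemetry: a page on an unrelated host is opened with an email address in its URL, and that page then requests the logo of the email's own domain. The following detection sketch is an added example, not code from RiskIQ or from the kit; the logo endpoints (`logo.clearbit.com`, `www.google.com/s2/favicons`), the event format and all sample records are assumptions constructed for illustration, and it presumes telemetry that records full URLs and referrers.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# An email address anywhere in a URL; group 1 is the address's domain.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def logo_domain(url):
    """Return the domain whose logo is being requested, else None."""
    u = urlsplit(url)
    if u.hostname == "logo.clearbit.com":          # assumed Clearbit logo endpoint
        return u.path.strip("/").lower() or None
    if u.hostname == "www.google.com" and u.path == "/s2/favicons":  # assumed
        return parse_qs(u.query).get("domain", [""])[0].lower() or None
    return None

def same_site(host, domain):
    return host == domain or host.endswith("." + domain)

def find_logokit_candidates(events):
    """events: (client, url, referrer) tuples in time order.
    Returns sorted (client, page_host, brand_domain) for pages that carried an
    email address in the link AND fetched that email domain's logo."""
    seen, hits = {}, set()   # seen: (client, page_host) -> email domain in link
    for client, url, referrer in events:
        host = urlsplit(url).hostname
        brand = logo_domain(url)
        m = EMAIL_RE.search(unquote(url))
        if brand is None and m and host and not same_site(host, m.group(1).lower()):
            seen[(client, host)] = m.group(1).lower()
        elif brand and referrer:
            page = urlsplit(referrer).hostname
            if seen.get((client, page)) == brand:
                hits.add((client, page, brand))
    return sorted(hits)

# Constructed sample telemetry (not real traffic).
SAMPLE = [
    ("10.0.0.5", "https://files.hosting.example/doc/index.html#alice@contoso.example", ""),
    ("10.0.0.5", "https://logo.clearbit.com/contoso.example",
     "https://files.hosting.example/doc/index.html"),
    # A company's own login page with a prefilled address is not flagged.
    ("10.0.0.7", "https://login.contoso.example/?user=bob%40contoso.example", ""),
    ("10.0.0.7", "https://logo.clearbit.com/contoso.example", "https://login.contoso.example/"),
    # A logo lookup with no email-bearing link before it is not flagged.
    ("10.0.0.9", "https://www.google.com/s2/favicons?domain=fabrikam.example",
     "https://news.site.example/article"),
]

if __name__ == "__main__":
    for hit in find_logokit_candidates(SAMPLE):
        print("candidate:", hit)
```

Because the article notes that the kit can be hosted on widely allowlisted platforms, the check keys on the mismatch between the page host and the email domain rather than on the reputation of the hosting domain.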


Analysts point out that modularity allows LogoKit operators to organize attacks on any company, spending a minimum of time and effort. For example, over the past month, LogoKit has been used to create fake login pages that mimic a wide variety of services, from regular login portals to fake SharePoint login pages, Adobe Document Cloud, OneDrive, Office 365, and several cryptocurrency exchanges.

“Since LogoKit is very small and compact, it practically does not require complex server configuration, and the kit can be placed on hacked sites or real company pages targeted by malware operators,” said RiskIQ researchers.

Even worse, because LogoKit is just a collection of JavaScript files, its resources can even be hosted on Firebase, GitHub, Oracle Cloud, and so on. Most of them are whitelisted in corporate environments and may appear harmless to both security solutions and users.

Let me remind you that cybercriminals have started using Google services more often in phishing campaigns.

Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
