LogoKit Can Manipulate Phishing Pages in Real Time

 

A recently uncovered phishing kit, named LogoKit, eliminates headaches for cybercriminals via automatically pulling victims' organization logos onto the phishing login page. This gives assailants the tools expected to effectively emulate organization login pages, a task that can now and again be intricate. Cybercriminals have depended on LogoKit to dispatch phishing assaults on in excess of 700 unique domains in the course of 30 days (including 300 in the past week). These focused on services range from generic login portals to bogus SharePoint, Adobe Document Cloud, OneDrive, Office 365, and cryptocurrency exchange login portals. 

“With LogoKit’s intended functionality to be centered around singular emails per URL and extracting company logos, this dramatically improves ease of carrying out targeted attacks against organizations; and reusing pretexts without changing templates,” said Adam Castleman, security researcher with RiskIQ on Wednesday. 

Phishing kits, which can be bought by cybercriminals for anything in the range of $20 and $880, require minimal technical knowledge to work past modest programming skills. These kits are used to steal various information from victims – including usernames, passwords, credit card numbers, social security numbers, and more.

In some cases, for instance, attackers have been noticed facilitating their phishing pages on Google Firebase as a feature of the LogoKit assault. While LogoKit has been discovered utilizing these authentic facilitating services, researchers have likewise noticed compromised sites – many running WordPress — to have LogoKit variations. Cybercriminals send victims a specially created URL containing their email address. An illustration of a crafted URL that contains the email would be: "phishingpage[.]site/login.html#victim@company.com." 

On the off chance that the victim clicks on the URL, LogoKit at that point brings the organization logo from a third-party service, for example, marketing data engine Clearbit or Google's database for favicons (the graphic icons associated with particular webpages). 

Besides, since LogoKit is a collection of JavaScript files, its assets can likewise be facilitated on public trusted services like Firebase, GitHub, Oracle Cloud, and others, the greater part of which will be whitelisted inside corporate environments and trigger little alerts when loaded inside an employee's browser. RiskIQ said it is following this new threat intently because of the kit's simplicity, which the security firm accepts improves its odds of an effective phish.