A new report from the security company RiskIQ describes a new phishing kit that uses JavaScript to manipulate the DOM, which allows the script to dynamically alter the visible content and HTML form data within a page without user interaction. This phishing kit, called LogoKit, has seen a significant upswing in usage over the last month.
Phishing has been on the rise lately, following the increased use of data communication in the wake of COVID-19. This new phishing kit seems to have attracted attention because of its flexibility and how quickly it can be deployed compared with building websites manually, as is the common practice.
Quote: In the case of LogoKit, a victim is sent a specially crafted URL containing their email address. Once a victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google's favicon database. The victim email is also auto-filled into the email or username field, tricking victims into feeling like they have previously logged into the site. Should a victim enter their password, LogoKit performs an AJAX request, sending the target's email and password to an external source, and, finally, redirecting the user to their corporate web site.
This is both interesting and scary, as it gives bad actors a very fast and dynamic way to deploy phishing pages, and since the page looks quite real and has your email already filled in, chances are that a lot of people will fall for it. Fortunately, you can often see in the URL that something is not right. With LogoKit you can often see your email in the URL, which looks something like this:
phishingpage[.]site/login.html#victim@company.com
Sadly, this is not a sure way to detect a phishing attack, as there are other ways to forward data, but if you see this then at least you know to look at the page you entered a bit more carefully.
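The URL check described above can be automated for links pulled out of incoming mail. The following is an added example, not code from RiskIQ's report or from this post; the function names and the sample recipient are assumptions, and the only URL taken from the page is the defanged one shown above.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Loose email matcher, good enough for triage (not RFC 5322 complete).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL parses normally."""
    url = url.replace("[.]", ".").replace("hxxp", "http", 1)
    return url if "://" in url else "http://" + url

def email_in_url(url):
    """Return (location, email) if the fragment or a query value carries an
    email address, else None. Percent-encoding is decoded before matching."""
    parts = urlsplit(refang(url))
    candidates = [("fragment", unquote(parts.fragment))]
    candidates += [("query:" + k, v) for k, v in parse_qsl(parts.query)]
    for location, value in candidates:
        match = EMAIL_RE.search(value)
        if match:
            return location, match.group(0).lower()
    return None

def triage(url, recipient):
    """Classify a link taken from a message delivered to `recipient`."""
    hit = email_in_url(url)
    if hit is None:
        return "no-email-in-url"
    location, email = hit
    host = (urlsplit(refang(url)).hostname or "").lower()
    email_domain = email.rsplit("@", 1)[1]
    # A host on the address's own domain prefilling it is less suspicious.
    same_org = host == email_domain or host.endswith("." + email_domain)
    if email == recipient.lower() and not same_org:
        return "suspicious: recipient address in " + location
    return "review: email address in " + location

if __name__ == "__main__":
    # First URL is the page's example; the recipient is a constructed value.
    print(triage("phishingpage[.]site/login.html#victim@company.com",
                 "victim@company.com"))
```

Browsers do not send the fragment (the part after `#`) to the server, so this check has to run on the link as it appears in the message, for example at the mail gateway, rather than on web proxy logs.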
LogoKit has seen a big increase in usage in the last month, with over 700 unique domains running it. Targeted services range from generic login portals to false SharePoint portals, Adobe Document Cloud, OneDrive, Office 365, and, interestingly enough, cryptocurrency exchanges. So be alert (as always) when accessing your external cloud services and portals.
RiskIQ has concluded that this is a threat on the rise due to its simplicity and ease of use.
Quote: The LogoKit presents a unique opportunity for attackers, allowing for easy integration into either existing HTML pretext templates or building simple login forms to mimic corporate login portals. Also, with the flexibility of either leveraging compromised infrastructure, attacker-hosted infrastructure, or object storage, attackers can quickly change their delivery source. With LogoKit's intended functionality to be centered around singular emails per URL and extracting company logos, this dramatically improves ease of carrying out targeted attacks against organizations; and reusing pretexts without changing templates.