Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

[Article] Logokit Phishing Kit allow near instant websites using JavaScript

Jimi Wikman

Recommended Posts

  • Owner

A new report from the security company RiskIQ inform of a new phishing kit that use JavaScript to manipulate the DOM, which allows for the script to dynamically alter the visible content and HTML form data within a page without user interaction.  This Phishing kit,  called LogoKit has seen a significant upswing in usage over the last month.

Phishing has been on the rise lately, following the increased usage of data communication in the wake of COVID-19. This new phishing kit seem to have attracted attention lately due to its flexibility and very fast application compared to building websites manually  as is the common practice.


In the case of LogoKit, a victim is sent a specially crafted URL containing their email address. Once a victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google’s favicon database. The victim email is also auto-filled into the email or username field, tricking victims into feeling like they have previously logged into the site. Should a victim enter their password, LogoKit performs an AJAX request, sending the target’s email and password to an external source, and, finally, redirecting the user to their corporate web site.

This is both interesting and scary as it allows for very fast and dynamic application for bad elements and since it looks quite real and have your email already filled in, chances are that a lot of people will fall for this. Fortunately you often can see in the URL that something is not right. In LogoKit you can often see your email in the url, which look something like this:


Sadly this is not a sure way to detect  phishing attack as there are other ways to forward data, but if you see this then at least you know to look at the page you entered a bit more carefully.

LogoKit has seen a big increase in usage in the last month with over 700 unique domains running it. Targeted services range from generic login portals to false SharePoint portals, Adobe Document Cloud, OneDrive, Office 365, and interestingly enough Cryptocurrency exchanges. So be alert (as always) when accessing your external cloud services and portals.


RiskIQ have concluded that this is a threat on the rise due to it's simplicity and ease of use.


The LogoKit presents a unique opportunity for attackers, allowing for easy integration into either existing HTML pretext templates or building simple login forms to mimic corporate login portals. Also, with the flexibility of either leveraging compromised infrastructure, attacker-hosted infrastructure, or object storage, attackers can quickly change their delivery source. With LogoKit’s intended functionality to be centered around singular emails per URL and extracting company logos, this dramatically improves ease of carrying out targeted attacks against organizations; and reusing pretexts without changing templates.


View full article

Link to comment
Share on other sites

  • Replies 0
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Please sign in to comment

You will be able to leave a comment after signing in

Sign In Now

  • Create New...