Phishing kit found on over 700 popular domains


RiskIQ has discovered a new phishing kit on more than 700 domains over the last 30 days. Rather than shipping a static copy of one brand's login page, the kit builds its look-alike page in real time, pulling in the target company's logo so that the link a user receives by e-mail appears to come from an official source, which lets a single kit impersonate many different businesses.

Targeted services range from generic login portals to fake SharePoint portals, Adobe Document Cloud, OneDrive, Office 365 and cryptocurrency exchanges.

Dubbed LogoKit, the tool is designed to be fully modularised, enabling easy reuse and adaptation by other bad actors.

In addition, unlike many other phishing kits that take advantage of complex layouts and multiple files, the LogoKit family is an embeddable set of JavaScript functions. It is designed to interact within the Document Object Model, or a site’s presentation layer. In this way, the script has the ability to dynamically alter the visible content and HTML form data within a page without user interaction, says Adam Castleman, a researcher at RiskIQ.

“In the case of LogoKit, a victim is sent a specially crafted URL containing their e-mail address. Once a victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google’s favicon database,” he explains. “The victim's e-mail is also auto-filled into the e-mail or username field, tricking victims into feeling like they have previously logged into the site. Should a victim enter their password, LogoKit performs an AJAX request, sending the target’s e-mail and password to an external source, and, finally, redirecting the user to their corporate web site.”

According to Castleman, RiskIQ has tracked LogoKit being used in simple login forms and embedded into more complex HTML documents pretending to be other services. Due to its simplicity, malefactors can easily compromise sites and embed their script or host their own infrastructure.

In certain instances, threat actors have been seen using legitimate object storage buckets, enabling them to appear less malicious by having users navigate to a known domain name.
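The flow Castleman describes, a link carrying the victim's own address, a page that brands itself with that address's domain, and a bounce back to the corporate site once credentials are submitted, gives a defender concrete things to look for. The following is an added example written for this page, not code from RiskIQ or from the kit itself: it triages a URL for an embedded e-mail address, treats a foreign host (such as a storage bucket) branding itself with the victim's domain as the kit's signature, derives the logo fetches and redirect a proxy log would show, and scores a page's HTML for the in-page behaviours described above. The page does not give the kit's URL formats or the exact third-party endpoints, so the fragment/query/path placements, the Clearbit Logo API and Google favicon service URL shapes, the "own-domain link is benign" heuristic and the three-indicator threshold are all assumptions.

```javascript
// Added example (not RiskIQ's or the kit's code): triage a link for the LogoKit
// delivery pattern, where the victim's e-mail address is embedded in the URL and
// then used to brand the page. Assumptions not on the page: the address may sit
// in the fragment, a query parameter or the last path segment; brand asset URLs
// follow the public Clearbit Logo API and Google favicon service formats.
// Runs under Node.js with no network access.

const EMAIL_RE = /^[^\s@/?#]+@[^\s@/?#]+\.[a-z]{2,}$/i;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Return { where, email } for the first URL component that is a bare e-mail
// address, or null. URLSearchParams already decodes query values.
function findEmbeddedEmail(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  const candidates = [];
  if (url.hash.length > 1) candidates.push({ where: 'fragment', value: safeDecode(url.hash.slice(1)) });
  for (const [k, v] of url.searchParams) candidates.push({ where: `query:${k}`, value: v });
  const segs = url.pathname.split('/').filter(Boolean);
  if (segs.length) candidates.push({ where: 'path', value: safeDecode(segs[segs.length - 1]) });
  for (const c of candidates) {
    if (EMAIL_RE.test(c.value)) return { where: c.where, email: c.value.toLowerCase() };
  }
  return null;
}

// Verdict plus the follow-on indicators (logo fetches, final redirect) that the
// article says the kit derives from the address, so an analyst can pivot from
// the mail link to proxy logs.
function triageUrl(rawUrl) {
  const hit = findEmbeddedEmail(rawUrl);
  if (!hit) return { suspicious: false, reason: 'no e-mail address embedded in link' };
  const linkHost = new URL(rawUrl).hostname.toLowerCase();
  const domain = hit.email.split('@')[1];
  // Heuristic (assumption): a link on the address's own domain is ordinary
  // account mail; the kit's signature is a foreign host (compromised site,
  // storage bucket) branding itself with the victim's domain.
  if (linkHost === domain || linkHost.endsWith('.' + domain)) {
    return { suspicious: false, reason: 'link host belongs to the address domain' };
  }
  return {
    suspicious: true,
    email: hit.email,
    foundIn: hit.where,
    linkHost,
    impersonatedDomain: domain,
    expectedLogoFetches: [
      `https://logo.clearbit.com/${domain}`,
      `https://www.google.com/s2/favicons?domain=${domain}`,
    ],
    expectedRedirect: `https://${domain}/`,
  };
}

// Static indicators of the in-page behaviour Castleman describes: read the
// address from the URL, pull a third-party logo, prefill the username field,
// post credentials with an AJAX call, then redirect. Threshold is an assumption.
const PAGE_INDICATORS = {
  readsAddressFromUrl: /location\.(hash|search)/,
  thirdPartyLogo: /logo\.clearbit\.com|google\.com\/s2\/favicons/,
  prefillsUsername: /(getElementById|querySelector)\([^)]*\)\.value\s*=/,
  ajaxSubmit: /XMLHttpRequest|fetch\s*\(|\$\.(ajax|post)\s*\(/,
  redirectsAfterSubmit: /location\.(href\s*=|replace\(|assign\()/,
};

function scorePage(html) {
  const matched = Object.keys(PAGE_INDICATORS).filter((k) => PAGE_INDICATORS[k].test(html));
  return { matched, flagged: matched.length >= 3 };
}

// Constructed sample: a stripped-down fragment showing only the branding and
// prefill behaviour. It is not a working kit and submits nothing anywhere.
const SAMPLE_PAGE = `<img id="logo"><input id="u"><input id="p" type="password">
<script>var e = location.hash.slice(1);
document.getElementById('u').value = e;
document.getElementById('logo').src = 'https://logo.clearbit.com/' + e.split('@')[1];
</script>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triageUrl('https://cdn.example.test/doc/view#alice@corp.example'));
  console.log(scorePage(SAMPLE_PAGE));
}
```

The useful output of `triageUrl` is not the verdict but the pivot: once a mail link is flagged, the `expectedLogoFetches` and `expectedRedirect` values are the URLs to search for in web proxy logs to find which users actually opened the page and which of them were bounced to the corporate site afterwards, i.e. most likely submitted a password.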


According to Ray Walsh, digital privacy expert at ProPrivacy, LogoKit is causing a great deal of concern. “We already know that consumers are actively being victimised with this novel off-the-shelf phishing kit.”

He says what is unique about this kit is that it is extremely modular and allows hackers to mount large numbers of attacks against numerous targets much more easily than in the past. “This increases the potential for phishing attacks causing greater risks for consumers.”

According to Walsh, LogoKit’s success means we can now expect to see increasing numbers of brands being used by attackers, making it harder to pre-warn consumers about specific scams as and when they appear.

“Consumers should be reminded to think carefully before they enter their credentials into a website form, even if that form looks genuine, if they accessed it via a link in an unsolicited e-mail,” Walsh adds.

He advises users to always navigate directly to the services they want to use and check the URL bar for the HTTPS prefix and padlock to ensure that they are visiting the genuine domain.
