New tool for cybercriminals creates real-time phishing pages

A cybercrime group has developed a new phishing tool that allows logos and text on a phishing page to be changed in real time to suit targeted victims.

Called “LogoKit”, the tool is already deployed on the web, according to the intelligence company RiskIQ, which is tracking its evolution. RiskIQ says it has identified LogoKit installations on more than 300 domains during the last week, and on more than 700 sites during the last month.

According to RiskIQ, LogoKit relies on sending users phishing links containing their email address. “Once a victim navigates to the URL, LogoKit retrieves the company logo from a third-party service, like Clearbit or Google’s favicon database,” says Adam Castleman, security researcher at RiskIQ, in a report released Wednesday. “The victim’s email is also auto-populated in the email or username field, giving victims the impression that they have already logged into the site,” he adds.

Target any business with very little customization work

“If a victim enters their password, LogoKit makes an AJAX request, sending the target’s email and password to an external source, and finally, redirecting the user to their company website.”



According to Adam Castleman, LogoKit achieves this with a set of JavaScript functions that can be added to any generic login form or complex HTML documents. This differs from standard phishing kits, most of which require pixel-perfect templates that mimic a company’s authentication pages.

The modularity of the kit allows LogoKit operators to target any business with very little customization work, and mount dozens or hundreds of attacks per week, against a wide range of targets.

No need for its own complex server setup

RiskIQ reports that over the past month, it saw LogoKit being used to mimic and create login pages for services ranging from generic login portals to fake SharePoint portals, Adobe Document Cloud, OneDrive, Office 365, and cryptocurrency exchange platforms.

Because LogoKit is lightweight, the phishing kit does not always need its own complex server setup like other phishing kits do. The kit may be hosted on hacked sites or legitimate business pages that LogoKit operators want to target.

Additionally, since LogoKit is made up of JavaScript files, its resources can also be hosted on services like Firebase, GitHub, Oracle Cloud, and others, most of which will be whitelisted in corporate environments. RiskIQ says it is monitoring this new threat closely because of the kit's simplicity, which the security company says improves its chances of successful phishing.
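A mail-gateway style check for the trait RiskIQ describes, links that carry the recipient's own email address, shown here as an added example that is not taken from RiskIQ's report or from the kit. The function names, the sample links, and the assumption that the address may appear percent-encoded or base64-encoded in the path, query or fragment are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Runs of characters that could be standard or URL-safe base64 (assumed encoding).
TOKEN = re.compile(r"[A-Za-z0-9+/_=-]{8,}")


def _b64_texts(token):
    """Yield the token decoded as standard and as URL-safe base64."""
    padded = token + "=" * (-len(token) % 4)
    for decode in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decode(padded).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue


def recipient_in_url(url, recipient):
    """Return sorted (url_part, encoding) pairs where the recipient's address appears."""
    needle = recipient.lower()
    parts = urlsplit(url)
    hits = set()
    for name, raw in (("path", parts.path), ("query", parts.query),
                      ("fragment", parts.fragment)):
        text = unquote(raw)  # also covers %40-style percent-encoding
        if needle in text.lower():
            hits.add((name, "plain"))
        for token in TOKEN.findall(text):
            pieces = {token, *token.split("/")}  # a path token may span segments
            if any(needle in t.lower() for p in pieces for t in _b64_texts(p)):
                hits.add((name, "base64"))
    return sorted(hits)


def flag_links(recipient, urls):
    """Map each URL that embeds the recipient's address to where it was found."""
    return {u: h for u in urls if (h := recipient_in_url(u, recipient))}


# Constructed sample data: one recipient and the links from a message sent to them.
RECIPIENT = "alice@corp.example"
B64 = base64.b64encode(RECIPIENT.encode()).decode()
LINKS = [
    "https://login.portal.example/auth#" + RECIPIENT,
    "https://files.share.example/v?u=alice%40corp.example",
    "https://cdn.host.example/doc/" + B64,
    "https://intranet.corp.example/docs?id=12345678",
]
```

Legitimate mail such as unsubscribe links also embeds the recipient's address, so a hit is a signal to combine with others (sender reputation, an unfamiliar hosting domain) rather than a verdict on its own.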
