A Tool Developed By A Cybercrime Group Creates Phishing Pages in Real-Time

A novel phishing toolkit has been developed by a cybercrime group that has the capabilities to change the logos and text of a phishing page in real-time to adjust with the environments of the targeted casualties. This phishing toolkit, named LogoKit, has already been conveyed in the wild as indicated by threat intelligence firm RiskIQ who has been following its development for a long time.

The organization on its community forum, said it recently found that LogoKit has already been installed on almost 300 domains, over the previous week, and around 700 websites over the previous month. The cybersecurity organization said that LogoKit depends on sending phishing links to clients that contain email addresses of the clients itself.

Adam Castleman, a cybersecurity researcher at RiskIQ, in an article published on Wednesday, said “In the case of LogoKit, a victim is sent a specially crafted URL containing their email address. Once a victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google’s favicon database.”

“The victim email is also auto-filled into the email or username field, tricking victims into feeling like they have previously logged into the site. Should a victim enter their password, LogoKit performs an AJAX request, sending the target’s email and password to an external source, and, finally, redirecting the user to their corporate web site.”

LogoKit accomplishes this just with an embeddable arrangement of functions of JavaScript which can be added to any nonexclusive login structure or complex HTML documents. This is not quite the same as standard phishing kits, the vast majority of which need pixel-perfect formats mirroring an organization’s verification pages.

The kit’s measured quality permits LogoKit administrators to focus on any organization they need with almost no customization work and mount many assaults in a week against a wide-running arrangement of targets. RiskIQ said that in the previous month, it has seen LogoKit being utilized to mirror and make login pages for administrations going from nonexclusive login pages to bogus SharePoint entryways, Adobe Document Cloud, OneDrive, Office 365, and a few cryptocurrency money trades.

Since LogoKit is so little, the phishing unit doesn’t generally require its own heavy and complex server arrangements, as some other phishing kits need. The kit can be facilitated on hacked websites or genuine pages of the organization which LogoKit administrators want to target.

Besides, since LogoKit is an assortment of JavaScript files, its assets can likewise be facilitated on open, the public trusted administrations like Firebase, GitHub, Oracle Cloud, and others, a large portion of which will be whitelisted inside professional workspaces and trigger very little alarms when stacked inside a representative’s browser. RiskIQ explained that it is following this new threat intently because of the kit’s straightforwardness, which the security firm assumes, serves to improve its odds of fruitful phishing.

RiskIQ concluded by saying, “the LogoKit presents a unique opportunity for attackers, allowing for easy integration into either existing HTML pretext templates or building simple login forms to mimic corporate login portals. Also, with the flexibility of either leveraging compromised infrastructure, attacker-hosted infrastructure, or object storage, attackers can quickly change their delivery source.”

“With LogoKit’s intended functionality to be centered around singular emails per URL and extracting company logos, this dramatically improves ease of carrying out targeted attacks against organizations; and reusing pretexts without changing templates. LogoKit continues the trend of attacking with simplicity and small footprints. In executing only a few lines of customizable JavaScript and loading resources from trusted sources, such as Google Firebase, LogoKit increases its chances of success.”

If you like this article, follow us on Twitter, Facebook, Instagram, and LinkedIn.