LogoKit Phishing Campaign
Share this:
Researchers have found, Threat actors makes use of Open Redirect Vulnerabilities in online services and apps to bypass spam filters and deliver phishing content.
Threat actors used highly trusted service domains like Snapchat and other online services to create special URLs that then lead to malicious resources with phishing kits. The tools used as part of these attacks were part of LogoKit, which was previously used in attacks against several financial institutions and online services internationally.
LogoKit usage spike has been identified around the beginning of this month, when multiple new domain names impersonating popular services had been registered and leveraged together with Open Redirects, While LogoKit is known for a while in the underground, at least since 2015, the cybercrime group behind it is constantly leveraging new tactics.
LogoKit is based on the JavaScript programming language and can change logos and text on landing pages in real-time to make interaction with targeted victims more likely.
Once the victim navigates to the URL, their email is then auto-filled in the email or username field, tricking them into believing they’ve logged into the service before. Once the victim enters their password, LogoKit then performs an AJAX request, sending the target’s email and password to an external source, then finally redirecting the victim to their legitimate corporate website.
The use of Open Redirect vulnerabilities significantly facilitates LogoKit distribution, as many online services don’t treat such bugs as critical, and in some cases don’t even patch, leaving the open door for such abuse.
This research was documented by Resecurity researchers
