As sophisticated attacks dominate the headlines, it’s important to remember that the vast majority of cybercrime results from simple, effective, and tested tools. These tools are easy to use and accommodate a wide range of attacker skill levels. The LogoKit phishing kit, which RiskIQ has detected running on more than 300 unique domains in the past week and 700 over the past month, is a prime example.
LogoKit is More than Meets the Eye
LogoKit operators send victims a personalized, specially crafted URL containing their email address. Once a victim navigates to the URL, LogoKit fetches the desired company logo from a third-party service, such as Clearbit or Google’s favicon database. The victim’s email is also auto-filled into the email or username field, tricking victims into thinking it’s a familiar site they’ve already visited and logged into. In some cases, attackers use legitimate object storage buckets, e.g., Google Firebase, which helps their operation appear less suspicious because it sends users to a domain name they recognize.
Should a victim enter their password, LogoKit performs an AJAX request sending their email and password to an attacker-owned server before finally redirecting the user to the corporate website they intended to visit when clicking the URL. However, some LogoKit versions will play additional tricks, such as telling a user that their password is incorrect and prompting them to enter the password again. Another AJAX request can then perform new tasks, such as sending the credentials to the attacker’s email.
For Phishing, Simpler is Better
LogoKit is ingenious in its simplicity. It’s fully modularized, allowing effortless reuse and adaptation by other threat actors without changing templates. The LogoKit script is also easy to drop into websites attackers have already compromised, whether to embed malicious scripts or to host attacker infrastructure—RiskIQ has observed websites hosting LogoKit variants via compromised WordPress instances.
LogoKit is also powerful in its versatility. It can be used in simple login forms or embedded into more complex HTML documents pretending to be legitimate services. This ability to disguise as or blend into almost any site makes it popular with attackers who have targeted a wide range of victims. RiskIQ has observed LogoKit mimicking organizations across several sectors, including financial, legal, and entertainment.
RiskIQ has observed LogoKit operators targeting various services, ranging from generic login portals to SharePoint, Adobe Document Cloud, OneDrive, Office 365, and cryptocurrency exchanges. By relying only on widely used services, threat actors make blocking LogoKit tricky. For example, blocking Amazon’s object storage outright would likely lead to availability issues for legitimate web browsing.
Other services targeted by LogoKit observed by RiskIQ include:
- glitch.me: Application Deployment Platform
- appspot.com: Google Cloud Platform
- web.app: Google Firebase
- firebaseapp.com: Google Firebase
- storage.googleapis.com: Google Cloud Storage
- firebasestorage.googleapis.com: Google Firebase Storage
- s3.amazonaws.com: Amazon S3 Object Storage
- csb.app: Google CodeSandbox
- website.yandexcloud.net: Yandex Static Hosting
- github.io: GitHub Static Page Hosting
- digitaloceanspaces.com: DigitalOcean Object Storage
- oraclecloud.com: Oracle Object Storage
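The two traits described above (a victim email carried in the link, and hosting on a widely used cloud service from the list just given) are cheap to check at a mail gateway or in proxy logs. The following triage helper is an added example written for this summary, not RiskIQ’s code; the hosting-domain list is taken from the article, while the sample URLs are constructed and the scoring weights are an assumption.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Hosting domains the article lists as abused by LogoKit operators.
ABUSED_HOSTING_SUFFIXES = (
    "glitch.me", "appspot.com", "web.app", "firebaseapp.com",
    "storage.googleapis.com", "firebasestorage.googleapis.com",
    "s3.amazonaws.com", "csb.app", "website.yandexcloud.net",
    "github.io", "digitaloceanspaces.com", "oraclecloud.com",
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def hosted_on_abused_service(host: str) -> bool:
    """True if host is one of the listed services or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ABUSED_HOSTING_SUFFIXES)


def embedded_emails(url: str) -> List[str]:
    """Email addresses carried in the path, query or fragment (percent-decoded).

    The fragment matters: browsers never send it to the server, so a kit that
    puts the victim address after '#' leaves no trace in web-server logs.
    """
    parts = urlsplit(url)
    haystack = unquote(parts.path + "?" + parts.query + "#" + parts.fragment)
    return EMAIL_RE.findall(haystack)


def triage_url(url: str) -> Dict[str, object]:
    """Score a link on the two LogoKit traits; weights are an assumed heuristic."""
    emails = embedded_emails(url)
    abused = hosted_on_abused_service(urlsplit(url).hostname or "")
    reasons = []
    score = 0
    if emails:
        score += 2
        reasons.append("victim email embedded in URL: " + ", ".join(emails))
    if abused:
        score += 1
        reasons.append("hosted on a cloud service the kit is known to abuse")
    return {"url": url, "emails": emails, "abused_host": abused,
            "score": score, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links, not real observations.
    for u in ("https://example-project.web.app/login/index.html#alice@example.com",
              "https://cdn.example.org/docs/index.html?u=bob%40example.com",
              "https://www.example.com/about"):
        print(triage_url(u))
```

A score of 3 is a strong LogoKit-style candidate worth detonating in a sandbox; a score of 1 alone is just ordinary cloud hosting and should not be blocked, for the availability reason the article gives.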
Vigilance is Key Against LogoKit
As mentioned above, many attacks using LogoKit involved preformatted URLs sent to victims, which emphasizes the importance of security awareness and phishing training for users. The following redacted URL serves as an example LogoKit phish link observed within RiskIQ’s data:
Because threat actors can easily embed LogoKit payloads inside legitimate pages or create subdirectories for LogoKit deployment, site administrators should regularly review their CMS for updates. They should also verify the integrity of their web applications’ login pages by looking for injected code.