Threat intelligence firm RiskIQ announced that it has discovered a new phishing toolkit that changes the logos and text on a phishing page in real time to match the victim. The kit, dubbed LogoKit, is fully modular: an embeddable set of JavaScript functions that others can easily reuse and adapt. It is designed to interact with the Document Object Model (DOM), which lets the script change the visible page content and HTML form data dynamically, without any user interaction.
700 unique domains with LogoKit
Attackers send the victim a specially crafted URL that contains the victim’s email address. When the victim clicks the link, the kit fetches the targeted company’s logo from a third-party service, such as Clearbit or Google’s favicon database, and pre-fills the email field with the victim’s address, creating the impression that they have logged into the site before. When the victim enters a password, the kit sends the email address and password to an external server via an AJAX request and then redirects the victim to their corporate website.
According to RiskIQ’s announcement, the company has observed more than 700 unique domains running LogoKit. It also stated that, because the kit is so simple, attackers can easily compromise legitimate sites and embed the script there, or host it on their own infrastructure. The statement lists the following services as having been observed in use by LogoKit phishing campaigns:
- glitch.me: Application Deployment Platform
- appspot.com: Google Cloud Platform
- web.app: Google Firebase
- firebaseapp.com: Google Firebase
- storage.googleapis.com: Google Cloud Storage
- firebasestorage.googleapis.com: Google Firebase Storage
- s3.amazonaws.com: Amazon S3 Object Storage
- csb.app: Google CodeSandbox
- website.yandexcloud.net: Yandex Static Hosting
- github.io: GitHub Static Page Hosting
- digitaloceanspaces.com: DigitalOcean Object Storage
- oraclecloud.com: Oracle Object Storage
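A defender can turn the two observations above (a link that carries the victim’s email address, and a page served from one of the listed hosting services) into a triage check for URLs seen in mail gateways or proxy logs. The following is an added example written for this article, not code from RiskIQ or from LogoKit; the sample URLs are constructed, and the base64 decoding of URL components is an assumption that goes beyond the article, which only says the URL “contains” the address.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Hosting services the article lists as observed serving LogoKit pages.
# All of them also host plenty of legitimate content, so a host match alone
# is only a weak signal; combined with an embedded email it is worth a look.
LOGOKIT_HOSTS = (
    "glitch.me", "appspot.com", "web.app", "firebaseapp.com",
    "storage.googleapis.com", "firebasestorage.googleapis.com",
    "s3.amazonaws.com", "csb.app", "website.yandexcloud.net",
    "github.io", "digitaloceanspaces.com", "oraclecloud.com",
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _maybe_base64(text: str) -> str:
    """Return the decoded ASCII text if `text` is valid base64, else ''."""
    try:
        padded = text + "=" * (-len(text) % 4)
        return base64.b64decode(padded, validate=True).decode("ascii")
    except Exception:  # not base64, bad padding, or non-ASCII payload
        return ""


def find_embedded_email(url: str) -> Optional[str]:
    """Return an email address carried in the URL path, query or fragment."""
    parts = urlsplit(url)
    candidates = [unquote(parts.path), unquote(parts.fragment)]
    for values in parse_qs(parts.query).values():
        candidates.extend(values)
    # Assumption: also inspect base64-decoded components, since the address
    # need not appear in clear text to be "contained" in the URL.
    candidates += [_maybe_base64(c) for c in list(candidates)]
    for text in candidates:
        match = EMAIL_RE.search(text)
        if match:
            return match.group(0)
    return None


def on_listed_host(url: str) -> bool:
    """True if the URL host is, or is a subdomain of, a listed service."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in LOGOKIT_HOSTS)


def triage(url: str) -> dict:
    """Flag URLs that combine an embedded email with a listed hosting service."""
    email = find_embedded_email(url)
    listed = on_listed_host(url)
    return {"url": url, "email": email, "listed_host": listed,
            "suspicious": email is not None and listed}


SAMPLE_URLS = [  # constructed examples, not real indicators
    "https://example-login.glitch.me/#alice@example.com",
    "https://example-login.web.app/?u=YWxpY2VAZXhhbXBsZS5jb20=",
    "https://www.example.com/signin?next=/home",
]
```

Feeding `SAMPLE_URLS` through `triage` flags the first two (clear-text and base64-encoded address on a listed host) and leaves the third alone; because the article also notes that attackers embed the script in compromised sites, a URL that fails the host check is not thereby cleared.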