A cybercrime group has developed a novel phishing toolkit that changes logos and text on a phishing page in real-time to adapt to targeted victims.
Named LogoKit, this phishing tool is already deployed in the wild, according to threat intelligence firm RiskIQ, which has been tracking its evolution.
The company said it already identified LogoKit installs on more than 300 domains over the past week and more than 700 sites over the past month.
The security firm said LogoKit relies on sending users phishing links that contain their email addresses.
“Once a victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google’s favicon database,” RiskIQ security researcher Adam Castleman said in a report on Wednesday.
“The victim email is also auto-filled into the email or username field, tricking victims into feeling like they have previously logged into the site,” he added.
“Should a victim enter their password, LogoKit performs an AJAX request, sending the target’s email and password to an external source, and, finally, redirecting the user to their [legitimate] corporate web site.”
Castleman said LogoKit achieves this with only “an embeddable set of JavaScript functions” that can be added to any generic login form or complex HTML document.
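As an added defensive example (not code from the RiskIQ report or this article), the script below scans constructed proxy log lines for the sequence described above: a page load whose URL carries the recipient's email address in the path, query or fragment, followed by the same client fetching a logo from a third-party logo service with that page as the referer. The log format and the logo-service hostnames are assumptions made for the example.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample proxy log: "<client> <requested url> <referer or ->"
SAMPLE_LOG = """\
10.0.0.5 https://cdn-host.example/login.html#alice@corp.example -
10.0.0.5 https://logo.clearbit.com/corp.example https://cdn-host.example/login.html
10.0.0.7 https://intranet.corp.example/home -
10.0.0.9 https://docs.example/view?user=bob%40corp.example -
10.0.0.9 https://www.google.com/s2/favicons?domain=corp.example https://docs.example/view?user=bob%40corp.example
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def email_in_url(url):
    """Return an email address embedded in the URL's path, query or fragment, else None."""
    parts = urlparse(url)
    for piece in (parts.path, parts.query, parts.fragment):
        match = EMAIL_RE.search(unquote(piece))
        if match:
            return match.group(0)
    return None


def is_logo_fetch(url):
    """True for requests to the third-party logo services named in the article (assumed hosts)."""
    parts = urlparse(url)
    if parts.hostname == "logo.clearbit.com":
        return True
    return parts.hostname == "www.google.com" and parts.path == "/s2/favicons"


def page_key(url):
    """Normalise a URL to scheme://host/path so page loads and referers can be matched."""
    return urlparse(url)._replace(query="", fragment="").geturl()


def find_logokit_like_sessions(log_text):
    """Return (client, page_url, email) for each page that embedded an email address
    and was then used as the referer for a logo fetch by the same client."""
    pages_with_email = {}  # (client, page_key) -> (page_url, email)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, url, referer = line.split()
        email = email_in_url(url)
        if email:
            pages_with_email[(client, page_key(url))] = (url, email)
        elif is_logo_fetch(url) and referer != "-":
            found = pages_with_email.get((client, page_key(referer)))
            if found:
                hits.append((client, found[0], found[1]))
    return hits
```

Run `find_logokit_like_sessions(SAMPLE_LOG)` to see both constructed phishing sessions flagged while the intranet visit is not; in production the same logic would be fed by the web proxy and paired with a check that the referer host is not the company's own domain.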
This is different from standard phishing kits, most of which need pixel-perfect templates mimicking a company’s authentication pages.
The kit’s modularity allows LogoKit operators to target any company they want with very little customization work and mount tens or hundreds of attacks a week against a wide-ranging set of targets.
RiskIQ said that over the past month, it has seen LogoKit being used to mimic and create login pages for services ranging from generic login portals to false SharePoint portals, Adobe Document Cloud, OneDrive, Office 365, and several cryptocurrency exchanges.
Because LogoKit is so small, the phishing kit doesn’t always need its own complex server setup, as some other phishing kits need. The kit can be hosted on hacked sites or legitimate pages for the companies LogoKit operators want to target.
Furthermore, since LogoKit is a collection of JavaScript files, its resources can also be hosted on public trusted services like Firebase, GitHub, Oracle Cloud, and others, most of which are whitelisted inside corporate environments and trigger few alerts when loaded inside an employee’s browser.
RiskIQ said it is tracking this new threat closely due to the kit’s simplicity, which the security firm believes improves its chances of a successful phish.