A new phishing tool variant has been unravelled by cybersecurity researchers that ran rampant globally in the past months. The researcher’s statistics report shows that LogoKit has already been seen on more than 700 sites in the past few months and more than 300 domains a few weeks ago. The phishing tool is said to be taking advantage of users’ vulnerability to cautiously inspect the authenticity of the portals they are being redirected, which may result in their credentials being stolen by an unknown adversary.
LogoKit caught the researchers’ eye for its customizable and straightforward structure that with a few tweaks from the adversary can quickly adapt to successfully lure its target victim.
Based on the submitted analysis, the application consists of piled javascript files that are hooked up to Clearbit and Google’s favicon database for logo fetching of the targeted company. Other feature of the tool includes being independent of any server setup reliability, unlike other similar application which makes it for the adversary to embed or blend it with HTML templates to disguise as the company login portal of the intended victim. With its other compressed file package feature, an adversary can easily integrate it to legitimate websites or domains.
According to the report, the intrusion starts with a spear-phishing email sent to the victim with a URL containing their email address. Once the intended victim opens the link, the phishing tool will automatically connect to the Clearbit/Google favicon database to fetch the company logo where the intended victim is employed. Then embeds it on an HTML template to create a fake login portal that mimics the victim’s online login access to their company. The username is already auto-filled with the victim‘s email address to give the victim the impression that they already accessed the URL to bypass any doubts on the page authenticity. Once the password has been entered, the tool will automatically capture it, and the stolen credentials will be delivered to the adversaries’ email address. The victim will then be redirected to their real company domain.
The Logokit has been spotted mostly in Google services platforms such as Firebase, Cloud, Sandbox, and other storage and application services of Github, Yandex, Amazon, Oracle, and DigitalOcean. Other hosting companies and legitimate websites that were mostly created via WordPress have also been infected by LogoKit. This is from the usual login portals targeted by adversaries like Office 365, Cryptocurrency, Sharepoint, and Adobe.
Recommendation to mitigate possible intrusion includes regular scanning of the CMS (Content Management System) platform of web administrator to check for any suspicious or injected contents on their website. Enforcing a multi-factor authentication or using the OTP login process is also a must as this adds more security in accessing the company network. But more importantly, is to provide proper awareness to everyone about the current scheming tactics of these adversaries with a constant reminder of being vigilant and cautious in opening anything from the email or the web.