LogoKit update: The phishing kit leveraging open redirect vulnerabilities

Resecurity identified threat actors leveraging open redirect vulnerabilities in online services and apps to bypass spam filters to ultimately deliver phishing content.

LogoKit

Using highly trusted service domains like Snapchat and other online services, they craft special URLs that lead to malicious resources hosting phishing kits. The kit identified is named LogoKit, which was previously used in attacks against the customers of Office 365, Bank of America, GoDaddy, Virgin Fly, and many other major financial institutions and online services internationally.

A spike in LogoKit activity was identified around the beginning of August, when multiple new domain names impersonating popular services were registered and used together with open redirects. While LogoKit has been known in the underground for a while, at least since 2015, the cybercrime group behind it is constantly adopting new tactics.

LogoKit is known for its dynamic content generation using JavaScript: it changes the logo of the impersonated service and the text on the landing page in real time, adapting on the fly so that targeted victims are more likely to interact with the malicious resource. Around November 2021, there were over 700 identified domain names used in campaigns leveraging LogoKit, and their number is constantly growing.

Notably, the actors prefer to register domain names in exotic jurisdictions or zones with relatively poor abuse-management processes (.gq, .ml, .tk, .ga, .cf), or to gain unauthorized access to legitimate web resources and then use them as hosting for further phishing distribution.

LogoKit relies on sending users phishing links that contain their email addresses. Once the victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google's favicon database. The victim's email is then auto-filled in the email or username field, giving them the impression that they have logged in there before. Should the victim then enter their password, LogoKit performs an AJAX request that sends the target's email and password to an external source, and finally redirects the victim to their "legitimate" corporate website.

These tactics allow cybercriminals to hide their activity behind notifications from legitimate services, evading detection and tricking the victim into accessing the malicious resource.

Unfortunately, the use of open redirect vulnerabilities significantly facilitates LogoKit distribution, as many online services (even popular ones) don't treat such bugs as critical, and in some cases don't patch them at all, leaving the door open for such abuse.
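As an added example (not code from the original article or from the LogoKit operators), the following Python shows both sides of the problem described in the kit walkthrough above and in this paragraph: a server-side redirect validator that only accepts same-site targets, and a mail-gateway heuristic that flags trusted-domain links whose query parameter points off-site, noting the exotic TLDs and embedded victim email addresses the article describes. Hostnames and sample links are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# TLDs the article names as favoured for LogoKit phishing hosts
SUSPICIOUS_TLDS = {"gq", "ml", "tk", "ga", "cf"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def _target_host(value):
    """Hostname if `value` is an absolute or protocol-relative URL, else None."""
    value = unquote(value).strip()  # second decode catches double-encoded values
    if not value.lower().startswith(("http://", "https://", "//")):
        return None
    return (urlparse(value).hostname or "").lower() or None

def is_same_site(target, host):
    return target == host or target.endswith("." + host)

def is_safe_redirect(value, site_host):
    """Server-side fix: accept only site-relative paths or the site's own hosts."""
    target = _target_host(value)
    if target is None:
        decoded = unquote(value).strip()
        return decoded.startswith("/") and not decoded.startswith("//")
    return is_same_site(target, site_host)

def assess_link(url):
    """Mail-gateway check: flag a trusted-domain link whose query carries an
    off-site URL, and note LogoKit traits (exotic TLD, embedded victim email)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    verdict = {"host": host, "target": None, "open_redirect": False,
               "suspicious_tld": False,
               "embedded_email": bool(EMAIL_RE.search(unquote(url)))}
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for raw in values:
            target = _target_host(raw)
            if target is None or is_same_site(target, host):
                continue  # relative path or same-site target: not an open redirect
            verdict.update(target=target, open_redirect=True,
                           suspicious_tld=target.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS)
            return verdict
    return verdict

SAMPLE_LINKS = [  # constructed for this example, not real campaign URLs
    "https://trusted.example/redirect?url=https%3A%2F%2Flogin-portal.example.tk%2F%23victim%40corp.example",
    "https://trusted.example/out?next=//verify.example.gq/o365/",
    "https://trusted.example/redirect?url=https://help.trusted.example/faq",
    "https://trusted.example/redirect?url=%2Faccount%2Fsettings",
]
```

Run `assess_link` over each entry of `SAMPLE_LINKS`: the first two are flagged as open redirects to suspicious TLDs (the first also carries an embedded email), while the same-site and relative-path links pass.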
