Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/27/2021
06:15 AM
50%
50%

LogoKit Group Aims for Simple Yet Effective Phishing

A phishing kit that uses embedded JavaScript targeted the users of more than 300 sites in the past week, aiming to grab credentials for SharePoint, Adobe Document Cloud, and OneDrive.

A relatively new phishing kit uses embedded JavaScript to dynamically change elements of spoofed webpages to more easily fool users.

The adoption of the phishing tool, called LogoKit, has seemingly accelerated, with 700 domains running the kit in the past month — 300 of those in only the last week — and targeting users of popular domains, such as Microsoft SharePoint and OneDrive, according to an analysis by cybersecurity firm RiskIQ. The attack tool is both simple and versatile, integrating with the presentation elements of a webpage and allowing it to change the look and feel of the website on the fly, the company said.

Related Content:

Web Application Attacks Double from 2019: Verizon DBIR

Special Report: 2021 Top Enterprise IT Trends

New From The Edge: Learn SAML: The Language You Don't Know You're Already Speaking

In addition, its strategy of using legitimate services to host site elements makes the phishing sites harder to detect, says Adam Castleman, threat researcher at RiskIQ.

"Its flexibility in being able to be adapted into multiple social engineering pretexts in only a few lines of JavaScript and HTML is what makes this interesting," he says. "Attackers can host their collection script for stealing credentials on any third-party server while hiding one or multiple pretexts on legitimate or compromised Web services."

Phishing continues to be one of the most used tactics among attackers to kick off an attack, second only to the use of stolen credentials. Attackers used phishing in 22% of successful breaches and used or stole credentials in 37% of successful breaches, according to the annual Verizon Data Breach Report (DBIR)

"Phishing has been — and still remains — a fruitful method for attackers," the DBIR states. "The good news is that click rates are as low as they ever have been — 3.4% — and reporting rates are rising, albeit slowly." 

Google's Threat Analysis Group announced this week that North Korean hackers had used social engineering to fool some security researchers into connecting on social media and, in some cases, downloading malware.

As a simple and flexible toolkit with templates for major online services, LogoKit could make a larger number of users vulnerable to phishing attacks, especially with the toolkit's ability to use different delivery methods, such as compromised sites, attacker-hosted infrastructure, and object storage, RiskIQ states in its report.

The toolkit is not technically sophisticated but is well-thought-out, says Castleman.

"While not overly complex, one of the more interesting facets of LogoKit is the use of legitimate object hosting providers, such as Amazon S3, in an attempt to bypass common email and network filtering," he says.

RiskIQ has found examples of the toolkit targeting — among other services — SharePoint, Adobe Document Cloud, OneDrive, Office 365, Google Firebase portals, Amazon object storage, and Digital Ocean object storage. The use of legitimate services may make phishing pages harder to spot, RiskIQ says. 

If a victim enters his credentials into the displayed login page, LogoKit will send the information to an attacker-controlled server and then redirect the user to the legitimate site, which LogoKit has mimicked. In some cases, the attacker may require the user to re-enter their password — perhaps as a check that the password is correct. 

LogoKit is not the only phishing campaign to use JavaScript in creative ways. In October, Akamai found that a larger volume of phishing attacks used JavaScript as a way to obfuscate the intent of any files or scripts in the e-mail.

Companies should focus on security-awareness training for employees because the URLs generated by LogoKit use legitimate services and could easily bypass existing security measures. RiskIQ recommends that site administrators regularly review their content management systems for updates to catch any changes made by the phishing toolkit as well as look for injected code.

"Companies should ensure that users are aware of common phishing tactics and to always verify communications regarding their accounts with corporate IT departments," Castleman says. "As LogoKit users can send links to commonly used services, this increases the potential success of bypassing spam filters."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...