LogoKit phishing kit allows creating phishing pages in real time

RiskIQ researchers said that the new LogoKit phishing kit was detected on more than 700 unique domains in the last month alone and on 300 in the last week.

Worse, this tool allows hackers to modify logos and text on phishing pages in real time, tailoring sites for specific purposes.

LogoKit relies on sending users phishing links containing their email addresses. When the victim opens such a URL, LogoKit pulls the company logo from a third-party service, such as Clearbit or the Google favicon database.

The victim’s email address is also automatically substituted in the email or username field so that users think they’ve visited the site before. If the victim enters their password, LogoKit makes an AJAX request, sends their email address and password to an external source, and finally redirects the user to a [legitimate] corporate site, experts write.
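A defender-side check for the lure described above, as an added example that is not RiskIQ's or this article's code: it flags links that carry the recipient's own address while pointing at a host outside the recipient's organisation. The base64 handling, the function names and the sample URLs are assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
B64_RE = re.compile(r"[A-Za-z0-9+_-]{12,}")  # candidate base64 tokens (assumption)

def embedded_emails(url):
    """Addresses in the path, query or fragment, plain or base64-encoded."""
    parts = urlsplit(url)
    blob = unquote(" ".join((parts.path, parts.query, parts.fragment)))
    found = set(EMAIL_RE.findall(blob))
    for token in B64_RE.findall(blob):
        padded = token + "=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, altchars=b"-_").decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64 text, ignore the token
        found.update(EMAIL_RE.findall(decoded))
    return {addr.lower() for addr in found}

def flag_personalised_links(recipient, urls, own_hosts=()):
    """Return (url, host) for links that carry the recipient's own address but
    are served from outside the recipient's domain and the own_hosts list."""
    recipient = recipient.lower()
    trusted = (recipient.rsplit("@", 1)[1],) + tuple(h.lower() for h in own_hosts)
    hits = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        # Keep own_hosts to the organisation's real login hosts: the article
        # notes the kit's files can sit on widely allowlisted cloud services.
        if any(host == t or host.endswith("." + t) for t in trusted):
            continue
        if recipient in embedded_emails(url):
            hits.append((url, host))
    return hits

# Constructed sample links; every host and address here is a placeholder.
SAMPLE_URLS = [
    "https://portal.example.net/login#alice@example.com",
    "https://files.example.org/view?id=7&u=alice%40example.com",
    "https://cdn.example.net/doc#YWxpY2VAZXhhbXBsZS5jb20",
    "https://sso.example.com/login?login_hint=alice@example.com",
    "https://news.example.org/article/42",
]

if __name__ == "__main__":
    for url, host in flag_personalised_links("alice@example.com", SAMPLE_URLS):
        print(f"review: {host} link embeds the recipient address -> {url}")
```

A hit is a reason to review the link, not a verdict: legitimate services also pre-fill addresses, which is why the organisation's own login hosts are excluded.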

The malware accomplishes this through an embedded set of JavaScript functions that can be integrated into any standard login form or complex HTML documents. This is the main difference between LogoKit and other phishing kits, as most require pixel-accurate templates that mimic company-specific authentication pages.

Analysts point out that modularity allows LogoKit operators to organize attacks on any company, spending a minimum of time and effort. For example, over the past month, LogoKit has created fake login pages that mimic various services, from regular login portals to fake SharePoint login pages, Adobe Document Cloud, OneDrive, Office 365, and several cryptocurrency exchanges.

Since LogoKit is very small and compact, it practically does not require complex server configuration. The kit can be placed on hacked sites or real company pages targeted by malware operators, said RiskIQ researchers.

Even worse, because LogoKit is just a collection of JavaScript files, its resources can even be hosted on Firebase, GitHub, Oracle Cloud, etc. Most of them are whitelisted in corporate environments and may appear harmless to security solutions and users.

Let me remind you that cybercriminals started using Google services more often in phishing campaigns.


By Vladimir Krasnogolovy
