Cybercriminals are exploiting open redirect flaws in online services and apps to lure unsuspecting users into phishing pages. Because the links point at trusted domains, abusing these flaws lets the attackers bypass spam filters and harvest credentials.

LogoKit campaigns

Findings by Resecurity revealed that the attackers use trusted domains and services (such as Snapchat) to create special URLs that redirect victims to malicious pages hosting LogoKit.
  • An increase in LogoKit activities was spotted at the beginning of August when various new domain names impersonating well-known services were registered and used along with open redirects.
  • LogoKit has been active since 2015 and is found employing new tactics regularly. As of November 2021, there were over 700 identified domain names used in the LogoKit campaign, and this number is growing regularly.

How does the kit work?

LogoKit, based on JavaScript, can change the logos of impersonated services and the text on its landing pages in real time, which improves its chances of luring the target into interacting with the page.
  • A LogoKit attack requires the attacker to send targeted users phishing emails containing malicious URLs that embed the victim's email address.
  • Once a victim navigates to the malicious URL, their email address is auto-filled, giving them the impression that they have logged into the service before.
  • If the victim then enters a password, LogoKit performs an AJAX request that sends the email address and password to an external server.
  • In the final step, the user is redirected to a legitimate website.
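As an added example (not code from the article, from Resecurity, or from LogoKit itself), the following JavaScript shows the two defensive sides of the behaviour described above: a redirect handler that refuses to send the browser off-site, which closes the open redirect flaw the kit relies on, and a log-side check that flags URLs whose redirect parameter points at a foreign host while the URL also carries an email address. The host names, the list of redirect parameter names and the sample URLs are constructed for the demonstration.

```javascript
// Added example, not from the article or from LogoKit. All host names,
// parameter names and sample URLs below are constructed for the demo.

// --- Mitigation: only follow redirect targets that stay on our own origin ---
// The vulnerable pattern is `res.redirect(req.query.next)` with no check,
// which hands any absolute URL (https://evil.example/...) to the browser.
function safeRedirectTarget(rawTarget, siteOrigin) {
  if (typeof rawTarget !== 'string' || rawTarget.length === 0) return '/';
  let url;
  try {
    // Relative paths resolve against our origin; absolute URLs keep theirs.
    url = new URL(rawTarget, siteOrigin);
  } catch {
    return '/';
  }
  // Reject anything that leaves our origin. This also catches
  // scheme-relative targets (//evil.example/x), userinfo tricks
  // (https://trusted.example@evil.example/) and javascript:/data: schemes,
  // whose origin is "null".
  if (url.origin !== new URL(siteOrigin).origin) return '/';
  // Return only path + query + fragment so scheme and host cannot be changed.
  return url.pathname + url.search + url.hash;
}

// --- Detection: flag URLs on a trusted host whose redirect parameter ---
// --- points off-site and that carry an email address in query or fragment ---
// Assumption: these are common names for post-login redirect parameters.
const REDIRECT_PARAMS = ['url', 'next', 'redirect', 'redirect_uri',
  'return', 'returnurl', 'u', 'target'];
const EMAIL_RE = /[^\s@/?#=&]+@[^\s@/?#=&]+\.[a-z]{2,}/i;

// Returns a list of findings for one URL (empty when nothing looks off).
function inspectUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return []; }
  // An email anywhere in the query values or in the fragment is a sign of
  // a pre-filled phishing landing page.
  const emailSeen = [...url.searchParams.values()].some(v => EMAIL_RE.test(v))
    || EMAIL_RE.test(url.hash);
  const findings = [];
  for (const [key, value] of url.searchParams) {
    if (!REDIRECT_PARAMS.includes(key.toLowerCase())) continue;
    let target;
    try { target = new URL(value, url.origin); } catch { continue; }
    if (target.host !== url.host) {
      findings.push({ param: key, trustedHost: url.host,
        redirectsTo: target.host, carriesEmail: emailSeen });
    }
  }
  return findings;
}

// Runs inspectUrl over a batch (e.g. URLs extracted from mail-gateway logs)
// and keeps only the entries with at least one finding.
function findSuspicious(urls) {
  return urls
    .map(u => ({ url: u, findings: inspectUrl(u) }))
    .filter(entry => entry.findings.length > 0);
}

// Constructed sample input: two benign redirects, two abuse patterns.
const SAMPLE_URLS = [
  'https://trusted.example/redirect?url=/account/settings',
  'https://trusted.example/redirect?url=https://trusted.example/account',
  'https://trusted.example/redirect?url=https://login-verify.example/auth#victim@corp.example',
  'https://trusted.example/out?next=//login-verify.example/auth&e=victim%40corp.example',
];

console.log(JSON.stringify(findSuspicious(SAMPLE_URLS), null, 2));
```

The validator deliberately returns a path rather than the parsed URL, so even a caller that later prepends the site origin cannot be steered to another host; the detector treats a foreign redirect host alone as a finding and records the presence of an email address as a second signal, since either one by itself can occur in legitimate traffic.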

Ending notes

The recent use of open redirect flaws makes LogoKit links look like those of many genuine online services, which greatly facilitates its distribution. Thus, one of the best defenses is to educate employees on identifying cyber threats delivered through phishing emails.
Cyware Publisher