Hackers Use Open Redirect Vulnerabilities in Online Services to Deliver Phishing Content

Researchers at Resecurity noticed threat actors leveraging Open Redirect Vulnerabilities which is popular in online services and apps to evade spam filters to deliver phishing content. Trusted service domains like Snapchat and other online services make special URLs that lead to malicious resources with phishing kits.

The kit identified is named ‘LogoKit’ that was earlier used in attacks against Office 365, Bank of America, GoDaddy, Virgin Fly, and other financial institutions and online services.

LogoKit – Phishing Kit

LogoKit is well-known for its dynamic content generation using JavaScript. It can change logos of the impersonated service and text on the landing pages in to adapt on the fly. Therefore, the targeted victims will possibly interact with the malicious resource.

The analysis says in November 2021, there were more than 700 identified domain names used in campaigns leveraging LogoKit and it goes on to increase.

Researchers say in this case, the actors choose to use domain names in exotic jurisdictions with relatively poor abuse management process – .gq, .ml, .tk, ga, .cf or to gain unauthorized access to legitimate WEB-resources, and then use them as hosting for further phishing distribution.

LogoKit operators send victims a personalized, specially crafted URL containing their email address. Once a victim navigates to the URL, LogoKit fetches the desired company logo from a third-party service, such as Clearbit or Google’s favicon database.

LogoKit targeting Office 365 users
Example of an email containing text and a link with an embedded link inside it

The embedded link is leveraging Open Redirect Vulnerability in Snapchat, and another URL from Google leads to a phishing resource.

 The victim email is also auto-filled into the email or username field, tricking victims into thinking it’s a familiar site they’ve already visited and logged into. LogoKit performs an AJAX request sending their email and password to an attacker-owned server before finally redirecting the user to the corporate website they intended to visit when clicking the URL.

The threat actors without the need for changing templates, the LogoKit script itself will assist to embed malicious scripts or host attacker infrastructure. 

“Unfortunately, the use of Open Redirect vulnerabilities significantly facilitates LogoKit distribution, as many (even popular) online-services don’t treat such bugs as critical, and in some cases – don’t even patch, leaving the open door for such abuse”, Resecurity

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

10 hours ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

13 hours ago

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…

13 hours ago

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…

14 hours ago

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…

15 hours ago

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…

17 hours ago