KALI

Hackers Use Open Redirect Vulnerabilities in Online Services to Deliver Phishing Content

Researchers at Resecurity noticed threat actors leveraging Open Redirect Vulnerabilities which is popular in online services and apps to evade spam filters to deliver phishing content. Trusted service domains like Snapchat and other online services make special URLs that lead to malicious resources with phishing kits.

The kit identified is named ‘LogoKit’ that was earlier used in attacks against Office 365, Bank of America, GoDaddy, Virgin Fly, and other financial institutions and online services.

LogoKit – Phishing Kit

LogoKit is well-known for its dynamic content generation using JavaScript. It can change logos of the impersonated service and text on the landing pages in to adapt on the fly. Therefore, the targeted victims will possibly interact with the malicious resource.

The analysis says in November 2021, there were more than 700 identified domain names used in campaigns leveraging LogoKit and it goes on to increase.

Researchers say in this case, the actors choose to use domain names in exotic jurisdictions with relatively poor abuse management process – .gq, .ml, .tk, ga, .cf or to gain unauthorized access to legitimate WEB-resources, and then use them as hosting for further phishing distribution.

LogoKit operators send victims a personalized, specially crafted URL containing their email address. Once a victim navigates to the URL, LogoKit fetches the desired company logo from a third-party service, such as Clearbit or Google’s favicon database.

LogoKit targeting Office 365 users
Example of an email containing text and a link with an embedded link inside it

The embedded link is leveraging Open Redirect Vulnerability in Snapchat, and another URL from Google leads to a phishing resource.

 The victim email is also auto-filled into the email or username field, tricking victims into thinking it’s a familiar site they’ve already visited and logged into. LogoKit performs an AJAX request sending their email and password to an attacker-owned server before finally redirecting the user to the corporate website they intended to visit when clicking the URL.

The threat actors without the need for changing templates, the LogoKit script itself will assist to embed malicious scripts or host attacker infrastructure. 

“Unfortunately, the use of Open Redirect vulnerabilities significantly facilitates LogoKit distribution, as many (even popular) online-services don’t treat such bugs as critical, and in some cases – don’t even patch, leaving the open door for such abuse”, Resecurity

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Guru baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government entities and energy companies.  The attackers,…

1 hour ago

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to dismantle its operations. Initially detected in…

1 hour ago

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source nature. However, it has a big…

2 hours ago

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation, and growth. However, this shift towards…

2 hours ago

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed light on the growing concerns within…

5 hours ago

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse engineering .NET malware.  The write-up outlines…

6 hours ago