Hackers are getting smarter with LogoKit email phishing attacks that use dynamic personalization.
Hackers expose millions of companies to impersonation using a specific login page with Clearbit URL personalization.
The ChatFortress team was able to replicate this demonstration page in less than 60 minutes.
You can access the Demo here:
We know that the best way to create a cybersecurity culture is through experiential learning, so letting users play with the demonstration website helps explain these attacks. Our goal is to help make your employees smarter at detecting these email scams.
How to personalize the page?
You can personalize the page based on the email address or domain name used in the URL by adding #email address to the URL. For example, www.ChatFortress.com/lp/login#[email protected] imports the Clearbit.com logo to the login page and prefills the email address to further convince targets this is a legitimate page.
This phishing attack was identified by RiskIQ on Jan 27, 2021. It’s just an example of how cybercriminals are getting smarter with their attacks, using the same APIs legitimate companies use for website personalization to improve the effectiveness of their attacks.
You will see an increase in attacks using dynamic personalization or previously exploited data. Every web service or API that’s available to your company is also available for malicious use.
What is LogoKit?
LogoKit is a simple webpage phishing attack kit that allows for dynamic personalization based on the target company. The overall phish kit, dubbed LogoKit, is designed to be fully modularized, allowing for easy reuse and adaptation by other threat actors. Unlike many other phishing kits that take advantage of complex layouts and multiple files, the LogoKit family is an embeddable set of JavaScript functions. These kits are designed to interact with the Document Object Model (DOM), the site’s presentation layer. Interacting with the DOM allows the script to dynamically alter the visible content and HTML form data within a page without user interaction.
RiskIQ reported that over 700 companies had been targeted with this attack strategy. However, because the Clearbit API is used to apply the personalization, this attack strategy instantly exposes millions of companies to impersonation attacks.
Here are just a few examples:
How does LogoKit spread?
- Initially, the attacker sends the victim a specially crafted malicious URL with the victim’s email ID hidden in it.
- Once a victim clicks on the URL, it redirects the user to a fake corporate web site.
- The victim’s email is auto-filled into the email or username field to trick the users into thinking they have previously logged into the site.
- If the victims enter their password, LogoKit sends the target’s email and password to an external source operated by threat actors.
- LogoKit allows attackers to easily compromise websites and embed the malware or malicious script in them.
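A defensive check for the link pattern described in the steps above, as an added example that is not part of the original article or of LogoKit: it flags links whose fragment carries an email address that does not belong to the link's host. The `.example` links, recipients and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Email address with the mailbox domain captured in group 1.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

# Constructed (recipient, URL) pairs, as a mail gateway might extract them.
SAMPLE_LINKS = [
    ("alice@corp.example", "https://files-share.example/lp/login#alice@corp.example"),
    ("alice@corp.example", "https://files-share.example/lp/login#alice%40corp.example"),
    ("bob@corp.example", "https://sso.corp.example/login#bob@corp.example"),
    ("bob@corp.example", "https://docs.vendor.example/guide#section-2"),
]

def host_matches(host, email_domain):
    """True when the URL host is the mailbox domain or a subdomain of it."""
    host, email_domain = host.lower().rstrip("."), email_domain.lower()
    return host == email_domain or host.endswith("." + email_domain)

def check_url(url, recipient=None):
    """Return a finding if the URL fragment carries an email address, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    match = EMAIL_RE.search(unquote(parts.fragment))  # also catches %40-encoded '@'
    if not match or not parts.hostname:
        return None
    email = match.group(0).lower()
    return {
        "host": parts.hostname,
        "email": email,
        # Prefilled address for a domain the host does not belong to.
        "host_mismatch": not host_matches(parts.hostname, match.group(1)),
        # The address in the link is the very mailbox the message was sent to.
        "targets_recipient": recipient is not None and email == recipient.lower(),
    }

def triage(links):
    """Return (url, finding) pairs where the fragment email does not fit the host."""
    hits = []
    for recipient, url in links:
        finding = check_url(url, recipient)
        if finding and finding["host_mismatch"]:
            hits.append((url, finding))
    return hits

if __name__ == "__main__":
    for url, finding in triage(SAMPLE_LINKS):
        print(url, finding)
```

URL fragments are not sent to the web server, so a check like this belongs where the full link is visible, such as the mail gateway, rather than in server-side logs.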
With advertisers using dynamic personalization to get your attention, the question now becomes: how are you going to detect the fake vs. real pages?
Sharing real world examples of attacks is how you educate your team on creating a cybersecurity culture.