Threat actors (TA) leveraged Open Redirect Vulnerabilities in online services and apps to bypass spam filters and deliver phishing content, according to new data from cybersecurity researchers Resecurity.
In particular, the TA would have used highly trusted service domains like Snapchat and other online services to create special URLs that then lead to malicious resources with phishing kits.
Resecurity said the tools used as part of these attacks were part of LogoKit, which was previously used in attacks against several financial institutions and online services internationally.
“The spike of LogoKit has been identified around the beginning of August, when multiple new domain names impersonating popular services had been registered and leveraged together with Open Redirects,” the advisory read.
“While LogoKit is known for a while in the underground, at least since 2015, the cybercrime group behind it is constantly leveraging new tactics.”
Once the victim navigates to the URL, their email is then auto-filled in the email or username field, tricking them into believing they’ve logged into the service before.
Should the victim then enter their password, LogoKit then performs an AJAX request, sending the target’s email and password to an external source, then finally redirecting the victim to their “legitimate” corporate website.
As of November 2021, Resecurity said there were over 700 identified domain names used in campaigns leveraging LogoKit, but the company believes their number is constantly growing.
“These tactics allow cyber-criminals to masquerade their activity behind the notifications of legitimate services to evade detection,” Resecurity explained.
“Unfortunately, the use of Open Redirect vulnerabilities significantly facilitates LogoKit distribution, as many (even popular) online services don’t treat such bugs as critical, and in some cases – don’t even patch, leaving the open door for such abuse.”
For information on how to fend off most phishing attacks, you can read this analysis on Infosecurity Magazine from Drew Rose, co-founder of Living Security.