Threat actors repurpose Open Redirect vulnerabilities to bypass spam filters and deliver the LogoKit phishing content using trusted domains such as Snapchat and Google. LogoKit dynamically generates landing pages, steals credentials, and leverages compromised hosting across exotic domains to evade detection and target services like Office 365, Bank of America, GoDaddy, and Virgin Fly.
Keypoints
- LogoKit exploits Open Redirect vulnerabilities to bypass anti-spam controls and deliver phishing pages.
- Phishing domains impersonate trusted services and are hosted on compromised or exotic hosting to avoid abuse filters.
- The kit uses JavaScript-driven dynamic content to modify logos and text on landing pages in real time.
- Credential harvesting occurs via web forms: the victim's email is auto-filled, and the entered password is sent to an external server through an AJAX request before the victim is redirected to the legitimate site.
- LogoKit campaigns have a long history (since 2015) with rapid expansion, including hundreds of domains in recent campaigns.
- Targeted templates include impersonations of Office 365, Bank of America, GoDaddy, Virgin Fly, and other major services.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – The embedded link uses an Open Redirect vulnerability in a trusted service to send victims to a phishing resource. Quote: “The embedded link is leveraging Open Redirect Vulnerability in Snapchat, and another URL from Google leading to a phishing resource:”
- [T1566.003] Phishing: Spearphishing via Service – Impersonation of trusted services (e.g., Snapchat, online services) to host phishing resources. Quote: “Using highly trusted service domains like Snapchat and other online-services, they create special URLs which lead to malicious resources with phishing kits.”
- [T1036] Masquerading – Activity is hidden behind legitimate service notifications to evade detection. Quote: “these tactics allow cybercriminals to masquerade their activity behind the notifications of legitimate services to evade detection.”
- [T1027] Obfuscated/Compressed Files and Information – LogoKit content is obfuscated on landing pages. Quote: “The content of the pages generated by LogoKit is typically obfuscated.”
- [T1056.003] Credentials in Web Forms – The victim’s email is auto-filled and the entered password is captured via an AJAX request to an external server. Quote: “The victim’s email is then auto filled in the email or username field … Should the victim then enter their password, LogoKit performs an AJAX request, sending the target’s email and password to an external source.”
- [T1041] Exfiltration Over C2 Channel – Credentials are exfiltrated to an external server via AJAX before the victim is redirected. Quote: “…sending the target’s email and password to an external source, then finally redirecting the victim to their ‘legitimate’ corporate website.”
Indicators of Compromise
- [Domain] – fleek.co, parquedelprado.com.do, web.app, csb.app, us.archive.org, ia801507.us.archive.org, gl1hz.csb.app, cerstts.ga/100/wgbground
- [URL] – https://storageapi.fleek.co/0ad91b1c-9994-4a1d-bf88-18cf07dbaf52-bucket/continue.html?#[email protected], https://click.snapchat.com/aVHG?=http://29781.google.com&af_web_dp=http://bz.pn83f.parquedelprado.com.do.#.aHR0cHM6Ly9zdG9yYWdlYXBpLmZsZWVrLmNvLzBhZDkxYjFjLTk5OTQtNGExZC1iZjg4LTE4Y2YwN2RiYWY1Mi1idWNrZXQvY29udGludWUuaHRtbD8jY29udGFjdEByZXNlY3VyaXR5LmNvbQ==
- [URL] – http://bz.pn83f.parquedelprado.com.do, https://storageapi.fleek.co/0ad91b1c-9994-4a1d-bf88-18cf07dbaf52-bucket/continue.html?#[email protected]
- [Document/File/Other] – Two further domain-hosting references and related URL scans, e.g. https://urlscan.io/result/94a6995d-fa52-4007-acca-06a7effd168c/related/
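As an added defender-side example (not code from the original report or from LogoKit), the following Python unwraps a redirect chain of the shape listed above: a trusted redirector whose query parameters carry attacker URLs and whose fragment holds a base64-encoded landing page with the victim's address in its own fragment. The sample URL is constructed here with a placeholder bucket name and email; `analyze_redirect` is a hypothetical helper for mail-gateway or SOC triage.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample modelled on the Snapchat/Google chain above. The landing page
# and email are placeholders; base64 padding is stripped so the repair path is exercised.
LANDING_URL = "https://storageapi.fleek.co/EXAMPLE-bucket/continue.html?#victim@example.com"
SAMPLE_URL = (
    "https://click.snapchat.com/aVHG?=http://29781.google.com"
    "&af_web_dp=http://bz.pn83f.parquedelprado.com.do.#."
    + base64.b64encode(LANDING_URL.encode()).decode().rstrip("=")
)


def _decode_b64_fragment(fragment):
    """Return the fragment decoded as a URL if it is base64 of an http(s) URL, else None."""
    token = fragment.strip(".")
    if not token:
        return None
    token += "=" * (-len(token) % 4)  # restore any missing base64 padding
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.lower().startswith(("http://", "https://")) else None


def analyze_redirect(url):
    """Report every off-domain hop in a redirector URL plus any pre-filled victim email."""
    outer = urlsplit(url)
    report = {"redirector": outer.hostname, "hops": [], "final_landing": None, "prefilled_email": None}
    # Any query value that is itself a URL on another host is a redirect hop.
    for _, value in parse_qsl(outer.query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            hop = urlsplit(value).hostname
            if hop and hop != outer.hostname:
                report["hops"].append(hop)
    # The base64 fragment names the real landing page; its own fragment carries the email.
    landing = _decode_b64_fragment(outer.fragment)
    if landing:
        report["final_landing"] = landing
        report["hops"].append(urlsplit(landing).hostname)
        candidate = urlsplit(landing).fragment
        if EMAIL_RE.match(candidate):
            report["prefilled_email"] = candidate
    report["suspicious"] = bool(report["hops"])
    return report
```

Running `analyze_redirect(SAMPLE_URL)` lists the Google and compromised-hosting hops, the decoded fleek.co landing page, and the placeholder email that the kit would auto-fill.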