This means the phishing kit can be repurposed dynamically across any number of domains, since the threat actor no longer needs to manually imitate each target website's design. A threat actor can, for example, use the same phishing URL to phish victims whose email addresses are registered to virtually any domain.
On-demand phishing page generation
One of the phishing messages analysed in this campaign is shown below. The email falsely claims to the recipient that incoming email messages are being quarantined and the issue must be “resolved.”
Clicking on the “Resolve Messages…” link leads to a phishing webpage whose URL contains the email address to which the phishing message was sent.
For example, if the phishing email arrived at email@example.com, the URL of the phishing webpage would contain that email address, and both the logo on the phishing form and the page background are generated on the fly based on the domain “microsoft.com”:
But, had the email arrived at say firstname.lastname@example.org, the form logo and webpage background would now be automatically changed to reflect Google’s look and feel.
In another test below, we switched the email@example.com email address to firstname.lastname@example.org. Notice the background and phishing form logo change.
As evident from the screenshots above, the campaign is using Amazon AWS and web3.storage to host phishing webpages.
Clearbit and Thum.io used for generating graphics
The client-side code seen by Security Report in the phishing pages indicates it is using Thum.io, a website screenshot service, to generate the page background based on the domain of the victim’s email address.
Further, Clearbit is used for fetching the appropriate logo image for the webform.
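A defender-side check for the two indicators described above (a victim email address embedded in the phishing URL, and page code that pulls branding from Thum.io or Clearbit), as an added example that is not part of the Security Report analysis. The URL and HTML below are constructed samples, and matching the service hostnames by suffix is an assumption about how they appear in page code.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Third-party services named in the campaign analysis. Matched by hostname
# suffix so subdomains such as logo.clearbit.com are caught (assumption).
BRANDING_SERVICES = ("thum.io", "clearbit.com")

# Captures the domain part of an email address found in free text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def embedded_victim_domains(url):
    """Domains of any email addresses embedded in a URL's path, query or fragment."""
    parsed = urlparse(url)
    candidates = [unquote(parsed.path), unquote(parsed.fragment)]
    for values in parse_qs(parsed.query).values():
        candidates.extend(values)
    return [m.group(1).lower() for text in candidates for m in EMAIL_RE.finditer(text)]


def branding_service_refs(html):
    """Hostnames of screenshot/logo services referenced anywhere in page HTML or JS."""
    refs = set()
    for m in re.finditer(r"https?://([A-Za-z0-9.-]+)", html):
        host = m.group(1).lower()
        if any(host == s or host.endswith("." + s) for s in BRANDING_SERVICES):
            refs.add(host)
    return sorted(refs)


def assess(url, html):
    """Rate a landing page: both indicators together is the pattern this kit exhibits."""
    domains = embedded_victim_domains(url)
    refs = branding_service_refs(html)
    if domains and refs:
        return "high", domains, refs
    if domains or refs:
        return "medium", domains, refs
    return "low", domains, refs


# Constructed sample: a quarantine-themed URL carrying the recipient address in
# its fragment, and page code that builds logo/background URLs from the domain.
SAMPLE_URL = "https://storage.example-cdn.invalid/quarantine.html#firstname.lastname@example.org"
SAMPLE_HTML = """<img id="logo" src="https://logo.clearbit.com/">
<script>var bg = 'https://image.thum.io/get/' + domain;</script>"""

if __name__ == "__main__":
    print(assess(SAMPLE_URL, SAMPLE_HTML))
```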
In August this year, LA-based cybersecurity firm Resecurity analysed a phishing kit dubbed LogoKit that also made use of Clearbit to fetch the company logo.
“LogoKit relies on sending users phishing links that contain their email addresses. Once the victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google’s favicon database,” explained Resecurity researchers.
The phishing campaign observed by us this week takes LogoKit’s tactics a step further by combining them with dynamic background image generation based on the target victim’s domain.
As always, it’s a good practice to be wary of emails you receive, and to refrain from opening suspicious links or attachments within them.