Categories: News

Phishing kit screenshots your email domain on the fly to appear real

In a phishing campaign analysed by Security Report this week, threat actors are deploying JavaScript code within phishing webpages to generate the page’s background based on the domain associated with victim’s email address.

This means, the phishing kit can be repurposed dynamically, across any number of domains as the need to manually imitate the website design by threat actors is now eliminated. A threat actor can, for example, use the same phishing URL to phish victim email addresses registered to virtually any domain.

On demand phishing page generation

One of the phishing messages analysed in this campaign is shown below. The email falsely claims to the recipient that incoming email messages are being quarantined and the issue must be “resolved.”

Clicking on the “Resolve Messages…” link leads you to a phishing webpage, URL for which contains the email address that the phishing message was sent to.

For example, if your email address is test@microsoft.com and this is where the phishing email had arrived, the URL to phishing webpage would contain that email address. And both the logo for the phishing form and the background are generated based on the domain “microsoft.com” on the fly:

But, had the email arrived at say your-email@gmail.com, the form logo and webpage background would now be automatically changed to reflect Google’s look and feel.

In another test below, we switched the test@microsoft.com email address to victim@amazon.co.uk. Notice the background and phishing form logo change.

As evident from the screenshots above, the campaign is using Amazon AWS and web3.storage to host phishing webpages.

Logobit and Thum.io used for generating graphics

The client-side code seen by Security Report in the phishing pages indicates it is using Thum.io, a website screenshot generator service to generate the page background—based on the domain of the victim’s email address.

Further, Clearbit is used for fetching the appropriate logo image for the webform.

August this year, LA-based cybersecurity firm Resecurity analysed a phishing kit dubbed LogoKit that also made use of Clearbit to fetch the company logo.

“LogoKit relies on sending users phishing links that contain their email addresses. Once the victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google’s favicon database,” explained Resecurity researchers.

“LogoKit is known for its dynamic content generation using JavaScript – it is able to change logos (of the impersonated service) and text on the landing pages in real-time to adapt on the fly, by doing so the targeted victims are more likely to interact with the malicious resource. Around November 2021, there were over 700 identified domains names used in campaigns leveraging LogoKit – their number is constantly growing.”

The phishing campaign observed by us this week takes LogoKit’s tactics a step further but combining these with dynamic background image generation based on the target victim’s domain.

As always, it’s a good practice to be wary of emails you receive, and to refrain from opening suspicious links or attachments within them.

Ax Sharma

Ax Sharma is a Security Researcher and Tech Reporter. His works and expert analyses have frequently been featured by leading media outlets including the BBC, Business Insider, Fortune, TechCrunch, TechRepublic, The Register, WIRED, among others. Ax's expertise lies in vulnerability research, malware analysis and reverse engineering, open source software and scams investigations. He's an active community member of British Association of Journalists (BAJ) and Canadian Association of Journalists (CAJ).

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

4 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

5 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

5 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

5 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

1 year ago

Royal Mail online tracking returns — with a frustrating captcha that works half the time

Mysterious week-long outage impacting the Royal Mail tracking website is subsiding, but with caveats. Meanwhile,…

2 years ago

This website uses cookies.