We recently analyzed LogoKit, a simple, modularized, and adaptable phish kit running on thousands of domains. Easy to use and able to accommodate a wide range of attacker skill levels, LogoKit is a hot commodity on the black market.
LogoKit's popularity has given rise to enterprising threat actors who manufacture, package, and sell the kit to meet a strong and still growing demand among cybercriminals worldwide. However, these crimeware purveyors are more than just cybercriminals; they're also expert marketers who use social media sites, web forums, and messaging apps to build their brand, advertise their product, and streamline transactions.
After analyzing LogoKit itself last week, we took a closer look at the infrastructure and criminal enterprise behind it. The resulting investigation illuminated a massive phishing ecosystem and thriving crimeware economy driven by a high demand for simple, effective phishing tools. Below, we'll look at a major player in the sale of LogoKit.
The Business of LogoKit
The actors behind the sale of LogoKit also offer a wide range of other illicit products and services, including malicious documents, information-stealing malware, financial and personal data, bulletproof hosting, and more. Just as with the sale of a legitimate product, branding, marketing, and prospecting for new customers are essential on the black market. While analyzing compromised sites hosting the kit, RiskIQ researchers noticed a recurring naming scheme in some of the URLs, which led them to their first glimpse of a popular LogoKit marketing term, 'FUD.'
Analyzing sites with the naming scheme "adobe-RD28" in the URL eventually led researchers to a compromised WordPress site with the original LogoKit phish kit zip file exposed. This file contained an email address, fudpages@gmail[.]com, which operatives used to receive harvested credentials. Via WHOIS, this email address linked to several webpages and accounts on various messaging platforms, including Telegram, that the LogoKit actors use for marketing.
In this case, "FUD" is slang for "fully undetected." As more domain names, usernames, and emails connected to the group surfaced, it became clear that these LogoKit salesmen use the term the way a legitimate business uses a trademarked catchphrase. The actors repeatedly associate the FUD brand with their products and offerings.
The actors behind the FUD messaging are multichannel marketers and use various services for their sales and marketing endeavors. For instance, while analyzing their web pages, our researchers noted the actors offering several options for customers to communicate with them, including WhatsApp, ICQ, Telegram, and even Skype.
RiskIQ's Internet Intelligence Graph also led our researchers to an actor-controlled YouTube account, which promotes the actor’s goods and services and appears on several FUD-‘branded’ web pages. The YouTube channel lists fudpages@gmail[.]com, the same email address as the Telegram account and zipped phish kit file mentioned above.
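The pivot described above started from an email address found inside a recovered kit archive. As an added example (not RiskIQ's tooling), the following sketch pulls candidate addresses out of a kit zip for use as pivot points and reports them defanged. The function names, file names, and example.com/example.org addresses are all constructed for illustration.

```python
import io
import re
import zipfile

# Matches plain and defanged addresses such as user@host[.]tld
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:(?:\.|\[\.\])[A-Za-z0-9-]+)+"
)
TEXT_EXT = (".php", ".js", ".html", ".htm", ".txt", ".ini", ".json")
MAX_MEMBER = 2 * 1024 * 1024  # skip oversized members (zip-bomb guard)


def defang(addr):
    """Lower-case the address and defang every dot in the domain part."""
    local, _, domain = addr.lower().partition("@")
    return local + "@" + domain.replace("[.]", ".").replace(".", "[.]")


def extract_addresses(zip_bytes):
    """Return {defanged address: sorted member paths it appears in}."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            if not info.filename.lower().endswith(TEXT_EXT):
                continue  # binary assets are not searched
            text = zf.read(info).decode("utf-8", errors="replace")
            for match in EMAIL_RE.findall(text):
                hits.setdefault(defang(match), set()).add(info.filename)
    return {addr: sorted(paths) for addr, paths in hits.items()}


def build_sample_kit():
    """Constructed sample archive; file names and contents are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("kit/post.php", '<?php $to = "Drop.Box@example.com"; ?>')
        zf.writestr("kit/config.ini", "notify=drop.box@example[.]com\n")
        zf.writestr("kit/readme.txt", "support: seller@example.org")
        zf.writestr("kit/logo.png", b"\x89PNG contact@example.net")
    return buf.getvalue()


if __name__ == "__main__":
    for addr, paths in extract_addresses(build_sample_kit()).items():
        print(addr, paths)
```

An address that recurs across several files of a kit, or across kits recovered from different sites, is the stronger candidate for a WHOIS or account pivot like the one described above.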
More LogoKit Marketing Strategies
More search results for the "adobe-RD28" naming convention led us to the name of a potential second actor publicly selling LogoKit. Through open-source intelligence, researchers connected the name 'xBugs' to several web pages and user accounts on different messaging platforms, social media sites, and message boards advertising their malicious services and products.
One of these Telegram accounts, ‘xBugsOfficial,’ is listed as the contact for the open Telegram group ‘incrediblehazard,’ which offers banking, credit card, and other payment and personal data for sale via direct message to its 1,230 members. The actor behind these Telegram groups used them to advertise black hat services on forums with the usernames 'Xbugs' and 'Black_Hat_Arab.'
The actor behind xBugs was active on Twitter from January 2015 through November 2017 using the handle @freshspamtoolsd, so we know their activity went back at least that far. The account advertised many different products and services for sale, such as botnet access, keyloggers, and phishing pages for financial information.
The LogoKit Ecosystem
RiskIQ's systems enabled our researchers to acquire a sample of LogoKit from part of a phishing URL. Our Internet Intelligence Graph then helped make connections between the kit and large swaths of threat infrastructure, including hundreds of domains, a dedicated IP address, webpages, and messaging platform accounts controlled by LogoKit actors, some dating back to 2015.
Currently, RiskIQ connects LogoKit to more than 300 domains. Most of them are hidden behind Cloudflare hosting, but several have been hosted on a dedicated IP since August 2020. Many of the webpages tied to these domains come from a standard template and contain articles promoting various products and services alongside links to accounts or groups on messaging services such as WhatsApp, Skype, ICQ, and Telegram.
LogoKit actors have been active since at least 2015, when Brian Krebs wrote an article about a phishing group connected to manipulaters[.]com. This organization offers DNS and other services to dubious groups.
Since 2015, RiskIQ's infrastructure analysis shows various LogoKit actors providing DNS for at least 2,300 phishing pages through these domains. We've observed these pages in web and SMS attacks posing as Canadian and UK tax organizations and financial institutions. They also facilitate other malicious activities.
Scale Your Defenses Against LogoKit
Visit our Threat Intelligence Portal for the full technical analysis of LogoKit and the criminal enterprise that makes and sells it, as well as more information about how RiskIQ is detecting this highly successful breed of phishing kit.
Also, be sure to join our next Threat Hunting workshop on February 18th. In this hands-on virtual session, our RiskIQ Labs team will demonstrate how to identify and scale threat investigations against LogoKit. Additionally, we’ll share attribution details on who’s behind the attack and fingerprint their online resource, so you can defend your organization.
To find out how RiskIQ can defend your organization's digital attack surface, get started today.