Threat Actors Use Online Contact Forms to Initiate Attacks
As email filters become more effective at detecting and blocking phishing messages, cybercriminals look for new ways to circumvent them. Some are now using online contact forms to open communications with their targets. Completing a contact form on a company’s website typically generates a response from an employee. Opening a dialog with that employee may provide the bad actor with the opportunity to perpetrate a variety of attacks.
In a more traditional spear-phishing attack, a threat actor posing as a contractor in order to fraudulently redirect funds to their own account would first need to identify and obtain the email address of a company employee with the authority to perform this type of action. To initiate contact, the attacker would then need to craft an email to that employee that makes it through the organization's email filter.
Suppose the company website provides an online contact form for its contractors. In that case, the scammer could complete the form posing as a contractor requesting information about how to redirect pending payments to a new account. The inquiry would be routed to the employee with authority to handle such requests, and that employee would then reach out to the bad actor.
From this point, the attacker could simply proceed with the attempt to have funds diverted and take no further action. Alternatively, the dialog opens the door for the bad actor to deliver malware that infects or provides access to the company's systems. The malware would almost certainly be detected if attached to an email, but it could be successfully delivered through a file sharing service once a dialog had been established with the company employee.
In this scenario, the company representative would most likely request documentation to verify the threat actor’s identity and information. In response, the attacker could then send a malicious file via a file transfer service like TransferNow or WeTransfer. There are no filters to stop the malware from being delivered using this method.
The consequences of these attacks range from the fraudulent dispersal of funds to criminals gaining long-term, persistent access to networks and systems. In some attacks observed in the wild, the targeted company’s critical systems were completely shut down.
Threat actors are also using this tactic to infect their targets with BazarLoader, allowing them to deliver ransomware or conduct some other form of multi-stage attack.
In addition to eliminating the difficulties associated with circumventing email filters and identifying the right employees to target, online contact forms make it much easier for criminals to disguise their attacks as reasonable requests of a type that company employees ordinarily receive.
The attacker only needs to make a request that would result in the responding employee asking for more information like copies of documents. This approach facilitates malware delivery via file sharing. The recipient, believing the malware to be a harmless file received in response to their request for information, opens the malicious file.
Avoiding this attack
If your organization utilizes online contact forms, a review of these forms and their usage may be warranted. It might be possible to implement some safeguards that would prevent threat actors from accessing and using them. For example, you could remove the forms from your public site and allow them to be accessed only by those with credentials issued by your organization. Those with access might include verified company contractors and vendors.
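As an added illustration of the review suggested above (example code, not from the original article), here is a Python triage routine that flags contact-form submissions showing the indicators the article describes: a payment-redirection request, a link to a file-transfer service, or a sender domain that differs from the one on file for the claimed contractor. The service host list, the vendor lookup and the sample submission are constructed for the example.

```python
import re
from dataclasses import dataclass
# Hosts of the file-transfer services the article names (constructed list;
# a real deployment would maintain its own).
FILE_SHARING_HOSTS = ("transfernow.net", "wetransfer.com")
# Phrases matching the payment-redirection pretext the article describes.
PAYMENT_CHANGE_PATTERNS = [
    r"\b(new|updated?|change[sd]?)\b.{0,40}\b(bank|account|routing|iban|payment)s?\b",
    r"\b(redirect|reroute|divert)\b.{0,40}\b(payment|funds|invoice)s?\b",
]
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# Constructed lookup: registered vendor -> the domain on file for it.
KNOWN_VENDOR_DOMAINS = {"acme contractors": "acme-contractors.example"}

@dataclass
class Submission:
    sender_email: str
    claimed_company: str   # contractor the sender claims to represent
    message: str

def triage_submission(sub: Submission) -> list[str]:
    """Return reasons the submission needs out-of-band verification (empty list:
    none found). Confirm flagged forms via a phone number already on file before
    sending information or opening any received file."""
    reasons = []
    text = sub.message.lower()
    if any(re.search(p, text) for p in PAYMENT_CHANGE_PATTERNS):
        reasons.append("payment-change request")
    for host in URL_RE.findall(sub.message):
        host = host.lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            reasons.append(f"file-sharing link: {host}")
    expected = KNOWN_VENDOR_DOMAINS.get(sub.claimed_company.lower())
    sender_domain = sub.sender_email.rsplit("@", 1)[-1].lower()
    if expected and sender_domain != expected:
        reasons.append(f"sender domain {sender_domain} differs from {expected}")
    return reasons

# Constructed sample submission modelled on the article's scenario.
SAMPLE = Submission(
    sender_email="billing@acme-contractors-invoices.example",
    claimed_company="Acme Contractors",
    message="We changed banks. Please redirect our pending payments to the "
            "new account. Signed forms: https://wetransfer.com/downloads/x1",
)

if __name__ == "__main__":
    for reason in triage_submission(SAMPLE):
        print("flag:", reason)
```

A flagged submission should be routed to a reviewer rather than answered automatically; the empty-list result for an ordinary request lets the normal workflow proceed.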
Because this is a social engineering attack that bypasses technical controls, training your employees to recognize it will also reduce the likelihood of your organization being hit. An effective training program is ongoing, is continuously evaluated and improved, includes information about current and emerging threats, and engages your employees. If you have not implemented a training program and need assistance, quality providers offering training as a service are available to help.