Friday, July 23, 2021

Attackers abusing website’s contact form to deliver malware

Microsoft is warning businesses to beware of cybercriminals who abuse company website contact forms to send employees emails containing Google URLs that deliver the IcedID info-stealing banking trojan.

“The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware,” the company’s threat intelligence team said in a write-up published last Friday.

Company website ‘contact us’ forms are an open doorway on the internet, and criminals have recently started using them to reach the workers whose job is to handle contact requests from the public.

Crooks are using social engineering to exploit workers’ efforts to do their jobs.

IcedID is a modular banking trojan first spotted in 2017 and updated to also deploy second-stage malware payloads, including Trickbot, Qakbot, and Ryuk ransomware.

To further increase their attacks’ efficiency, the threat actors threaten their targets with legal action for copyright infringement, pressuring them into clicking embedded links that lead to IcedID payloads.

Microsoft considered the threat serious enough to report the attacks to Google’s security teams and warn them that cybercriminals are using legitimate Google URLs to deliver malware. The Google URLs are useful to the attackers because they bypass email security filters. The attackers also appear to have bypassed the CAPTCHA challenges meant to test whether a contact-form submission comes from a human.

The attackers use language that pressures the employee to respond; the goal is to lead the victim into revealing sensitive information, clicking a sketchy link, or opening a malicious file. In this infection chain, it is a link to a sites.google.com page that requires users to sign in with their Google credentials, after which a ZIP archive is automatically downloaded.

The ZIP file contains a heavily obfuscated JavaScript file that downloads the IcedID malware. What’s more, the malicious code can download secondary implants like Cobalt Strike, potentially putting affected victims at further risk.
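Because the CAPTCHA did not stop these submissions, a defender's next layer is to triage contact-form messages server-side before a human opens them. The following is an added example, not code from Microsoft's report or this site: it scores constructed submissions on the two signals the report describes together, a link to a legitimate hosted-content domain (sites.google.com) and legal-threat pretext language. The term list and the "review/low/clean" verdicts are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample contact-form submissions (not real data).
SUBMISSIONS = [
    {"id": 1, "message": "You have used our copyrighted images without permission. "
                         "Review the evidence here: https://sites.google.com/view/evidence-12345 "
                         "or we will take legal action."},
    {"id": 2, "message": "Hi, I'd like a quote for 200 units. Please call me back on Monday."},
    {"id": 3, "message": "Our lawyer says these photos are stolen. "
                         "Proof is in the archive: https://example.com/proof.zip"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Legitimate hosting domains that pass reputation filters; sites.google.com is the
# one named in the report. Extending this set for your environment is an assumption.
HOSTED_CONTENT_HOSTS = {"sites.google.com"}
# Vocabulary of the legal-threat pretext described in the report (assumed list).
PRESSURE_TERMS = ("copyright", "infringement", "legal action", "lawsuit", "dmca",
                  "evidence", "lawyer")

def extract_hosts(text):
    """Return lower-cased hostnames of every URL found in a message body."""
    return [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)]

def score_submission(sub):
    """Return (verdict, reasons). 'review' needs both signals; either alone is 'low'."""
    reasons = []
    hosted = [h for h in extract_hosts(sub["message"]) if h in HOSTED_CONTENT_HOSTS]
    if hosted:
        reasons.append("link to hosted-content domain: " + ", ".join(sorted(set(hosted))))
    lower = sub["message"].lower()
    hits = [t for t in PRESSURE_TERMS if t in lower]
    if hits:
        reasons.append("legal-pressure language: " + ", ".join(hits))
    verdict = "review" if len(reasons) == 2 else ("low" if reasons else "clean")
    return verdict, reasons

def triage(subs):
    """Map submission id -> verdict so the queue can be sorted before a human opens it."""
    return {s["id"]: score_submission(s)[0] for s in subs}

if __name__ == "__main__":
    for s in SUBMISSIONS:
        verdict, reasons = score_submission(s)
        print(s["id"], verdict, reasons)
```

A "review" verdict should route the message to someone who will not sign in or open archives from the link; the hosted-domain signal alone is deliberately weak because legitimate customers also share Google links.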

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
