Attackers abusing website's contact form to deliver malware

Attackers abusing website's contact form to deliver malware

Microsoft is warning businesses to beware of cybercriminals using company website contact forms to deliver the IcedID info-stealing banking trojan in email with Google URLs to employees.

“The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware,” the company’s threat intelligence team said in a write-up published last Friday.

Company website ‘contact us’ forms are an open doorway on the internet and criminals have recently started using them to reach workers who receive contact requests from the public. 

Crooks are using social engineering to exploit workers’ efforts to do their jobs.

IcedID is a modular banking trojan first spotted in 2017 and updated to also deploy second-stage malware payloads, including Trickbot, Qakbot, and Ryuk ransomware.

To further increase their attacks’ efficiency, the threat actors threaten their targets with legal action for copyright infringements to pressure them into clicking embedded links directing them to IcedID payloads.

Microsoft considered the threat serious enough to report the attacks to Google’s security teams to warn them that cybercriminals are using legitimate Google URLs to deliver malware. The Google URLs are useful to the attackers because they will bypass email security filters. The attackers appear to have also bypassed CAPTCHA challenges that are used to test whether the contact submission is from a human. 

The attackers use language that applies pressure on the employee to respond, the idea is to lead the victim into revealing sensitive information, click a sketchy link, or open a malicious file. In this infection chain, it’s a link to a page, which requires users to sign in with their Google credentials, following which a ZIP archive file is automatically downloaded.

The ZIP file contains a heavily obfuscated JavaScript file that downloads the IcedID malware. What’s more, the malicious code can download secondary implants like Cobalt Strike, potentially putting affected victims at further risk.

Leave a Reply

Your email address will not be published.