Companies Compromised by Their Own Contact Forms

Back in April, Microsoft warned of a “unique ‘form’ of email delivery” that was delivering malware. These attacks used a company’s own contact form, available on their company website, to generate fake emails with malicious links. At that time, Microsoft claimed that their own antivirus program, Microsoft Defender, had been upgraded to detect and block these emails. It would seem that this would be the end of the story, but, as is often the case, it was just the first chapter. Recently, this attack has re-emerged. So how exactly does it work?

Here is a typical contact form as shown in the Microsoft report.

Many contact forms like this generate an email that is sent to an address that is sometimes hidden behind the ‘send’ button. That email may go directly to someone’s inbox because it comes from a trusted source: the company’s own website. Other contact forms save the submitted information to a folder on the company’s server, where it can be reviewed before being passed on to any individual.

In the original attack, the email generated contained the attacker’s own phishing message, probably by placing it in the comments/message segment of the form. It would arrive in the recipient’s inbox looking something like the following.

The message goes on to claim that the writer is a professional photographer and that the company has illegally used one of her photos. A link in the message tells the recipient to check out the images for themselves. She then threatens to take legal action if she gets no response soon. The link leads to a Google-hosted website (sites.google.com) where the recipient is told to sign in with their credentials. Since the link points to a legitimate domain, it may avoid detection by spam filters. In any event, if the recipient signs in, they become a victim: signing in launches a malicious .zip file that will eventually give the attacker full control of the victim’s device.

The new attacks, which first appeared in October, use a slightly different approach. The email, sent through the contact form, claims that the recipient’s website or a website the recipient is responsible for hosting or developing was involved in a DDoS attack. One website developer reported that she was informed by one of her clients that they received a message saying that they should “Click on the link below to download DDos Attack evidence and follow the instructions to fix the issue: storage.googleapis.com/(plus the scam address).” The storage.googleapis.com address is a legitimate Google storage address.

The message alleges that a company called Palmwood Realty, Inc. had been compromised and is attacking the company associated with the writer of the email; in this case, that company was Intuit Inc. The email threatens that “if DDoS attacks associated with palmwoodrealty.com will not stop within the next 24 hour period upon receipt of this message, we will be entitled to seek legal actions to resolve this issue.” It appears the ‘take legal action’ angle pays off for these scammers.

The companies mentioned by the scammers are legitimate, and the scammers can easily learn which company developed the website that is purportedly the source of the DDoS attack. Knowing this makes the email seem more credible and makes it more likely that the recipient will visit the linked site to retrieve the log that is said to be stored there.

There is no doubt that this attack vector has been successful. The fact that companies are being targeted is even more troubling because it now appears that the contact form angle is being used by ransomware gangs. In other words, the technique is being used to tunnel into a corporate network and encrypt company data until the company pays a ransom. In fact, the IBM cybersecurity team (IBM X-Force) has associated the latest contact form attacks with the notorious Trickbot gang and Conti/Ryuk ransomware. In short, always check the source of an email that makes it into your inbox, especially if it comes from your own contact forms. If you happen to overlook this, then beware of any email that claims you have done something illegal and must follow a link to some site that, on the surface, may be legitimate. No doubt other variations on this scam will arise; this looks like it will be a continuing story.
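As an added example, not code from this post or from the Microsoft or IBM reports, here is a small Python screen that a contact-form handler could run on a submission before mailing it to anyone: it scores the message on the signals described above (links to legitimate-looking Google hosting, legal threats, "illegal" use of photos, DDoS accusations, a short deadline) and holds high-scoring messages for a human instead of forwarding them. The abused hosts and threat wording come from the post; the point values, the threshold and the sample messages are my own constructions.

```python
import re
from dataclasses import dataclass, field

# Hosting domains the post names as abused landing pages (the link itself looks legitimate).
ABUSED_HOSTS = ("sites.google.com", "storage.googleapis.com")
# Wording from the two variants described above: legal threats, "illegal" use of photos,
# DDoS accusations and a short deadline. Each distinct hit adds one point.
THREAT_PATTERNS = (
    r"\blegal action", r"\billegal(ly)?\b", r"\bddos\b",
    r"\b(copyright|my (photo|image)s?)\b", r"\bwithin (the next )?\d+ hours?\b",
)
# A bare or schemed host followed by a path; group 1 is the host.
URL_RE = re.compile(r"(?:https?://)?\b((?:[a-z0-9-]+\.)+[a-z]{2,})(/[^\s<>\"']*)", re.I)
HOLD_THRESHOLD = 3  # constructed value: at or above this, hold for review instead of forwarding

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def hold(self) -> bool:
        return self.score >= HOLD_THRESHOLD

def screen_submission(message: str) -> Verdict:
    """Score a contact-form message body before it is mailed to anyone's inbox."""
    v = Verdict()
    hosts = [m.group(1).lower() for m in URL_RE.finditer(message)]
    if hosts:
        v.score += 1
        v.reasons.append(f"{len(hosts)} link(s) in message")
    for host in hosts:
        if host in ABUSED_HOSTS:
            v.score += 2
            v.reasons.append(f"link to commonly abused host {host}")
    for pattern in THREAT_PATTERNS:
        if re.search(pattern, message, re.I):
            v.score += 1
            v.reasons.append(f"threat wording matched /{pattern}/")
    return v

# Constructed samples modelled on the DDoS variant above and on a normal enquiry (not real messages).
SAMPLE_DDOS = ("Click on the link below to download DDoS Attack evidence and follow the instructions "
               "to fix the issue: storage.googleapis.com/evidence/report.zip If the attacks will not "
               "stop within the next 24 hour period, we will seek legal actions.")
SAMPLE_BENIGN = "Hi, could you send a quote for 20 seats? See https://example.com/rfp.pdf for details."

if __name__ == "__main__":
    for text in (SAMPLE_DDOS, SAMPLE_BENIGN):
        verdict = screen_submission(text)
        print("HOLD" if verdict.hold else "FORWARD", verdict.score, verdict.reasons)
```

A held message is not discarded; it goes to the server-side folder the post describes, where someone can read it before it ever reaches an inbox.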
