
Cybercriminals are looking for new ways to get around email filters, which are becoming increasingly adept at identifying and blocking phishing messages. Some companies now use online contact forms to communicate with their customers, and completing a contact form on a company's website usually produces a response from an employee. Opening a line of communication with that employee may allow a bad actor to carry out a number of attacks.

 

In a more traditional spear-phishing attack, a threat actor impersonating a contractor and attempting to fraudulently divert funds to his own account would first need to find the email address of a corporate employee with the authority to carry out that kind of transaction. To reach that employee, the attacker would then need to craft an email that gets past the organization's email filter.

 

Assume the company's website has a contact form for its contractors. In that situation, the fraudster could pose as a contractor and fill out the form, asking for instructions on how to reroute pending payments to a new account. The inquiry would be forwarded to the person with the authority to deal with such requests, who would then contact the threat actor.

 

The attacker might then simply continue trying to drain funds and take no further action. Alternatively, the conversation could open the door for the bad actor to deliver malware that infects the company's systems or gives access to them. Malware attached to an email would almost certainly be caught. Once a dialogue with a company employee has been established, however, it can be delivered successfully through a file sharing service.

 

In this case, the company representative would almost certainly ask for proof confirming the threat actor's name and details. The attacker can then respond by sending a malicious file through a file transfer service such as TransferNow or WeTransfer. There are no controls in place to prevent malware from being spread this way.

 

The outcomes

 

These attacks have a wide range of repercussions, from money laundering to criminals gaining long-term, permanent access to networks and systems. In some attacks seen in the wild, the targeted company's essential systems were shut down completely.

 

Threat actors are also using this method to infect their victims with BazarLoader, which allows them to deliver ransomware or carry out another type of multi-stage attack.

 

The benefits

 

In addition to removing the hurdles of evading email filters and identifying the right employees to target, online contact forms make it considerably easier for thieves to disguise their attacks as the kind of reasonable request that corporate employees normally receive.

 

The attacker only needs to make a request that prompts the responding employee to ask for additional information, such as copies of documents. This makes distributing malware via file sharing much easier: the recipient opens the malicious file, assuming it to be a harmless file sent in response to their own request for information.

 

Defending against this attack

 

If your company uses online contact forms, a review of the forms and how they're used might be in order. It may be possible to put some precautions in place to prevent threat actors from reaching and using them. You could, for example, remove the forms from your public website and restrict access to individuals holding credentials issued by your company. Verified company contractors and vendors could then be given access.

 

Because this is a social engineering attack that sidesteps technical controls, teaching your employees how to spot it will lower the chances of your company being targeted. An excellent training program is ongoing, is evaluated and modified on a regular basis, incorporates knowledge of emerging and current threats, and involves your personnel. If you don't have a training program in place and need help, there are a number of good training providers who can help.
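
Alongside training, a mail-side check can surface the pattern described above for review. The following is an added example, not part of the original article: it follows conversations that began with a contact-form submission and flags any external reply in them that links to a file transfer service. The form mailer address, the company domain and the host list are assumptions to replace with your own, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions (hypothetical values, adjust for your environment)
FORM_MAILER = "webform@example.com"   # address that relays contact-form submissions
INTERNAL_DOMAIN = "example.com"       # company mail domain
FILE_SHARE_HOSTS = {"wetransfer.com", "we.tl", "transfernow.net"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def file_share_links(text):
    """Return URLs whose host is a listed file-share domain or a subdomain of one."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            hits.append(url)
    return hits

def flag_threads(raw_messages):
    """raw_messages: single-part plain-text messages in arrival order."""
    form_threads, alerts = set(), []   # Message-IDs of form-initiated conversations
    for raw in raw_messages:
        msg = message_from_string(raw)
        mid = msg.get("Message-ID", "").strip()
        sender = parseaddr(msg.get("From", ""))[1].lower()
        refs = set((msg.get("References", "") + " " + msg.get("In-Reply-To", "")).split())
        if sender != FORM_MAILER and not (refs & form_threads):
            continue                   # not part of a contact-form conversation
        form_threads.add(mid)
        links = file_share_links(msg.get_payload())
        if links and not sender.endswith("@" + INTERNAL_DOMAIN):
            alerts.append((mid, sender, links))
    return alerts

# Constructed sample: form submission, employee reply, external reply with a link,
# and an unrelated message that is outside any form-initiated thread.
SAMPLE = [
    "Message-ID: <f1@example.com>\nFrom: webform@example.com\n\nHow do I change payment details?",
    "Message-ID: <m2@example.com>\nFrom: ap@example.com\nIn-Reply-To: <f1@example.com>\n\nPlease send proof of identity.",
    "Message-ID: <m3@mail.test>\nFrom: Contractor <c@mail.test>\nIn-Reply-To: <m2@example.com>\n"
    "References: <f1@example.com> <m2@example.com>\n\nDocuments: https://we.tl/t-CONSTRUCTED",
    "Message-ID: <m4@mail.test>\nFrom: x@mail.test\n\nPhotos: https://wetransfer.com/downloads/CONSTRUCTED",
]

if __name__ == "__main__":
    for alert in flag_threads(SAMPLE):
        print("review before opening:", alert)
```

A hit is a prompt to verify the requester through a separate channel before the file is opened, not proof that the file is malicious.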
