Monday, April 12, 2021

Criminals spread malware using website contact forms with Google URLs


Crooks are using social engineering to exploit workers' efforts to do their jobs.

If your company website has a contact form, be aware that criminals are now using website contact forms to deliver an info-stealing Trojan called IcedID. The lure is a message containing a legitimate Google URL (a sites.google.com page); the page then asks the recipient to sign in with a Google username and password before the content is shown, so the request looks like an ordinary Google login rather than a malware download.

IcedID is a banking trojan and information stealer that can also serve as an entry point for follow-on attacks, such as human-operated ransomware against high-value targets. Human-operated ransomware attacks are increasingly common: an attacker sits at the keyboard and orchestrates the intrusion step by step, in contrast to a fully automated attack.

In recent weeks, one of my clients experienced a rise in spam and phishing emails from their WordPress-based website. They implemented a CAPTCHA challenge to thwart the phishing and scam emails; however, this new threat has the ability to bypass the CAPTCHA protection.

Microsoft considered the threat serious enough to report the attacks to Google's security teams, warning them that cyber criminals are using legitimate Google URLs to deliver malware. The Google URLs are useful to the attackers because the domain has a good reputation, so the messages pass email security filters that block or flag links to unknown or newly registered domains. The attackers also appear to have bypassed the CAPTCHA challenges that are meant to test whether a contact submission comes from a human, so a CAPTCHA alone cannot be relied on to keep these messages out.

The social engineering works by exploiting workers' efforts to do their jobs: the messages use language that puts pressure on the employee to respond quickly, for example by threatening legal consequences.

One trick used is to falsely claim that the website is using copyrighted images.  We have already experienced this at one client.

This is an old ploy with a new twist. The email contains a link to a sites.google.com page. If the link is followed, a ZIP file containing a JavaScript file is automatically downloaded; when the JavaScript file is run, it in turn downloads the IcedID malware as a .DAT file. A remote-control component, Cobalt Strike, is installed as well, which allows the attacker to control the device over the internet. Note that nothing is installed merely by submitting the form: the victim has to click the link, sign in, and then open the downloaded JavaScript file, so each of those steps is a point where the chain can be stopped.
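Because the CAPTCHA was bypassed in the case above, a content-based screen on the submissions themselves is a useful second layer. The following is an added example written for this post; it is not code from the ZDNet article, from Microsoft, or from the client site mentioned above. It scores each contact-form submission on two signals the article describes: a link to a Google-hosted page that anyone can publish to (sites.google.com is the host named in the report; the other hosts in the list are assumptions added for illustration), and the legal-pressure wording of the copyright lure. The sample submissions are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Google-owned hostnames where arbitrary users can publish content.
# sites.google.com is the host named in the report; the others are
# assumptions added here because they are abused the same way.
USER_CONTENT_HOSTS = {
    "sites.google.com",
    "drive.google.com",
    "docs.google.com",
    "storage.googleapis.com",
}

# Phrases typical of the "you are using my copyrighted images" lure.
# This list is an assumption; tune it to the messages you actually receive.
PRESSURE_TERMS = (
    "copyright",
    "lawsuit",
    "legal action",
    "dmca",
    "attorney",
    "within 24 hours",
    "immediately",
)

# Matches http(s) URLs up to the next whitespace or closing quote/bracket.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Submissions at or above this score are held for review instead of being
# delivered to the mailbox. A legitimate message can contain one pressure
# word, so a single hit is not enough on its own.
QUARANTINE_THRESHOLD = 4


def extract_urls(text):
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(text)


def score_submission(submission):
    """Score one submission (dict with 'name', 'email', 'message').

    Returns (score, reasons). Each link to a user-publishable Google host
    adds 3 points; each pressure phrase adds 1 point.
    """
    message = submission["message"]
    lowered = message.lower()
    score = 0
    reasons = []

    for url in extract_urls(message):
        host = (urlparse(url).hostname or "").lower()
        if host in USER_CONTENT_HOSTS:
            score += 3
            reasons.append(f"link to user-publishable Google host: {host}")

    hits = [term for term in PRESSURE_TERMS if term in lowered]
    if hits:
        score += len(hits)
        reasons.append("pressure wording: " + ", ".join(hits))

    return score, reasons


def triage(submissions):
    """Attach a score, reasons and a verdict to every submission."""
    results = []
    for sub in submissions:
        score, reasons = score_submission(sub)
        verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
        results.append({"email": sub["email"], "score": score,
                        "verdict": verdict, "reasons": reasons})
    return results


# Constructed sample submissions (not real messages).
SAMPLE_SUBMISSIONS = [
    {"name": "Mel", "email": "mel@example.net",
     "message": ("Your website is using my copyrighted images without "
                 "permission. Proof is here: "
                 "https://sites.google.com/view/image-claim-8827 "
                 "Remove them within 24 hours or I will take legal action.")},
    {"name": "Dana", "email": "dana@example.com",
     "message": ("Hi, I would like a quote for a new logo. "
                 "My current site is https://www.example.com/ for reference.")},
    {"name": "Sam", "email": "sam@example.org",
     "message": "Can you ship my order immediately? Order number 4521."},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_SUBMISSIONS):
        print(f"{r['verdict']:10} score={r['score']} {r['email']} {r['reasons']}")
```

Run the script as-is to see the copyright lure quarantined while the two ordinary enquiries, including the one that happens to use the word "immediately", are delivered. Scoring rather than hard-blocking is deliberate: legitimate correspondents do use sites.google.com, so a held submission should land in a review queue, not be silently dropped.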


To read the full article at ZDNet, click on the following link:

Criminals spread malware using website contact forms with Google URLs | ZDNet






