According to Kaspersky’s latest research, there has been a growth in the usage of spam and phishing delivery techniques among cybercriminals.
In a press release on Wednesday (14 Aug), Kaspersky noted that malicious internet users are increasingly exploiting registration, subscription, and feedback forms on websites to insert spam content or phishing links into confirmation emails from respected and trustworthy companies on a global scale.
Ideally, the perpetrators will attempt to draft up letters seemingly originated from legitimate sources with a good reputation so that users would not shy away and ignore the unwanted email. Consequently, this sparks a challenge for companies as this unwanted spam or even malicious content, purportedly sent on their behalf, could compromise their customers’ trust or even lead to personal data leaks.
Kaspersky hinted that the method is relatively simple and effective. After all, nearly every company today is interested in receiving feedback from their clients to improve the quality of service, customer retention, and reputation. Hence, companies tend to ask customers to register a personal account, subscribe to newsletters or communicate with feedback forms on the website; and these are exactly the mechanisms that attackers are currently exploiting.
All three mechanisms require the customers’ name and email address, so they can receive a confirmation email or feedback. According to Kaspersky researchers, scammers are adding spam content and phishing links into this mail. They simply add the victim’s email address into the registration or subscription form and type their message instead of the name. The website will then send a modified confirmation letter to that address, containing an advertisement or phishing link at the beginning of the text instead of the recipient’s name.
“Most of these modified letters are linked to online surveys designed to obtain personal data from visitors. Notifications from a reliable source usually pass through content filters with ease, as they are official messages from a reputable company. This is why this new method of unwanted, yet seemingly innocent, spam emailing is so effective and worrying,” said Maria Vergelis, security expert at Kaspersky.
To keep companies from possible reputational losses, Kaspersky advise the following precautions:
- To check how the feedback forms work on your website
- To embed several verification rules that would cause an error when trying to register a name withinappropriate symbols
- To conduct a vulnerability assessment of the website, if possible
