momius - stock.adobe.com

Cyber criminals hijacking legitimate website comms

Criminals are exploiting firms’ use of online feedback methods to distribute spam and phishing emails, security researchers warn

Kaspersky researchers have found that criminals are increasingly exploiting registration, subscription and feedback forms on websites to insert spam content or phishing links into confirmation emails from respected and trustworthy companies on a global scale.

This is one of the latest methods to emerge for criminals to deliver their spam and phishing messages to recipients, while bypassing existing content filters.

These methods typically hijack communications from a legitimate source with a good reputation so that users cannot ignore the message.

This creates a challenge for companies because this malicious content, seemingly sent on their behalf, could compromise their customers’ trust or even lead to personal data leaks.

The researchers found that a method gaining popularity exploits the fact that almost every company is interested in receiving feedback from their clients to improve the quality of service, customer retention, and reputation.

To do this, companies ask customers to register a personal account, subscribe to newsletters or communicate with feedback forms on the website to ask questions or leave suggestions.

These are the mechanisms that attackers are exploiting, the researchers warn, noting that all three mechanisms require the customers’ name and email address.

According to Kaspersky researchers, scammers are adding spam content and phishing links into this mail. They simply add the victim’s email address into the registration or subscription form and type their message instead of the name.

The website will then send a modified confirmation message to that address, containing an advertisement or phishing link at the beginning of the text instead of the recipient’s name.

“Most of these modified letters are linked to online surveys designed to obtain personal data from visitors,” said Maria Vergelis, security expert at Kaspersky.

“Notifications from a reliable source usually pass through content filters with ease, as they are official messages from a reputable company, which is why this new method of spam emailing is so effective and worrying,” she said.

To keep companies from possible reputational losses, Kaspersky advises that they check how the feedback forms work on the company website; embed several verification rules that would cause an error when trying to register a name with inappropriate symbols; and conduct a vulnerability assessment of the website.

Read more about phishing

Read more on Hackers and cybercrime prevention