



Microsoft is warning companies to beware of cybercriminals who abuse the contact forms on their websites to send employees emails containing Google URLs that deliver the IcedID banking Trojan and information stealer.

A company’s website “Contact Us” form is an open doorway from the Internet, and criminals have recently begun using these forms to reach the employees who handle contact requests from the general public.

A notable feature of this attack is that the fraudsters use the contact form to send employees a legitimate Google URL, one that requires the user to sign in with a Google username and password.

Microsoft considered the attack serious enough to report it to Google’s security team, warning that cybercriminals are using legitimate Google URLs to deliver malware. Google URLs are useful to attackers because they pass through email security filters. The attackers also appear to have bypassed the CAPTCHA challenge meant to verify that a form submission came from a human.

“This threat is highly evasive because attackers exploit legitimate infrastructure such as website contact forms to circumvent protections. In addition, attackers use legitimate URLs; in this case, the target is a Google URL that requires sign-in with Google credentials,” notes the Microsoft 365 Defender Threat Intelligence Team.

Microsoft is concerned about the method itself: it is currently seeing criminals use these emailed URLs to deliver the IcedID malware, but the same technique could just as easily deliver other malware.

IcedID is a banking Trojan and information stealer that can serve as an entry point for follow-on attacks, such as human-operated ransomware against high-value targets. Human-operated ransomware attacks, in which attackers sit at the keyboard and coordinate the intrusion rather than relying on automation, are becoming increasingly common.

“Because the attack uses Google URLs, we have already alerted Google’s security teams to pay attention to this threat,” Microsoft said.

“We have observed an influx of contact form emails targeted at enterprises by abusing companies’ contact forms. This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections,” the company added.

This is a difficult attack for businesses and government agencies to detect, because the email reaches employees through their own contact forms and email marketing systems.

“Emails are sent from the contact form on the recipient’s own website, so the email template matches what you would expect from a real customer interaction or inquiry,” Microsoft said.

Attackers use language that puts pressure on employees to respond, for example a false claim that the targeted website is using copyrighted images. The email contains a link to a sites.google.com page where, the message claims, the employee can see the supposedly infringing images.

When an employee takes the bait, signs in to the site and investigates the complaint, the sites.google.com page automatically downloads a ZIP file containing a JavaScript file; that JavaScript file downloads the IcedID malware as a .DAT file. It also downloads Cobalt Strike, a component of a penetration testing toolkit, which gives the attacker remote control of the device over the Internet.
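As an added example (not from the article and not Microsoft’s own tooling), a small Python triage script that applies the two signals the article describes, a link hosted on sites.google.com combined with legal-pressure wording, to contact-form notification emails before they reach staff. The sample messages, the phrase list and the hostname check are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample contact-form notification e-mails (placeholder content, not real submissions).
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "Contact form: banner photo",
     "body": "Hi, which camera did you use for the banner photo on your About page? Thanks!"},
    {"id": 2, "subject": "Contact form: Copyright infringement notice",
     "body": ("You are using my copyrighted images without permission. Proof here: "
              "https://sites.google.com/view/placeholder-claim/home "
              "Remove them within 24 hours or I will take legal action.")},
    {"id": 3, "subject": "Contact form: partnership",
     "body": "We'd like to discuss a partnership. Our deck: https://www.example.com/deck.pdf"},
]

# Phrases typical of the pressure language the article describes (assumed list, extend as needed).
PRESSURE_TERMS = ("copyright", "infring", "legal action", "lawsuit", "within 24 hours", "attorney")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def link_hosts(body):
    """Return the hostnames of all http(s) links found in a message body."""
    return [urlparse(u).hostname or "" for u in URL_RE.findall(body)]

def suspicious_hosts(hosts):
    """Keep only links on Google Sites, the sign-in-gated hosting the lure abuses."""
    return [h for h in hosts if h == "sites.google.com" or h.endswith(".sites.google.com")]

def score_submission(msg):
    """Return the reasons a submission matches the lure pattern, or [] if it does not."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    hosts = suspicious_hosts(link_hosts(msg["body"]))
    hits = [t for t in PRESSURE_TERMS if t in text]
    # Only the combination counts: a Google Sites link alone, or a complaint alone,
    # is ordinary customer traffic; together they match the described lure.
    if not (hosts and hits):
        return []
    return ["link to " + h for h in hosts] + ["pressure language: " + ", ".join(hits)]

def flag_submissions(messages):
    """Triage a batch; returns {id: reasons} for submissions worth holding for review."""
    flagged = {}
    for m in messages:
        reasons = score_submission(m)
        if reasons:
            flagged[m["id"]] = reasons
    return flagged

if __name__ == "__main__":
    for mid, why in flag_submissions(SAMPLE_MESSAGES).items():
        print(f"submission {mid}: " + "; ".join(why))
```

Held submissions can then be routed to a security mailbox instead of the customer-facing team, and the same two signals map directly onto an email-gateway or mail-flow rule.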

