Attackers are increasingly exploiting registration, subscription and feedback forms on trusted company websites to insert spam content or phishing links into the confirmation emails those sites send, a new report found.
For the attackers, the goal is to have the emails originate from a legitimate, reputable source so that recipients do not ignore them, said researchers at Kaspersky.
Spammers and phishers are constantly looking for new ways to deliver their messages while bypassing existing content filters. This finding shows the challenge companies face: spam or malicious content that appears to be sent on their behalf can undermine their customers' trust or even lead to personal data leaks.
The method is simple and effective for attackers to implement, because nearly every company solicits feedback from its clients to improve service quality, customer retention and brand image.
It is standard practice for businesses to ask customers to register a personal account, subscribe to newsletters or use feedback forms on the website, and all three give criminals a way to abuse the site's own mail-sending function. Each mechanism asks the customer for a name and an email address so that a confirmation email or reply can be sent.
Scammers are now using this to inject spam content and phishing links into those legitimate confirmation emails, said Kaspersky researchers.
They simply enter the victim's email address into the registration or subscription form and type their message in the name field. The company website then sends a confirmation email to that address in which the advertisement or phishing link appears at the beginning of the text, where the recipient's name would normally be.
“Most of these modified letters are linked to online surveys designed to obtain personal data from visitors,” said Maria Vergelis, security researcher at Kaspersky. “Notifications from a reliable source usually pass through content filters with ease, as they are official messages from a reputable company. This is why this new method of unwanted, yet seemingly innocent, spam emailing is so effective and concerning.”
To safeguard against potential reputational losses, the researchers advise companies to check how the feedback forms on their websites actually behave and to add verification rules that return an error message when a name containing inappropriate symbols is submitted.
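The abuse described above, and the name-field verification the researchers recommend, as an added Python example. This is not Kaspersky's code or any real site's form handler; the sample submissions, the field names and the greeting template are constructed here for illustration, and the link and name patterns are this example's own heuristics.

```python
import html
import re

# Constructed sample form submissions (not taken from the report). The first is a
# legitimate sign-up; the other two carry the spam text or phishing link in the
# name field, which is the abuse the article describes.
SAMPLE_SUBMISSIONS = [
    {"name": "Anna Petrova", "email": "anna@example.com"},
    {"name": "You have won a prize! Claim it at http://survey.example.net/win",
     "email": "victim@example.com"},
    {"name": "<a href='http://example.org/login'>Verify your account</a>",
     "email": "victim@example.com"},
]

# Hypothetical confirmation template: the name is the very first thing in the body.
GREETING = "Dear {name},\n\nThank you for registering with us."


def naive_confirmation(name):
    """Weak behaviour: whatever was typed into the name field lands verbatim at the
    top of the confirmation email, exactly where the attacker wants it."""
    return GREETING.format(name=name)


MAX_NAME_LEN = 64
# Anything that looks like a link or an address: a scheme, "www.", or a bare
# domain such as example.net. Deliberately strict, because this is a name field.
LINK_RE = re.compile(r"(https?://|www\.|[a-z0-9-]+\.[a-z]{2,}\b)", re.IGNORECASE)
# A name: starts with a letter, then letters, spaces, apostrophes, hyphens, dots.
# [^\W\d_] is "any Unicode letter", so accented and non-Latin names still pass.
NAME_RE = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ '\-.])*$")


def validate_name(name):
    """Return None if the name is acceptable, otherwise a short reason the form
    can show as its error message (the verification rule the researchers suggest)."""
    name = name.strip()
    if not name:
        return "name is required"
    if len(name) > MAX_NAME_LEN:
        return "name is too long"
    if LINK_RE.search(name):
        return "name must not contain links or addresses"
    if not NAME_RE.fullmatch(name):
        return "name contains characters that are not allowed"
    return None


def build_confirmation(submission):
    """Hardened path: the template only ever sees a name that passed validation,
    internal whitespace is collapsed, and the HTML part is escaped as well."""
    error = validate_name(submission["name"])
    if error:
        return {"sent": False, "error": error}
    name = " ".join(submission["name"].split())
    return {
        "sent": True,
        "text": GREETING.format(name=name),
        "html": "<p>Dear {},</p><p>Thank you for registering with us.</p>".format(
            html.escape(name)),
    }


if __name__ == "__main__":
    for sub in SAMPLE_SUBMISSIONS:
        # First line of the naive mail shows the injected content leading the message.
        print("naive   :", naive_confirmation(sub["name"]).splitlines()[0])
        print("hardened:", build_confirmation(sub))
```

Running the script prints a naive first line such as "Dear You have won a prize! Claim it at http://survey.example.net/win," for the second submission, while the hardened path refuses it with "name must not contain links or addresses". The character rule alone is not enough: the length cap matters because spam text is long, and the link check catches bare domains that consist only of letters and dots. In practice the form should also be rate-limited per source, since the attacker submits many addresses through it.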