Kaspersky researchers
have identified a global, emerging trend in spam and phishing delivery
techniques. Cybercriminals are increasingly exploiting registration,
subscription and feedback forms on trusted company websites to insert spam
content or phishing links into confirmation emails.
Cyber attackers are
constantly looking for new methods to deliver spam and phishing messages to
recipients while bypassing existing content filters. The goal is to have emails
originate from a legitimate, reputable source so that users do not ignore the
unwanted email. This creates a challenge for companies as the spam or even
malicious content, seemingly sent on their behalf, could compromise their
customers' trust or even lead to personal data leaks.
This method is
proving to be simple and effective for hackers to implement, as nearly every
company solicits feedback from their clients to improve their quality of
service, customer retention and brand image. It is a standard practice for
businesses to ask customers to register a personal account, subscribe to
newsletters or communicate through feedback forms on the website, all of which
provide several avenues for cybercriminals to gain access and exploit
sensitive data. All three mechanisms require a customer's name and email
address to be provided so they can receive a confirmation email or feedback.
According to
Kaspersky researchers, scammers are adding spam content and phishing links into
their malicious email messages. They simply enter the victim's email address in
the registration or subscription form and type their message in place of the
name. The company website will then send a modified confirmation letter to the
specified address containing an advertisement or phishing link at the beginning
of the text instead of the recipient's name.
"Most of these modified letters
are linked to online surveys designed to obtain personal data from visitors," notes Maria Vergelis,
security expert at Kaspersky. "Notifications
from a reliable source usually pass through content filters with ease, as they
are official messages from a reputable company. This is why this new method of
unwanted, yet seemingly innocent, spam emailing is so effective and
concerning."
To safeguard against
potential reputational losses, Kaspersky experts suggest checking how feedback
forms on company websites work. They also advise embedding several verification
rules that would cause an error message when trying to register a name with inappropriate
symbols.
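One way such a verification rule for the name field could look on the server
side, as an added example that is not from Kaspersky or the report. The function
name name_error, the 64-character cap and the allowed punctuation set are
assumptions chosen for illustration.

```python
import re
import unicodedata
from typing import Optional

MAX_NAME_LEN = 64  # assumed cap; a real name rarely needs more

# Anything that looks like a URL, e-mail address or bare domain.
_LINK_RE = re.compile(
    r"https?:|www\.|://|@|\b[a-z0-9-]+\.[a-z]{2,}\b", re.IGNORECASE
)
# Punctuation that legitimately occurs in personal names (assumed set).
_NAME_PUNCT = frozenset(" -'\u2019.")


def name_error(raw: str) -> Optional[str]:
    """Return None if raw is acceptable as a name, else the reason to show."""
    # NFKC folds full-width and other look-alike forms before the checks run.
    name = unicodedata.normalize("NFKC", raw).strip()
    if not name:
        return "empty"
    if len(name) > MAX_NAME_LEN:
        return "too long"
    if _LINK_RE.search(name):
        return "link or address"
    for ch in name:
        # Letters and combining marks of any script are allowed, so
        # non-Latin names pass; digits, symbols and control characters
        # (including CR/LF) are not.
        if unicodedata.category(ch)[0] in "LM" or ch in _NAME_PUNCT:
            continue
        return f"disallowed character {ch!r}"
    return None


if __name__ == "__main__":
    # Constructed sample submissions for the "name" field.
    for sample in ["Maria Vergelis", "Jean-Luc O'Neil",
                   "Take our survey: http://survey.example/x",
                   "You have won, claim your prize!"]:
        print(f"{sample!r}: {name_error(sample) or 'accepted'}")
```

Text made only of letters and spaces still passes these rules, so the length
cap is what limits how much of a message fits into the field.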
Read the full text of
the report on Kaspersky Daily.