Criminals Spread Trojans Via Company Contact Forms & Google URLs

Criminals Spread Trojans Via Company Contact Forms & Google URLs

Microsoft warned businesses of cybercriminals targeting employees by sending them phishing emails from their website contact forms.

Upon opening the link and entering their login details, victims unknowingly download a zip package with the IcedID info-stealing banking trojan.

This is a new trend that has recently started in which attackers target employees who are responsible for dealing with public requests. Attackers send legitimate Google URLs – in this case, a link to – that require employees to sign in with their Google credentials. Victims are urged to view images that are supposedly infringing the copyright.

“We observed an influx of contact form emails targeted at enterprises by means of abusing companies’ contact forms. This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections,” the company said

The page automatically downloads a ZIP file with a JavaScript file and then IcedID malware. It also downloads Cobalt Strike that allows the attackers to remotely control the device. 

Microsoft is rather concerned by the technique and calls these attacks “highly evasive” because attackers are abusing legitimate infrastructure – website contact forms. And by using Google URLs attackers can bypass email security filters. Researchers say attackers can probably bypass CAPTCHA challenges, too. 

This is a tricky attack to detect since phishing emails arrive from the company’s own contact form and email systems.

“As the emails are originating from the recipient’s own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry,” Microsoft notes. 

IcedID is a banking trojan and information stealer that can be used to carry out subsequent attacks, such as human-operated ransomware. This type of ransomware attack is increasingly common and requires the attacker to manually orchestrate the attack.

Instead of IcedID, it could just as easily be some other malware.

Microsoft has reported the campaign to Google’s security teams.

“We have already alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs,” Microsoft said. 

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.