Criminals spread malware using website contact forms with Google URLs


The company website ‘contact us’ forms are used by criminals to reach workers who receive contact requests from the public.

The crooks use these contact forms to send employees legitimate Google URLs that require users to sign in with their Google username and password.

Microsoft 365 Defender Threat Intelligence Team considered the threat serious as the attackers are using legitimate Google URLs to deliver malware. The Google URLs are helpful as it bypasses email security filters. The attackers have also bypassed CAPTCHA challenges that are used to test whether the contact submission is from a human.

Microsoft is concerned by the technique used and has currently detected the criminals using the URLs in email to deliver IcedID malware. But it could be used to transmit other malware as well.

IcedID is a banking trojan and information stealer and can be used as an entry point for attacks, such as manually operated ransomware for high-value targets. Human-operated ransomware attacks are common and in this case the attacker has to just sit at the keyboard and organized the attack, in contrast to an automated attack.

Microsoft has already alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs.

“We observed an influx of contact form emails targeted at enterprises by means of abusing

The companies’ contact forms are abused which indicates that the threat actors might have used a tool that automates this process while circumventing CAPTCHA protections. It is difficult to detect as the email arrives to employees from their own contact form and email marketing systems.

The attackers send emails that tempt the employee to respond and the email contains a link to a page.

When the employee does their job and signs into the site, the page automatically downloads a ZIP file with a JavaScript file, which in turn downloads IcedID malware as a .DAT file. It also downloads a component of the penetration-testing kit, Cobalt Strike, that allows the attacker to control the device over the internet.

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News

    Hackers tampered with APKPure store to distribute malware apps

    Previous article

    NAME:WRECK vulnerabilities impacts 100 M IoT devices

    Next article

    You may also like

    More in Malware


    Leave a reply

    Your email address will not be published. Required fields are marked *