More and more spammers are exploiting registration, subscription, and feedback forms on legitimate websites of respected and trustworthy companies to insert spam content or phishing links into confirmation emails from them on a global scale.
Researchers at Kaspersky Labs have identified this trend in bypassing existing content filters and delivering spam and phishing messages to recipients.
SC Media UK last month reported a trend called lateral phishing, where spammers leverage a compromised enterprise account to send phishing emails to other users, benefitting from both the implicit trust and the information in the hijacked user’s account.
The latest method is quite simple and effective, say the researchers. Almost every company has an online presence and solicits feedback from their clients and customers. To do this, the customers are required to register a personal account, subscribe to newsletters or communicate with feedback forms on the website.
All of these steps require the customers’ name and email address. Kaspersky researchers say scammers add spam content and phishing links into this mail. They simply add the victim’s email address into the registration or subscription form and type their message instead of the name.
The website will then send a modified confirmation letter to that address, containing an advertisement or phishing link at the beginning of the text instead of the recipient’s name. Most of these modified letters are linked to online surveys designed to obtain personal data from visitors.
"Notifications from a reliable source usually pass through content filters with ease, as they are official messages from a reputable company. This is why this new method of unwanted, yet seemingly innocent, spam emailing is so effective and worrying," Kaspersky security expert Maria Vergelis said in press statement.
When it comes to phishing campaigns like these, the onus of security is on the business targeted, Seareach director Stuart Jailler told SC Media UK in an email.
"Businesses can protect themselves by identifying the threats right away. Even basic ones like ‘unauthorised access to your computer’ should be dealt with immediately. The key is to act first," said Jailler.
Routine data security check and risk assessment are mandatory, he suggested. "Ensure all internal software is up-to-date, employees with computers, smartphone devices and other equipment which is taken off-site has the correct level of security and can easily be tracked and traced using asset labels should something happen."