Law Office Manager


Is your contact form providing a back door for cybercriminals?

April 10, 2022

By Doug Striker

As automated email filtering gets better at screening for phishing attempts, criminals are responding by looking for attack techniques that evade those tools. Believe it or not, their newest tactic is to fill out online contact forms and then use the response process to sneak malware into your system.

By now, we are all familiar with email phishing. Most law firms today are conducting (or should be conducting) security awareness training across their organizations. And, as mentioned above, email filtering technologies have advanced and are quite good at stopping some attacks. But crime never sleeps, and cybercriminals have been creatively seeking new ways to infiltrate our systems.

Contact forms and cybercrime

A company called Abnormal Security has found that a nasty piece of malware called BazarBackdoor is being distributed through this clever new social engineering technique, which succeeds in bypassing email filters.

Here’s how it works: Instead of sending phishing emails directly to your law firm’s employees, the threat actors first use your corporate contact form on your website to initiate communication. BleepingComputer describes it like this:

“…the threat actors posed as employees at a Canadian construction company who submitted a request for a product supply quote. After the employee responds to the phishing email, the attackers send back a malicious ISO file supposedly relevant to the negotiation. Since sending these files directly is impossible or would trigger security alerts, the threat actors use file-sharing services like TransferNow and WeTransfer.”

Abnormal Security, which has been tracking this trend in contact forms and cybercrime, describes the advantages the criminals see in this approach.

“There are two primary purposes for choosing this method for initial communication. It disguises the communication as a request that could be reasonably expected to be received through an online request form. It circumvents potential email defenses since the request would be delivered through a legitimate sender and does not contain any malicious content.”
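The follow-up pattern described above (a contact-form inquiry, then a reply carrying a file-sharing link) can be checked for during mail triage. The sketch below is an added example, not code from the article or from Abnormal Security; the `X-Contact-Form` header, the watched host list and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hosts to watch. The article names TransferNow and WeTransfer.
FILE_SHARE_HOSTS = {"wetransfer.com", "we.tl", "transfernow.net"}
# Assumption: the site's form mailer stamps its notifications with this header.
FORM_HEADER = "X-Contact-Form"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def share_links(body):
    """Return URLs whose host is a watched file-sharing host or a subdomain of one."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            hits.append(url)
    return hits

def flag_followups(raw_messages):
    """Flag mail from contact-form submitters that carries file-sharing links."""
    submitters, flagged = set(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        if msg[FORM_HEADER]:
            # Form notification: record the address staff will be replying to.
            addr = parseaddr(msg["Reply-To"] or "")[1].lower()
            if addr:
                submitters.add(addr)
            continue
        sender = parseaddr(msg["From"] or "")[1].lower()
        links = share_links(msg.get_payload())
        if sender in submitters and links:
            flagged.append((sender, links))
    return flagged

# Constructed sample messages (single-part plain text, in arrival order).
SAMPLE = [
    "From: webform@lawfirm.example\nReply-To: buyer@supplier.example\n"
    "X-Contact-Form: yes\nSubject: Quote request\n\nPlease send a quote.",
    "From: buyer@supplier.example\nSubject: Re: Quote request\n\n"
    "The specs are here: https://we.tl/t-EXAMPLE",
    "From: client@known.example\nSubject: Documents\n\n"
    "See https://wetransfer.com/downloads/EXAMPLE",
]

if __name__ == "__main__":
    for sender, links in flag_followups(SAMPLE):
        print("review before opening:", sender, links)
```

Only the second sample message is flagged: the third also links to a file-sharing service, but its sender never came in through the contact form.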

Is your contact form an open door to cybercriminals?

While this attack method may be new, the defense is essentially the same as what we have always advocated for: security awareness training.

This “contact forms and cybercrime” attack method works because employees think that emails coming through the contact form must be legitimate inquiries into your firm’s work. Now we know that is not necessarily true.

Do you have consistent processes in place to respond to inquiries that come into your law firm through your online contact form? If so, it is now time to make sure the people who respond to those inquiries are up-to-date in their security awareness training. They need to understand the threat of contact forms and cybercrime.

 

Filed Under: Topics, Information security, Marketing, Purchasing & leasing, Technology, articles Tagged With: Information security, Technology, Marketing, cybersecurity


Copyright © 2025 Plain Language Media, LLLP • 1-888-729-2315