Watch Out: New Social Engineering Attack Through Your Business’s Contact Form
Another week, another brand-new form of cyberattack.
It certainly feels that way, doesn’t it? As a business leader, it’s easy to veer in one of two directions. Either you live in constant fear, or you grow numb and complacent to the very real threats.
The best approach lies somewhere in the middle, where you recognize the threats for what they are and take appropriate steps to combat them.
This week, we’re shedding light on a new threat vector, one that affects any business with a website that has a contact form.
The New Threat Explained
This new threat isn’t all that complicated, and that’s part of what makes it so effective. Here’s how it works.
A threat actor visits your website normally, just like any other visitor would. They look for a contact form and fill it out, posing as a real lead or prospect. So far, if they’ve built an effective attack, they haven’t done anything out of the ordinary or suspicious. They just look like any other customer.
Next, your team does what they always do with “contact us” messages: they respond to them via email.
This is all very normal sounding, right?
The next step is where things take a turn.
When the “prospect” receives an email reply from a real person at your company (whether immediately or at the end of a sales funnel), they craft a reply of their own, with some kind of file or link to a download attached, something that your team member just has to access to continue the conversation and make the sale.
You can probably guess where this is headed. Sure enough, that file or link isn’t what the threat actor said it was. It’s straight-up malware. If your team member opens and runs the file, their system or account becomes compromised. From there, a data breach or even a ransomware attack could happen at any time.
A Phishing or Spear-Phishing Campaign in Disguise
There are a couple of things to note here. First, if you’ve been reading this or other security-related blogs for long, the second half of that attack might sound familiar. That’s because this is essentially just a phishing attack (or a spear-phishing attack, or something in between the two).
Look at the contours:
The bad guy sends an urgent email
It motivates your employee to take an ill-advised action (they want to make the sale, and that’s a good motivation!)
The fake link or attachment scrapes credentials or installs malware
The only difference is that instead of impersonating an important company or agency, the bad guys are now impersonating your customers and leads.
Second, consider the attachment. Most corporate email filters will catch malicious attachments, and they’re getting better at blocking malicious links. So the scammers are getting smarter: now they’re sending links to semi-legitimate or even wholly legitimate file transfer sites such as WeTransfer. Many companies use these sites in legitimate ways, and it’s difficult to distinguish which content is legit and which is compromised.
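Because a link to a legitimate file-transfer site will sail past an attachment filter, one practical defensive control is a triage rule on the mail side that holds replies in contact-form lead threads when they combine an external sender, a file-transfer link or risky attachment, and urgency language. The following is an added example written for this post; it is not code from the original article or from Blue Ridge Technology. WeTransfer is the only service the post names, so the second host entry, the attachment-extension list, the scoring weights and the sample messages are all constructed assumptions you would replace with your own.

```python
"""Triage heuristic for replies in contact-form lead threads (added example).

Assumptions: COMPANY_DOMAIN is your own mail domain; the second file-transfer
host, the extension list, the score weights and SAMPLES are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumed: your organisation's mail domain

# File-transfer services. The post names WeTransfer; the second entry is a
# constructed placeholder standing in for other services you would list.
FILE_TRANSFER_HOSTS = {"wetransfer.com", "transfer.example.test"}

# Attachment types that can run code or wrap an executable (assumed list).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".lnk", ".iso", ".zip", ".scr", ".html"}

URGENCY_WORDS = re.compile(r"\b(urgent|asap|today|immediately|right away)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


@dataclass
class Message:
    sender: str                      # address the reply came from
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # attachment file names
    from_contact_form: bool = False  # thread began as a website contact-form lead


def sender_domain(addr: str) -> str:
    """Domain part of an email address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def transfer_links(body: str) -> list:
    """URLs in the body whose host is (a subdomain of) a file-transfer service."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_TRANSFER_HOSTS):
            hits.append(url)
    return hits


def triage(msg: Message) -> dict:
    """Score one inbound message; a score of 5 or more means hold it for review."""
    score, reasons = 0, []
    external = sender_domain(msg.sender) != COMPANY_DOMAIN
    if msg.from_contact_form and external:
        score += 2
        reasons.append("external reply in a contact-form lead thread")
    links = transfer_links(msg.body)
    if links:
        score += 3
        reasons.append("file-transfer link(s): " + ", ".join(links))
    risky = [a for a in msg.attachments
             if any(a.lower().endswith(ext) for ext in RISKY_EXTENSIONS)]
    if risky:
        score += 3
        reasons.append("risky attachment(s): " + ", ".join(risky))
    if URGENCY_WORDS.search(msg.subject + " " + msg.body):
        score += 1
        reasons.append("urgency language")
    return {"score": score, "hold": score >= 5, "reasons": reasons}


# Constructed sample messages, not real mail.
SAMPLES = [
    Message(sender="buyer@prospect-corp.example", subject="Re: Quote request",
            body="Thanks! Specs are here, please download today: "
                 "https://wetransfer.com/downloads/abc123",
            from_contact_form=True),
    Message(sender="buyer@prospect-corp.example", subject="Re: Quote request",
            body="Thanks, can we schedule a call next week?",
            from_contact_form=True),
    Message(sender="colleague@example.com", subject="Re: Quote request",
            body="Forwarding the spec sheet: https://wetransfer.com/downloads/def456",
            from_contact_form=False),
]


def run_samples() -> list:
    """Triage every constructed sample and return the results in order."""
    return [triage(m) for m in SAMPLES]


if __name__ == "__main__":
    for m, result in zip(SAMPLES, run_samples()):
        print(m.sender, result)
```

Only the first sample is held: it is an external reply in a lead thread, carries a WeTransfer link, and pushes for action today. The internal colleague forwarding a WeTransfer link scores on the link alone and is let through, which is the point of scoring on the combination rather than blocking file-transfer sites outright. A hold should route the message to someone who can verify the lead out of band before anyone opens the download.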
Need Better Security, More Effective Security Training? We Can Help.
Attacks like this latest one can be frustratingly difficult to stop because they’re built to bypass typical technological controls. Still, it’s worth asking whether your current IT provider is keeping up with the latest threats like this one.
Ultimately, the best way to combat social threats like this one is through better education and more effective security training for your team.
At Blue Ridge Technology, we believe in both strategies. We keep our clients up to date with the latest security practices, and we keep your teams trained to spot social engineering threats like this one.
If you need help on either front — or both — reach out today. We’re ready to take your security strategy to the next level.