Social Engineering through Contact Form

Stu Sjouwerman | Mar 14, 2022

Email is the familiar form of phishing, but there’s an ongoing criminal campaign that follows a different, arguably subtler avenue of approach: the corporate contact form. Abnormal Security has found that the BazarBackdoor is being distributed through this social engineering technique, which succeeds in bypassing email filters.

Instead of sending phishing emails to the targets, the threat actors first use corporate contact forms to initiate communication. BleepingComputer describes how the process works:

“For example, in one of the cases seen by Abnormal's analysts, the threat actors posed as employees at a Canadian construction company who submitted a request for a product supply quote.

“After the employee responds to the phishing email, the attackers send back a malicious ISO file supposedly relevant to the negotiation.

“Since sending these files directly is impossible or would trigger security alerts, the threat actors use file-sharing services like TransferNow and WeTransfer.”

As automated email screening improves (and the improvements have been significant), criminals will adapt and move to new vectors.

Abnormal Security, which has been tracking this trend, describes the advantages the criminals see in this approach. “There are two primary purposes for choosing this method for initial communication.

  1. “It disguises the communication as a request that could be reasonably expected to be received through an online request form.
  2. “It circumvents potential email defenses since the request would be delivered through a legitimate sender and does not contain any malicious content.”

The backdoor being deployed by the threat actor is typically used to deploy BazarLoader malware against the victims, and that suggests who’s responsible. “Based on our analysis,” Abnormal Security writes, “we determined that these attacks were attempting to deploy BazarLoader malware. BazarLoader is most closely associated with the cybercrime group known as Wizard Spider, credited with developing the Trickbot banking trojan and Conti ransomware.”

As automated email filtering gets better at screening for phishing attempts, criminals respond by looking for attack techniques that evade those tools. Abuse of corporate contact forms is one such technique. New-school security awareness training can give your employees the educated suspicion that will enable them to avoid falling for the attacks that get through the filters you’ve deployed to protect them.
