“Contact Us” for Ransomware

By: Chris Clements, VP of Solutions Architecture, Cerberus Security Office

Cybercriminals are using web forms to spread ransomware, and here’s how you can protect yourself.

Most ransomware attacks tend to follow a predictable trajectory. They begin in one of three ways: a user opens a phishing email and clicks on a link or opens a malicious attachment; a VPN password is guessed or exposed by a third-party breach or pass-the-cookie attack; or a server is inadvertently exposed to the internet with a remote access service such as RDP listening. Once attackers have a foothold in an organization’s internal network, it can take only a few hours to a few days for even moderately skilled cybercriminals to escalate their privileges and gain complete control of the network. From there, they will quickly attempt to find and exfiltrate any valuable-looking data, locate and delete any online backups, and launch a mass-scale ransomware encryption run. This relative ease of compromising internal networks is one of the primary reasons we recommend that organizations make prevention of inbound threats a high priority, know how to detect threat actors once they have infiltrated the network, and have a recovery plan in place for when the inevitable occurs.

Bulletproofing internal networks is a challenge requiring both cybersecurity expertise and a lot of IT elbow grease. There is no absolute protection in cybersecurity, and the cybercriminals only need to get lucky once. Unfortunately, many SMEs do not have the expertise or manpower to devote to an internal IT security team, which makes the problem even worse. If you are in a similar situation, outsourcing to an MSP that has the experience and resources to secure your most valuable assets can be a compelling option.

It’s often both easier and faster to shore up defenses against external attackers and these common attack pathways with end-user awareness training, anti-spam and anti-phishing solutions, multifactor authentication on VPNs, and regular firewall rule audits. That’s not to say that securing internal networks has no value; in fact it is critical. But prioritizing protections against these common inbound threats can have a high impact quickly. Attackers are acutely aware of these defenses and are constantly looking for ways to defeat or bypass them to gain that all-important foothold in an organization’s internal network. For example, they know that an organization’s weakest link is usually its employees, and they try to exploit this weakness with increasingly sophisticated social engineering techniques.

That makes a new method our research team has recently observed especially interesting. We first became aware of it when a customer presented us with a suspicious email one of their employees had received; another organization soon received an almost identical message, submitted via a similar mechanism: the “contact us” form on the customer’s own website. These messages are shown below.

[“Contact Us” for Ransomware, Image 1 and Image 2: the two “contact us” form messages referred to above]

What makes this attack unique?

This social engineering attempt differs from the traditional phishing email in a few important ways that could tempt employees to click on it, even if they have undergone security awareness training.

  1. The “contact us” form on many websites sends an email from either an internal or a whitelisted email address, meaning it often bypasses the normal phishing and antivirus filters that might otherwise catch the message. This gives the attackers a huge advantage: they avoid the cat-and-mouse game of devising ways around the organization’s spam and phishing filters, and the lure is all but guaranteed to arrive in the target’s inbox.
  2. It’s harder for the recipient to dismiss this lure even though it carries two of the usual giveaways of a phishing attempt: an email from an unexpected source, combined with a demand for immediate action. Compound this with the fact that many businesses pride themselves on responding swiftly to incoming queries, and it creates the perfect storm for cybercriminals. The employees who receive emails from the “contact us” form are usually accustomed to hearing from unknown senders, and it can be hard for them to check a sender’s legitimacy. It is also unlikely that these employees are the website designers who would know the provenance of the images used on the organization’s web pages, and the appeal of a wronged independent photographer can be compelling. The added distress of receiving a threatening message like this can motivate the recipient to take action quickly, leading to a ransomware attack.
  3. Cybercriminals hosting malware on shared hosting sites such as Google Drive, as shown in this exchange, isn’t new. However, most employees do not know that attackers commonly leverage Google Drive to bypass organizational security controls such as web filtering. Many users incorrectly assume that the ubiquity of Google equates to security. The encrypted HTTPS connection prevents an organization’s gateway-scanning software from seeing the content of the data transferred, which in this case can contain the ransomware. It can also be difficult or impossible for a network-based security defense to apply a blanket “block Google” rule without causing problems for the organization’s services or devices that depend on Google. Indeed, many businesses are relying more and more on Google’s portfolio for business continuity and internal communication.

How to prevent falling victim to a malicious “Contact Us” web form attack:

The single biggest thing you should do as a business decision maker is to ensure that all personnel, but especially those who receive the “contact us” emails, receive ample security awareness training that covers this new attack vector. Employees should be aware that these emails do not receive the same screening as normal emails from the outside, such as anti-spam and anti-phishing filtering or the ever-present “[ Warning: this email originated from outside your organization ]” disclaimer, and that they should therefore be treated with the utmost scrutiny.

Secondarily, it makes sense for the IT team to investigate ways to apply the normal phishing protections to these emails without risking legitimate requests being marked as junk or deleted. If your in-house IT team doesn’t have the capability to do so, it is essential that you outsource to an enterprise that does.
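One way to close the gap described in points 1 and 3 above without junking legitimate inquiries is to screen each form submission before it is turned into an email: tag the resulting message so the mail gateway treats it as external rather than trusted internal mail, prepend the same warning banner external mail gets, and defang links to consumer file-sharing hosts when the text also pushes for urgent action. The following is an added illustration, not the author’s or Cerberus’s code. The header names (`X-Contact-Form-Origin`, `X-Contact-Form-Risk`), the list of file-sharing hosts, the urgency phrases and the sample submissions are all constructed for the example.

```python
"""Added example: pre-delivery screening of "contact us" form submissions.

Hypothetical handler. The assumed design is that the web form posts to
screen_submission() and the returned record is what gets emailed to staff.
Nothing is ever rejected; the message is only annotated so that people and
the mail filter both see it for what it is: text from an anonymous visitor.
"""
import re
from dataclasses import dataclass, field

# Constructed list of consumer file-sharing hosts often used to stage lures.
# A real deployment would load this from the organization's own policy.
FILE_SHARING_HOSTS = {
    "drive.google.com",
    "docs.google.com",
    "dropbox.com",
    "wetransfer.com",
}

# Constructed phrases that pressure the reader into acting immediately.
URGENCY_PHRASES = (
    "legal action",
    "within 24 hours",
    "copyright",
    "immediately",
    "lawsuit",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Mirrors the external-origin disclaimer that ordinary inbound mail receives.
EXTERNAL_BANNER = (
    "[ Warning: this message was submitted through the public web form "
    "by an unauthenticated visitor ]"
)


@dataclass
class Screened:
    subject: str
    body: str
    headers: dict = field(default_factory=dict)
    reasons: list = field(default_factory=list)


def _host_of(url):
    """Return the lower-cased host part of an http(s) URL, or ''."""
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _is_file_sharing(host):
    """True if host is a listed file-sharing host or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)


def defang(url):
    """Render a URL unclickable but still readable (hxxps://host[.]tld)."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def screen_submission(subject, body):
    """Annotate a form submission and return a Screened record.

    Links are defanged only when a risk indicator fires, so an ordinary
    customer who pastes their own website is left untouched.
    """
    reasons = []
    for url in URL_RE.findall(body):
        host = _host_of(url)
        if _is_file_sharing(host):
            reasons.append(f"link to file-sharing host {host}")
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            reasons.append(f"urgency phrase '{phrase}'")

    new_body = URL_RE.sub(lambda m: defang(m.group(0)), body) if reasons else body
    headers = {
        # Hypothetical headers: let the mail gateway route this through the
        # same link and attachment checks it applies to external senders.
        "X-Contact-Form-Origin": "public-web-form",
        "X-Contact-Form-Risk": "elevated" if reasons else "normal",
    }
    return Screened(
        subject=f"[WEB FORM] {subject}",
        body=f"{EXTERNAL_BANNER}\n\n{new_body}",
        headers=headers,
        reasons=reasons,
    )


if __name__ == "__main__":
    # Constructed sample resembling the lure described in the article.
    sample = screen_submission(
        "Unauthorized image use",
        "You used my photo. Proof: https://drive.google.com/file/d/ABC/view "
        "Remove it immediately or face legal action.",
    )
    print(sample.headers["X-Contact-Form-Risk"], sample.reasons)
    print(sample.body)
```

The design choice worth noting is that the handler never drops a submission: the risk header gives the mail filter the signal it is otherwise missing (the sender looks internal), the banner gives the recipient the cue they would get on any other outside email, and defanging forces a deliberate copy-and-paste rather than a reflexive click, while a benign quote request passes through unchanged.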

This type of attack shows that it’s not enough for organizations to invest in cybersecurity software solutions and training and leave it at that. Regardless of the quality and regularity of employee training or the sophistication of any anti-spam/anti-phishing solution, phishing emails such as the ones in the “contact us” campaign will arrive in employees’ inboxes, and some users will fall for the lure.

Organizations must adopt a culture of security that includes in-depth strategies for each stage: prevention, detection, and recovery, because it is just a time-and-numbers game before they fall victim to a successful attack.