August 8, 2019

Kaspersky Research Finds Scammers Distributing Spam and Phishing Emails from Legitimate Company Websites

Kaspersky researchers have identified growth in the use of a cunning spam and phishing delivery technique.

Woburn, MA – August 8, 2019 – Kaspersky researchers have identified a global, emerging trend in spam and phishing delivery techniques. Cybercriminals are increasingly exploiting registration, subscription and feedback forms on trusted company websites to insert spam content or phishing links into confirmation emails.

Cyber attackers are constantly looking for new methods to deliver spam and phishing messages to recipients while bypassing existing content filters. The goal is to have emails originate from a legitimate, reputable source so that users do not ignore the unwanted email. This creates a challenge for companies, as the spam or even malicious content, seemingly sent on their behalf, could compromise their customers’ trust or even lead to personal data leaks.

This method is proving to be simple and effective for hackers to implement, as nearly every company solicits feedback from its clients to improve quality of service, customer retention and brand image. It is standard practice for businesses to ask customers to register a personal account, subscribe to newsletters or communicate through feedback forms on the website, all of which provide several avenues for cyber criminals to gain access and exploit sensitive data. All three mechanisms require a customer’s name and email address to be provided so they can receive a confirmation email or feedback.

According to Kaspersky researchers, scammers are adding spam content and phishing links into their malicious email messages. They simply add the victim’s email address into the registration or subscription form and type their message instead of the name. The company website will then send a modified confirmation letter to the specified address containing an advertisement or phishing link at the beginning of the text instead of the recipient’s name.

“Most of these modified letters are linked to online surveys designed to obtain personal data from visitors,” notes Maria Vergelis, security expert at Kaspersky. “Notifications from a reliable source usually pass through content filters with ease, as they are official messages from a reputable company. This is why this new method of unwanted, yet seemingly innocent, spam emailing is so effective and concerning.”

To safeguard against potential reputational losses, Kaspersky experts suggest checking how feedback forms on company websites work. They also advise embedding several verification rules that would cause an error message when trying to register a name with inappropriate symbols.
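One way to implement the verification rule suggested above for the name field of a registration, subscription or feedback form. This is an added example, not code from Kaspersky's report; the function names, the 64-character limit and the allowed punctuation set are assumptions to adapt to your own forms.

```python
import re
import unicodedata

MAX_NAME_LEN = 64                  # assumed limit; long enough for real names
ALLOWED_PUNCT = set(" -'.\u2019")  # space, hyphen, apostrophes, period (assumed)

# A token such as "survey.example": text, a dot, then two or more characters.
# Initials like "J.R. Tolkien" do not match, because each dot is followed by
# at most one character before the next dot or space.
DOMAIN_LIKE = re.compile(r"[^\s.]+\.[^\s.]{2,}")


class NameRejected(ValueError):
    """Raised so the form handler can show an error instead of sending mail."""


def validate_display_name(raw: str) -> str:
    # NFKC folds look-alike forms (e.g. fullwidth dot) into their plain
    # equivalents so the checks below cannot be sidestepped with them.
    name = unicodedata.normalize("NFKC", raw).strip()
    if not name:
        raise NameRejected("name is empty")
    if len(name) > MAX_NAME_LEN:
        raise NameRejected("name is too long")
    for ch in name:
        category = unicodedata.category(ch)
        # Letters (L*) and combining marks (M*) in any script are accepted;
        # digits, ':', '/', '!', '@' and control characters are not.
        if category[0] in ("L", "M") or ch in ALLOWED_PUNCT:
            continue
        raise NameRejected(f"character {ch!r} is not allowed in a name")
    if DOMAIN_LIKE.search(name):
        raise NameRejected("name looks like a link")
    return name


def is_acceptable(raw: str) -> bool:
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        validate_display_name(raw)
        return True
    except NameRejected:
        return False
```

Call `validate_display_name` on the server before the confirmation email is generated, and return the error to the form rather than sending anything. Short text made only of letters and spaces still passes, so the length limit is what bounds how much of a message fits in the field.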

Read the full text of the report on Kaspersky Daily.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.usa.kaspersky.com.

Media Contact:

Cassandra Faro
Cassandra.Faro@Kaspersky.com
781-503-1812