A large-scale abuse of registration, subscription and feedback forms on the websites of respected, trustworthy companies is under way: attackers use the forms to get spam or phishing links inserted into the confirmation emails those companies send out, and the campaign is global.
Kaspersky Lab has identified the technique as a way of slipping past existing content filters and delivering spam and phishing messages straight to recipients' inboxes.
Kaspersky also describes a related new trend it calls side phishing, in which spammers use a compromised corporate account to send phishing emails to other users, benefiting both from the implicit trust placed in the hijacked account and from the information stored in it. The form-abuse method is different in one important respect: no account is compromised at all, since the email is generated and sent by the legitimate company's own systems.
One of the new methods is simple and effective, experts say. Almost every company has an online presence and invites feedback from its customers: visitors are asked to register a personal account, subscribe to a newsletter, or get in touch through a feedback form on the site.
Such a form typically asks for nothing more than a name and an email address. Kaspersky's experts say fraudsters use exactly those two fields to add spam content and phishing links to the company's mail: they enter the victim's email address in the address field and type their message, link included, into the name field.
The site then sends its usual confirmation email to that address, but the greeting now begins with the advertisement or phishing link where the recipient's name would normally appear. Many of the modified messages Kaspersky observed pointed to online surveys designed to harvest visitors' personal data.
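To make the defect concrete, here is an added example (written for this page, not Kaspersky's or any vendor's code) of a subscription handler that echoes the name field verbatim into the greeting, next to a hardened version that validates the field before anything is sent. The field names, the length and word-count limits, and the sample submissions are all assumptions constructed for the illustration.

```python
import re
from typing import Tuple

# Assumed policy limits for the hypothetical "name" field (not from the article).
MAX_NAME_LEN = 64
MAX_NAME_WORDS = 5

# Anything that looks like a link or a bare domain inside the name field.
URL_RE = re.compile(
    r"(?:https?://|ftp://|www\.|\b\S+\.(?:com|net|org|ru|io|xyz|link|info|top)\b)",
    re.IGNORECASE,
)
# Unicode letters separated by spaces, dots, apostrophes or hyphens.
NAME_RE = re.compile(r"^[^\W\d_]+(?:[ .'\-]+[^\W\d_]+)*$")


def build_confirmation_vulnerable(name: str, email: str) -> str:
    """Typical subscription confirmation: whatever was typed into the name
    field is echoed verbatim as the first line of the message body."""
    return (
        f"To: {email}\n"
        "Subject: Please confirm your subscription\n\n"
        f"Hello {name},\n\n"
        "Thank you for subscribing to our newsletter. "
        "Click the confirmation link we sent to activate your subscription.\n"
    )


def validate_name(name: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects input that cannot plausibly be a
    person's name and could be used to smuggle spam into the email."""
    if not name.strip():
        return False, "empty"
    if len(name) > MAX_NAME_LEN:
        return False, "too long"
    if "\r" in name or "\n" in name:
        return False, "line break (header injection / message smuggling)"
    if URL_RE.search(name):
        return False, "contains a link or domain"
    if len(name.split()) > MAX_NAME_WORDS:
        return False, "too many words for a name"
    if not NAME_RE.match(name.strip()):
        return False, "unexpected characters"
    return True, "ok"


def build_confirmation_hardened(name: str, email: str) -> Tuple[bool, str]:
    """Reject the submission outright when the name fails validation, and
    never let user-supplied text be the first thing the recipient reads."""
    accepted, reason = validate_name(name)
    if not accepted:
        # Drop and log rather than send: a rejected submission costs a
        # legitimate user one retry, an accepted spam one costs the company
        # its sender reputation.
        return False, f"rejected: {reason}"
    body = (
        f"To: {email}\n"
        "Subject: Please confirm your subscription\n\n"
        "This address was entered on our subscription form. "
        "If that was not you, simply ignore this message.\n\n"
        f"Hello {name.strip()},\n"
        "Click the confirmation link we sent to activate your subscription.\n"
    )
    return True, body


# Constructed sample submissions (not real campaign data).
SAMPLES = [
    ("Alice Smith", "alice@example.com"),
    ("Jean-Luc O'Brien", "jl@example.com"),
    ("You have won a prize, claim it at http://prize.example/claim", "victim@example.com"),
    ("Special offer visit free-gift.example.com today", "victim@example.com"),
    ("Your account is locked call us now to restore access", "victim@example.com"),
]


def triage(samples=SAMPLES):
    """Map each sample name to the validator's verdict."""
    return [(name, validate_name(name)[0]) for name, _ in samples]


if __name__ == "__main__":
    for name, email in SAMPLES:
        print(build_confirmation_vulnerable(name, email).splitlines()[3])
        ok, out = build_confirmation_hardened(name, email)
        print("  ->", "SENT" if ok else out)
```

Two design choices are worth noting. The name regex alone is not enough, because a short spam sentence made only of letters and spaces passes it; the word-count limit and the link check are what actually catch the samples above. And the hardened template puts a fixed sentence before the greeting, so that even a string that slips through validation is never the opening line of an email sent under the company's name.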
“Letters from a reliable source usually pass through content filters without problems, as these are official messages from a reputable company. That's why the new method of unwanted but seemingly innocent spam mailing is so effective and disturbing,” Maria V., a Kaspersky security expert, said in a press statement.
When it comes to phishing campaigns like these, the onus of security is on the business being targeted, Seareach director Stuart Jailler said in an email.
“Businesses can protect themselves by identifying the threats right away. Even basic ones like ‘unauthorised access to your computer’ should be dealt with immediately. The key is to act first,” said Jailler.
Routine data security checks and risk assessments are mandatory, he suggested. “Make sure all internal software is updated, and that employees' computers, smartphones and other hardware have the right level of security and can be easily tracked using asset labels if anything happens.”