How contact forms can be exploited to conduct large scale phishing activity?
By Abhishek BhatiPublished On February 9, 2022
A contact form for customer inquiries is one of the most common features present on the websites of most companies. It provides an easy way for prospective customers to get in touch with the company.
WordPress’ plugins are available that can help you create such functionality in a simple way. Some companies go beyond and acknowledge the message received from the customers.
But how can this be leveraged to conduct phishing activity?
During the application security assessment for one of our clients, we came across a Contact Us form that looked like the following image:
At first glance, the form seems pretty standard and harmless, but just out of curiosity, we entered data and sent our query. We entered the data in the fields as shown below:
Almost instantly after this, we received a reply from the company, as depicted in the image below:
We then checked if there was any system in place to verify whether the user entering the details actually owns the email ID being entered. Turns out, there wasn’t.
On further investigation, it was found that the number of emails that can be sent weren’t limited to. A POC for how this can be exploited by an attacker is shown in the image below:
From the above email, it can be seen that without any restrictions, the attacker can redirect the user to any vulnerable link.
Furthermore, the attackers also don’t have to set up their own phishing infrastructure. They also don’t have to spend effort on account takeover of legit emails that is normally done in the email reply chain. Since the email is coming from the domain of a company that already has a reputation and proper records in place, the chances of the email landing in SPAM also turn out to be very low. With careful planning regarding the timing and crafting a highly enticing content, a large-scale phishing campaign can be conducted with the help of this form with a high degree of decisiveness.
Even in Red Teaming Activities, such forms which are often ignored by the companies from a security perspective are leveraged to conduct large scale phishing attacks. Credentials can also be harvested in a very precise manner with such vulnerable forms to employees and other related people of the company. In addition, these can often provide entry points to the customer accounts of the targeted organization.
This can lead to several impacts on the organization:
Exhausting the email supply of the domain.
Defaming the company by sending false advertisements to multiple people.
Sending multiple emails to downgrade the reputation of the domain so that even legit emails start landing in spam.
Attacking and disrupting the businesses of existing customers of the company by sharing misleading information through this email.
The perfect solution to this will be not to send the message entered in the Contact Form as an acknowledgement. If it is a really highly desired feature, a more extensive message can be included at the beginning of the reply mail. Also, a link for reporting the suspicious emails can be set up to detect an attack, and it should be included in the main content of the message rather than the Disclaimer.
For example, instead of
The reply email can contain a message with much more clarity:
The user control over the email content and the body should be removed completely if sending only an acknowledgement is required.
A simple message like the following can be sent for acknowledgement:
To prevent the misuse of the form by someone sending too many emails, captchas can be implemented.
In addition to this, rate limiting mechanisms should be implemented to limit the number of requests.
Along with this, proper monitoring systems should be in place to check how many emails are being sent from your organization’s account. If there is a heightened activity that is different from the normal rate of sending, an alert system should be in place so that proper corrective action can be taken.
Test your organization’s resilience against modern phishing activity – Contact Us
Moreover try our new product Strobes which is a one-stop-shop solution for all security stakeholders to ensure that their enterprise is well guarded against security issues and cyber attacks.