How Web Forms Can Steal Your Bandwidth and Harm Your Brand
Spamming is a word we all know and an activity we all loathe. The word “spam” has given us related terms such as SPIM for spam via instant messaging; SPIT for spam via internet telephony (robocalls and fake tech support scams); and SPEWS, which is our tongue-in-cheek name for spam via electronic web submissions.
SPEWS HAVE TYPICALLY GONE TWO WAYS:
- Crooks use bulk HTTP posting tools to fill out online comment forms on forums and blogs – trying to sneak past spam filters or moderators to get free ads and bogus endorsements posted and publicly visible.
- Crooks use reporting or contact forms to send phishy messages into your organization to trick the form processing system into generating an internal email from content that came from outside, sidestepping spam filtering that external emails would usually undergo.
Cybersecurity researchers at the Russian outfit Dr.Web recently reminded us all of a third way that crooks can use SPEWS to do their dirty work. They noticed spamtrap emails that actually came from genuine corporate senders, but with poisoned web links in the greeting part. Instead of saying, Hi, Mr Ducklin, as you might expect from a genuine email from a trustworthy brand, they said something more along the lines of Hi, MONEY FOR YOU! [weblink here], but with a legitimate-looking sender.
Indeed, digging into the emails showed not only that the sender was legitimate but also that the email did originate from a server you’d expect – there was no sender spoofing going on. (Spoofing is where the crooks deliberately put a bogus name in the From: field, so at first glance the email seems to come from somewhere you trust.)
HOW IT WORKS
What the crooks are doing is subscribing to official corporate mailing lists but putting in other people’s email addresses so that the victims receive a signup message, even though they didn’t sign up. Ironically, they’re abusing a built-in mailing list safety feature that sends a one-off confirmation email before actually activating a mailing list subscription. It’s often referred to as double opt-in – you submit your email (opt-in #1); then you click a link in an email sent to you to confirm your permission (opt-in #2).
Double opt-in is meant to stop other people signing you up, either through accident or malevolence, but it does mean that anyone with access to the sign-up form can get a legitimate company to send you a one-shot email from one of its legitimate servers.
To a crook, that feels like a challenge – a genuine email server that can be automatically or semi-automatically triggered to send a message to someone else’s email address.
Signup emails are typically unexciting because they’re meant to be a simple confirmation of a choice you already made. But some organizations can’t resist the glitzy marketing treatment – even to their mailing list confirmations – filling them with logos, clickable links, tempting offers, etc.
Even though marketing to you as part of getting approval to market to you is annoying, receiving one glamorous and groovy email that you weren’t expecting probably isn’t a big deal.
What is a big deal is that Dr.Web noticed that several major brands and services were not very cautious about how much information from the signup form itself they trustingly copied into the signup email and ‘reflected’ back to the supplied email address.
For example, instead of signing me up as Duck and getting an email pushed out to me with a greeting Hi, Duck… the crooks might be able to sign up as Duck! GET RICH QUICK [link] and trigger an email to me that said, Hi, Duck! GET RICH QUICK [clickable link].
The spammy part of the confirmation email would end up wrapped into a visually appealing, on-brand, professionally produced HTML page, giving it cultural credibility it didn’t deserve.
Worse, the email itself would pass all anti-spam sender checks such as SPF, DKIM and DMARC, because it really came from the right server, giving it credibility it didn’t deserve.
WHAT TO DO?
When re-using untrusted data submitted from outside, be careful not to pass on any of that data in the body of any web page you return, or email you generate.
Otherwise you open up your website or email server to reflection attacks, where you send out dodgy content that I get to choose.
If I give my name as Paul (or some crook gives my name for me), then sending me an email with the text Hello, Paul is mostly harmless, albeit presumptuous.
But if a crook gives my name as Why not try this fantastic website [insert web hyperlink here], then sending me an email with that text in it is dangerous, because it could lead to a phishing site, malware, etc.
SO, FOLLOW OUR ADVICE:
- Validate your input. If it came from outside, you can’t trust it, so check it. And even if it came from inside, check it anyway to filter out inappropriate, irrelevant or unwanted data.
- Keep confirmation emails simple. The simpler you keep it, the lower the chance that anyone can abuse your system to spew messages that look like something they aren’t.
- Don’t re-use anything from the input form except the raw signup email address. There’s no point in addressing me as “Dear Paul Ducklin” in an email that’s supposed to assume it might not be me at all. You don’t know me, so be honest and just use the word “you” instead.
- Pass autogenerated emails like this through your regular spam filter if you can. Don’t exonerate web form submissions from spam filtering just because they were generated from a supposedly secure server managed by IT.
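To make the reflection problem described above concrete, here is an added example (not code from the article, Sophos or Dr.Web) of a double opt-in confirmation builder written two ways: a vulnerable version that copies the untrusted name field straight into the greeting, and a hardened version that follows the advice in the list above. The sample submissions, the domain lists.example.com and the confirmation token are constructed placeholders, and the URL-spotting pattern is a simple heuristic for logging suspicious signups, not a substitute for keeping the name out of the email altogether.

```python
import re
from email.message import EmailMessage

# Constructed sample form submissions (not taken from the article): a normal
# signup, a signup whose "name" field carries a spammy link, and a bad address.
SAMPLE_SUBMISSIONS = [
    {"email": "duck@example.com", "name": "Duck"},
    {"email": "duck@example.com",
     "name": "Duck! GET RICH QUICK https://bad.example/claim"},
    {"email": "not an address", "name": "Duck"},
]

# Placeholder confirmation link; a real system would mint a per-signup token.
CONFIRM_URL = "https://lists.example.com/confirm?token=TOKEN_PLACEHOLDER"

# Conservative syntactic check: one '@', no whitespace, a dotted domain part.
EMAIL_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")

# Heuristic for things that look like links or domains inside a "name" field.
LINKISH_RE = re.compile(r"(https?://|www\.|[a-z0-9-]+\.[a-z]{2,})", re.IGNORECASE)


def build_confirmation_vulnerable(submission):
    """'Before' version: the untrusted name is reflected verbatim into the body,
    so whatever the submitter typed goes out from the brand's own mail server."""
    msg = EmailMessage()
    msg["To"] = submission["email"]
    msg["Subject"] = "Please confirm your subscription"
    msg.set_content(f"Hi, {submission['name']}\n\nClick to confirm: {CONFIRM_URL}\n")
    return msg


def validate_email(address):
    """Return the address if it is syntactically plausible, else None."""
    address = address.strip()
    return address if EMAIL_RE.fullmatch(address) else None


def build_confirmation_hardened(submission):
    """'After' version: validate the address, reuse nothing else from the form,
    and address the recipient as 'you'. Returns None if the address is unusable."""
    addr = validate_email(submission["email"])
    if addr is None:
        return None
    msg = EmailMessage()
    msg["To"] = addr
    msg["Subject"] = "Please confirm your subscription"
    msg.set_content(
        "Hi,\n\nSomeone (possibly you) asked to subscribe this address to our list.\n"
        f"If that was you, click to confirm: {CONFIRM_URL}\n"
        "If it wasn't, you can ignore this email and nothing will happen.\n"
    )
    return msg


def looks_like_spew(name):
    """Detection helper: True if the name field carries a URL or domain-like
    token, the pattern the article describes. Useful for logging or alerting."""
    return bool(LINKISH_RE.search(name))


if __name__ == "__main__":
    for sub in SAMPLE_SUBMISSIONS:
        flagged = looks_like_spew(sub["name"])
        hardened = build_confirmation_hardened(sub)
        print(f"{sub['email']!r}: spew-like name={flagged}, "
              f"email sent={'yes' if hardened else 'no (invalid address)'}")
```

Running the script shows the second submission flagged as spew-like and the third rejected outright; the hardened body never contains the name field, so the greeting cannot be turned into an ad no matter what was typed into the form.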
As so often in cybersecurity, less is more!
Published with permission of Sophos