The scammers are at it again. I recently had a client report an email they received through their website’s contact form. It claimed that my client’s website was the source of DDoS (Distributed Denial-of-Service) attacks on the sender’s company servers. The emails read like this:
This message was written to you in order to notify you that we are currently experiencing serious network problems and we have detected a DDoS attack on our servers coming from your website or a website that your company hosts (domainname.com). As a consequence, we are suffering financial and reputational losses.
We have strong evidence and belief that your site was hacked and your website files were modified, with the help of which the DDoS attack is currently taking place. It is strictly advised for you as a website proprietor or as a person associated with this website to take immediate action to fix this issue.
To fix this issue, you should immediately clean your website from malicious files that are used to carry out the DDoS attack.
I have shared the log file with the recorded evidence that the attack is coming from palmwoodrealty.com and also detailed guidelines on how to safely deal with, find and clean up all malicious files manually in order to eradicate the threat to our network.
Click on the link below to download the DDoS attack evidence and follow the instructions to fix the issue:
https://storage.googleapis.com/[redacted for security reasons]
Please be aware that failure to comply with the instructions above and/or if DDoS attacks associated with palmwoodrealty.com do not stop within the next 24-hour period upon receipt of this message, we will be entitled to seek legal action to resolve this issue.
If you experience any difficulties trying to solve the issue, please reply immediately with your personal reference case number (included in the log report and instructions mentioned above) and I will do my best to help you resolve this problem asap.
Very truly yours,
IT Security Team Leader
While they sure make it sound scary, rest assured this email is not legit.
This contact form submission is making the rounds using big brand company names, including Intuit and HubSpot, as the supposed sender. However, I can pretty much assure you that a large company like Intuit or HubSpot will not send such an email through your website’s contact form. They would have better ways of dealing with such an event.
Like other contact form spam, an email like this is designed to sound scary and make you think you need to address a serious issue right away. The end goal is to get you to click on the link they provide to “clean things up,” where they have usually stored a malicious file that can deploy malware or ransomware to your computer. NEVER CLICK ON LINKS IN EMAILS LIKE THIS!
Matthew Mesa, a Proofpoint security researcher, noted in a tweet that messages sent through a contact form like this often deliver malware, including the BazaLoader, that is hosted on a Google site.
Of course, this isn’t the first time contact forms on websites have been used to deliver such malware. In April of 2021, Microsoft threat experts noticed that hackers were misusing contact forms published on websites to deliver malicious links to organizations. How? By using emails with fake legal threats. In their article they described the use of this contact form spam to deliver IcedID, an info-stealing malware.
This same sort of attack has also been hidden in a Digital Millennium Copyright Act (DMCA) email complaint, linking to a document that allegedly holds proof that you stole pictures from the sender and used them on your site. We have written about this one previously.
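All three variants described above (the DDoS threat, the fake legal threat, and the DMCA complaint) share the same shape: threatening or urgent language, a deadline, and a link to a file on a public hosting service. The following is an added example, not code from this post, of a small triage filter a site owner or developer could put in front of a contact form’s mail handler to flag submissions with that shape for review instead of delivering them straight to the inbox. The phrase list, the file-host list, the scoring threshold and the two sample messages are all constructed for the example and would need tuning for a real site.

```python
import re
from urllib.parse import urlparse

# Phrases typical of the threat/urgency framing used by this kind of
# contact form spam. Constructed for the example; extend as you see new variants.
THREAT_PATTERNS = [
    r"\bddos\b",
    r"\blegal action",
    r"\bdmca\b",
    r"\bcopyright\b",
    r"\bhacked\b",
    r"\bmalicious files?\b",
    r"\bwithin the next \d+ hours?\b",
    r"\bfailure to comply\b",
]

# Public file-hosting domains these campaigns use to park the "evidence" file.
# storage.googleapis.com appears in the email quoted above; the others are
# assumptions added for the example.
FILE_HOST_SUFFIXES = (
    "storage.googleapis.com",
    "sites.google.com",
    "drive.google.com",
    "dropbox.com",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the URLs in a message body, with trailing sentence punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def score_submission(text):
    """Count threat phrases and file-host links; return (score, reasons)."""
    reasons = []
    lowered = text.lower()
    for pat in THREAT_PATTERNS:
        if re.search(pat, lowered):
            reasons.append(f"threat language: {pat}")
    for url in extract_urls(text):
        host = (urlparse(url).hostname or "").lower()
        if host_matches(host, FILE_HOST_SUFFIXES):
            reasons.append(f"link to file host {host}")
    return len(reasons), reasons


def triage(text, threshold=3):
    """Decide whether a submission should be quarantined for manual review."""
    score, reasons = score_submission(text)
    verdict = "quarantine" if score >= threshold else "deliver"
    return {"verdict": verdict, "score": score, "reasons": reasons}


# Constructed sample: a condensed version of the scam email quoted in the post,
# with a placeholder domain and bucket path.
SCAM_SAMPLE = (
    "We have detected a DDoS attack on our servers coming from your website "
    "(example.com). We have strong evidence that your site was hacked and your "
    "website files were modified. Clean your website from malicious files "
    "immediately. Download the attack evidence here: "
    "https://storage.googleapis.com/example-bucket/evidence.zip "
    "Failure to comply within the next 24 hours will result in legal actions."
)

# Constructed sample: an ordinary enquiry a realty site might receive.
BENIGN_SAMPLE = (
    "Hi, I saw your listing for the three-bedroom house on Oak Street and would "
    "like to schedule a viewing this weekend. Please call me at the number below."
)

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample))
```

Quarantined submissions still reach a human, so a genuine (if unusual) message is delayed rather than lost; the point is that a site owner never opens the hosted "evidence" file because it arrived in the inbox looking routine.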
So stay safe. Stay diligent. And, if you aren’t sure if something is legit or not, do an internet search or ask your website designer or developer.