Cyber criminals exploit Formcrafts to craft phishing pages

Over the past seven years, cybercriminals have used the Formcrafts online service to craft phishing pages with the intent of stealing credentials, banking information, and other sensitive data

Bank Security
6 min readFeb 8, 2024

Introduction

Since at least 2017, threat actors have been illicitly utilizing the Formcrafts’ legitimate services to generate online forms for the creation of their malicious phishing pages.

This article will delve into the mechanics of Formcrafts and examine how cybercriminals have utilized it for malicious ends throughout the years.

What is Formcrafts?

FormCrafts is a user-friendly online form builder that allows you to create functional forms for your website or application. It is a drag-and-drop tool, so you don’t need any coding experience to use it.

The interface makes building a wide range of forms, from simple contact forms to complex surveys and payment gateways, a breeze.

You can easily sign up for a free account on their website and play with it:

Link: https://formcrafts.com/

Create a form

Once registered, you have the option to create a form either from scratch or by utilizing the templates provided on the site:

First form creation page

Once the form is created, you can easily publish it with just a simple click, making it accessible to everyone. Later, you can embed it in an email, getting the user to enter their details.

Formcraft provides different fields that you can add to your form. All fields can be customized with the type of data you expect the user to enter such as email, username, password and credit card number.
Additionally, you can configure a secondary courtesy page to display once the form has been filled out and submitted.

Basic field addition to your form

This type of customization combined with the possibility of adding images to your page thus mimicking the original one makes it a perfect tool for the cyber criminals.

Email notification

As additional feature you can configure email notifications to receive updates every time a user fills out the form. This allows you to stay informed about who is entering the data and when:

Email notifications settings

IP geolocation restriction

Another default and free-of-charge feature is the ability to restrict the display of the form to specific countries. This functionality can be advantageous for cybercriminals aiming to target users in particular geographical areas, thereby evading detection by standard cybersecurity solutions and analysts:

IP geolocation option (useful for cyber criminals in targeted attacks)

Statistics and Analytics

You can monitor the status of your forms along with their corresponding statistics directly from the main page:

Analytics
Insights

Clear text responses

A primary exploited feature of this product is its capability to access all cleartext responses submitted by users. For instance, if a deceptive form prompts users to enter their credentials or bank details, the Threat Actor managing the form can readily view the passwords or bank codes / credit card numbers:

Response view

Another feature susceptible to abuse by cybercriminals is the capability to prompt users to upload documents. For instance, in a cyber espionage campaign, a criminal group might find it advantageous to gather CVs or ID documents from targeted users. In such instances, they could include in the form a mandatory field requesting document uploads, compelling users to submit the requested files.

How Cyber Criminals are (ab)using it?

Cybercriminals have transformed this service into a Phishing-as-a-Service platform, leveraging it to orchestrate their phishing campaigns through custom-created form pages. Over the years, numerous brands have been exploited as lures on these phishing pages.

With its features, Formcraft facilitates monitoring of link clicks and form submissions, offering clear visibility into user interactions. Remarkably, these functionalities are accessible with a free account, easily created using a temporary email address.

To track down phishing pages that have exploited Formcrafts, you can refer to this list:

page.url:”formcrafts.com/a/*”

https://urlscan.io/search/#page.url%3A%22formcrafts.com%2Fa%2F*%22

In recent years, cybercriminals have utilized Formcrafts to fabricate phishing pages, employing various brands as bait to gather credentials, personal information, or bank account details. Below are some concrete examples:

Webmail

Cybercriminals have utilized generic webmail forms as bait against their targets:

Webmail phishing examples
Microsoft phishing examples
Telco phishing examples
University phishing examples

Links:
https://urlscan.io/result/a5c2bc7d-2bbb-4416-9975-89f296fb7400/
https://urlscan.io/result/1b6458dd-7667-45f5-8658-2afacedd1961/
https://urlscan.io/result/9ee9d846-2d3d-4488-a864-2bd6c5047ed7/

Banking info

Below is an example aimed at stealing credentials and credit card data:

https://urlscan.io/result/97d3bee9-219f-4f05-835d-a36036ba3577/

Fake file hosting

Below you can see a case where the attackers used Formcraft to create a fake page for downloading a file which is then redirected to another page hosting the real phishing:

Conclusion

Formcrafts has been observed as one of the tool for cybercriminals seeking to orchestrate phishing attacks. Despite its legitimate purpose as a user-friendly form builder, its ease of use and customizable features have been exploited to craft convincing phishing pages, targeting users with the intent of stealing sensitive information.

Countering this threat proves challenging, as Formcrafts remains a legitimate service. However, user education remains paramount in preventing data leakage or compromises. By raising awareness about the tactics used by cybercriminals and promoting good cybersecurity practices, individuals and organizations can better protect themselves from falling victim to these phishing pages.

This article is in no way intended to be a criticism of Formcraft, on the contrary it is intended to highlight how a legitimate service can be abused and therefore make users aware of these techniques so that they can protect themselves accordingly.

References:

--

--

No responses yet