Cyber criminals exploit Formcrafts to craft phishing pages

Over the past seven years, cybercriminals have used the Formcrafts online service to craft phishing pages with the intent of stealing credentials, banking information, and other sensitive data

Bank Security
6 min read · Feb 8, 2024

Introduction

Since at least 2017, threat actors have been abusing Formcrafts’ legitimate services to generate online forms for their malicious phishing pages.

This article will delve into the mechanics of Formcrafts and examine how cybercriminals have utilized it for malicious ends throughout the years.

What is Formcrafts?

Formcrafts is a user-friendly online form builder that allows you to create functional forms for your website or application. It is a drag-and-drop tool, so you don’t need any coding experience to use it.

The interface makes building a wide range of forms, from simple contact forms to complex surveys and payment gateways, a breeze.

You can easily sign up for a free account on their website and play with it:

Link: https://formcrafts.com/

Create a form

Once registered, you have the option to create a form either from scratch or by utilizing the templates provided on the site:

First form creation page

Once the form is created, you can easily publish it with just a simple click, making it accessible to everyone. Later, you can embed it in an email, getting the user to enter their details.

Formcrafts provides different fields that you can add to your form. Each field can be customized for the type of data you expect the user to enter, such as email, username, password and credit card number.
Additionally, you can configure a secondary courtesy page to display once the form has been filled out and submitted.

Basic field addition to your form

This type of customization, combined with the ability to add images to the page so that it mimics the original one, makes it a perfect tool for cyber criminals.

Email notification

As an additional feature, you can configure email notifications to receive updates every time a user fills out the form. This allows you to stay informed about who is entering the data and when:

Email notifications settings

IP geolocation restriction

Another default and free-of-charge feature is the ability to restrict the display of the form to specific countries. This functionality can be advantageous for cybercriminals aiming to target users in particular geographical areas, thereby evading detection by standard cybersecurity solutions and analysts:

IP geolocation option (useful for cyber criminals in targeted attacks)

Statistics and Analytics

You can monitor the status of your forms along with their corresponding statistics directly from the main page:

Analytics
Insights

Clear text responses

One of the most exploited features of this product is the ability to view all responses submitted by users in cleartext. For instance, if a deceptive form prompts users to enter their credentials or bank details, the threat actor managing the form can readily view the passwords, bank codes or credit card numbers:

Response view

Another feature susceptible to abuse by cybercriminals is the capability to prompt users to upload documents. For instance, in a cyber espionage campaign, a criminal group might find it advantageous to gather CVs or ID documents from targeted users. In such instances, they could include in the form a mandatory field requesting document uploads, compelling users to submit the requested files.

How are cyber criminals (ab)using it?

Cybercriminals have transformed this service into a Phishing-as-a-Service platform, leveraging it to orchestrate their phishing campaigns through custom-created form pages. Over the years, numerous brands have been exploited as lures on these phishing pages.

Formcrafts’ features make it possible to monitor link clicks and form submissions, offering clear visibility into user interactions. Remarkably, these functionalities are accessible with a free account, easily created using a temporary email address.

To track down phishing pages that have exploited Formcrafts, you can use the following urlscan.io search:

page.url:"formcrafts.com/a/*"

https://urlscan.io/search/#page.url%3A%22formcrafts.com%2Fa%2F*%22
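The same `formcrafts.com/a/*` pattern can be applied to your own proxy or mail-gateway logs. The script below is an added example, not code from the original article: the log format, form IDs and function names are constructed for illustration, and treating subdomains of formcrafts.com as in scope is an assumption.

```python
import re
from urllib.parse import quote, urlsplit

FORM_HOST = "formcrafts.com"   # host taken from the article's urlscan query
FORM_PATH_PREFIX = "/a/"       # published-form path from the same query
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def urlscan_search_link(query):
    """Build the urlscan.io search link for a query, encoded as in the article."""
    return "https://urlscan.io/search/#" + quote(query, safe="*")

def is_formcrafts_form(url):
    """True only if the real host is formcrafts.com (or a subdomain, an
    assumption) and the path is /a/<something>. Parsing the URL avoids
    substring false positives such as formcrafts.com.example.net or
    ?next=formcrafts.com/a/x on an unrelated host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host != FORM_HOST and not host.endswith("." + FORM_HOST):
        return False
    path = parts.path
    return path.startswith(FORM_PATH_PREFIX) and len(path) > len(FORM_PATH_PREFIX)

def hunt(log_lines):
    """Return (line_number, url) for every Formcrafts form URL in the lines."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;)")  # drop trailing punctuation from free text
            if is_formcrafts_form(url):
                hits.append((n, url))
    return hits

# Constructed sample proxy log lines (not real traffic; form IDs are made up).
SAMPLE_LOG = [
    "2024-02-08T09:01:12Z 10.0.0.5 GET https://formcrafts.com/a/examplefid1 200",
    "2024-02-08T09:01:40Z 10.0.0.7 GET https://formcrafts.com/pricing 200",
    "2024-02-08T09:02:03Z 10.0.0.9 GET https://formcrafts.com.example.net/a/x 200",
    "2024-02-08T09:02:30Z 10.0.0.9 GET https://example.org/r?next=formcrafts.com/a/x 200",
    "2024-02-08T09:03:00Z 10.0.0.4 GET HTTPS://WWW.FORMCRAFTS.COM/a/examplefid2?ref=mail 200",
]

if __name__ == "__main__":
    print(urlscan_search_link('page.url:"formcrafts.com/a/*"'))
    for line_no, url in hunt(SAMPLE_LOG):
        print(line_no, url)
```

A hit only means a user reached a published Formcrafts form; since the service is legitimate, each hit is a triage item to review rather than a confirmed phishing page.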

In recent years, cybercriminals have utilized Formcrafts to fabricate phishing pages, employing various brands as bait to gather credentials, personal information, or bank account details. Below are some concrete examples:

Webmail

Cybercriminals have utilized generic webmail forms as bait against their targets:

Webmail phishing examples
Microsoft phishing examples
Telco phishing examples
University phishing examples

Links:
https://urlscan.io/result/a5c2bc7d-2bbb-4416-9975-89f296fb7400/
https://urlscan.io/result/1b6458dd-7667-45f5-8658-2afacedd1961/
https://urlscan.io/result/9ee9d846-2d3d-4488-a864-2bd6c5047ed7/

Banking info

Below is an example aimed at stealing credentials and credit card data:

https://urlscan.io/result/97d3bee9-219f-4f05-835d-a36036ba3577/

Fake file hosting

Below you can see a case where the attackers used Formcrafts to create a fake file-download page, which then redirects the user to another page hosting the actual phishing form:

Conclusion

Formcrafts has been observed as one of the tools used by cybercriminals seeking to orchestrate phishing attacks. Despite its legitimate purpose as a user-friendly form builder, its ease of use and customizable features have been exploited to craft convincing phishing pages, targeting users with the intent of stealing sensitive information.

Countering this threat proves challenging, as Formcrafts remains a legitimate service. However, user education remains paramount in preventing data leakage or compromises. By raising awareness about the tactics used by cybercriminals and promoting good cybersecurity practices, individuals and organizations can better protect themselves from falling victim to these phishing pages.

This article is in no way intended to be a criticism of Formcrafts. On the contrary, it is intended to highlight how a legitimate service can be abused, and to make users aware of these techniques so that they can protect themselves accordingly.
