Recent email spam that has form submission details
This week, I've received two spam emails that reference form submissions on two different websites I manage. They are both obviously spam, trying to get me to download a file. But here's the scary part - they include actual details from the original notification email from Formidable.
Example #1: a fake contact form test I completed on one site when it launched in January of last year. The spam email sent this morning had the subject line exactly as it was in the legitimate email (with a "RE:" inserted in front, as if it were coming from the recipient), and it ALSO had the entirety of the test message, using the tabular format that is the default for Formidable email notifications.
Example #2: a reply to a quote request on a completely different website form. This one had the same subject line we use for email notifications and included the name and email of the original legitimate recipient. It did not, however, include the actual tabular details of the submission.
Both Formidable entries are real and do exist on their respective websites. At first I thought my email had been hacked. However, the second example was never sent to my inbox - it was sent straight to the submitting visitor AND a sales rep. Then I thought the site was hacked - but I haven't found any evidence of intrusion (using the paid/donate version of Anti-Malware from GOTMLS.NET).
The fact that it spans two completely different websites, both related to the Formidable plugin, leads me to believe that it might be an issue with the plugin itself. There are very few places where a spammer could access those form submission details:
- Email account - but the two examples were sent to two separate email accounts.
- WP Core / Theme - no sign of intrusion after a scan, but not 100% conclusive. I maintain updates to Core, Plugins, and themes on a rolling monthly basis for the 70 or so sites that I manage (apart from WP security updates, which are done immediately), so a site is never more than 30 days out of date - but I guess there's potential for something to slip in there. One site is using WP twentythirteen, and one is using WP twentyseventeen.
- Plugin - maybe something through the REST API, or something like that. No evidence of database injection. Both are on Pro version 3.0.6 (I do know there's an update; it's on schedule).
Has anyone else had similar issues, and/or can anyone point me in the right direction in terms of finding the source? Obviously I'll be changing passwords, but two spam emails that contain private information make me really nervous.
I'll attach the "originals" for both emails for any sharp-eyed email experts.
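One way to start narrowing down the source, as an added example that is not part of the original post or of Formidable: the script below parses a suspect message's raw headers and reports whether it is a genuine threaded reply (In-Reply-To/References pointing at a real Message-ID, which means the sender held a copy of the original notification rather than only its subject and body), which hop in the Received chain is closest to the sender, and the SPF/DKIM verdicts the receiving server recorded in Authentication-Results. The message embedded in it is constructed, with placeholder hostnames, IPs and Message-IDs; it is not one of the poster's emails.

```python
"""Triage a suspected reply-chain spam message from its raw headers.

Added example, not code from the original post or from Formidable.
The message below is constructed: hosts, IPs and Message-IDs are placeholders.
"""
import re
from email import message_from_string, policy

# Constructed sample shaped like a "RE: <notification subject>" spam.
SAMPLE_EML = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.example.com with ESMTPS id abc123
\tfor <owner@example.com>; Mon, 02 Apr 2018 09:00:00 +0000
Received: from [198.51.100.25] (unknown [198.51.100.25])
\tby mail.example.net with ESMTP id def456;
\tMon, 02 Apr 2018 08:59:50 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.org;
\tdkim=none
From: "Contact form" <noreply@example.org>
To: owner@example.com
Subject: RE: New contact form submission
Message-ID: <spam-1@198.51.100.25>
In-Reply-To: <original-1@example.org>
References: <original-1@example.org>
Date: Mon, 02 Apr 2018 08:59:50 +0000

Please see the attached file.
"""

RECEIVED_FROM = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def _flat(header) -> str:
    """Collapse folded header continuation lines into one string."""
    return " ".join(str(header).split())


def triage(raw_message: str) -> dict:
    msg = message_from_string(raw_message, policy=policy.default)

    # Each relay prepends its own Received header, so the last one in the
    # list is the hop closest to the actual sender.
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(_flat(value))
        hops.append(m.group(1) if m else _flat(value))

    # Authentication-Results is written by the receiving server, so its
    # spf=/dkim= verdicts are trustworthy in a way the From: header is not.
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RESULT.findall(_flat(value)):
            auth[mech.lower()] = result.lower()

    in_reply_to = _flat(msg.get("In-Reply-To", ""))
    references = _flat(msg.get("References", "")).split()

    findings = []
    if in_reply_to:
        findings.append(
            "threaded reply: In-Reply-To is set, so the sender held a copy of "
            "the original message, not just its subject and body text"
        )
    if auth.get("spf") == "fail":
        findings.append("SPF failed for the claimed envelope sender domain")
    if auth.get("dkim", "none") == "none":
        findings.append("no DKIM signature to tie the mail to the From: domain")

    return {
        "subject": _flat(msg.get("Subject", "")),
        "in_reply_to": in_reply_to,
        "references": references,
        "origin_hop": hops[-1] if hops else "",
        "hop_count": len(hops),
        "auth": auth,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it against the saved originals (`triage(open("spam.eml").read())`) and compare `in_reply_to` with the Message-ID of the real Formidable notification, which the sending server's mail log or the recipient's mailbox should still have. A match means the spammer had the actual message, pointing at a mailbox or relay that handled it rather than at the site's database; fresh IDs with only the subject and body copied do not by themselves separate those two cases.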