SophosLabs Reveals: How Cyber Scammers Use Google Forms. Phishing and malware often pave the way for ransomware or data theft. The latest analysis by SophosLabs shows how the fraudsters use Google Forms for their own purposes.
Sophos has published a new analysis report entitled “Phishing and Malware Actors Abuse Google Forms for Credentials, Data Exfiltration” that deals with the misuse of Google Forms by cyber criminals.
Google Forms makes it easy for cyber criminals
“The extent to which attackers are using Google Forms for themselves came to light when we looked at how malware misused encryption to hide activity and communications,” said Sean Gallagher, senior threat researcher at Sophos. “Google Forms makes it particularly easy for cyber criminals: the forms are easy to implement and trustworthy, both for the organization and for the consumer. The data stream to and from the service is protected by Transport Layer Security (TLS) encryption so that it is not so easily inspected by defenders. The whole set-up essentially includes a free attack infrastructure.”
The analysis shows that the most common misuse of Google Forms is in phishing and fraud, which require little skill. However, there are increasing signs that attackers are using the platform for more complex attacks. In the examples Sophos examined, the criminals used Google Forms for data exfiltration and malware command-and-control.
Seven Types of Criminal Use of Google Forms
1. Phishing
Google warns users on every page of Forms not to reveal password details. Nevertheless, the Sophos experts found various examples in which attackers tried to trick potential victims into entering their login credentials in a fake Google form. These are often linked to malicious spam campaigns.
2. Malicious spam campaigns
One of the largest sources of these phishing links in spam was "unsubscribe" links in fraudulent marketing emails. Sophos intercepted a number of these phishing campaigns targeting Microsoft online accounts, including Office365. The spam stated that the recipient's email accounts would be closed if they did not verify them immediately. A fake link was also sent, which was provided with Microsoft graphics, but which was clearly not a real Google form.
3. Theft of payment cards
Entry-level scammers like to use pre-made Google Forms design templates to steal card payment data using fake and seemingly secure ecommerce sites.
4. PUAs (Potentially Unwanted Applications), such as advertising software
Windows users in particular are often affected. These applications secretly use Google Forms pages, while the web requests are collected and automatically forwarded to the forms - user interaction is not necessary.
5. Fake user interface for malicious Android apps
Sophos discovered some malicious Android applications that use Google Forms to collect data without programming a backend website. Most of these apps were advertising software or PUAs, including SnapTube, a video app that generates revenue for developers via advertising fraud and that includes a Google rating form page.
6. Data exfiltration
The analysts also uncovered a number of more sophisticated threats that use Google Forms. These include, for example, malicious Windows applications that use web requests to Google Forms to “push” stolen computer data into a Google spreadsheet.
7. Part of a larger, malicious cyberattack infrastructure
Sophos has discovered a number of PowerShell scripts that interact with Google Forms. The experts were then able to simulate how a PowerShell script can be used to collect Windows profile data from a PC and automatically insert it into a Google form.
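For defenders, the pattern in items 6 and 7 (a program other than a browser posting data to a form) can be searched for in web telemetry. The following is an added example, not code from Sophos or from the report: it assumes logs from a TLS-inspecting proxy or endpoint agent that record the requesting process, uses a constructed tab-separated log format with placeholder hosts and form IDs, and treats the browser list as a site-specific assumption. Google Forms accepts submissions at a path ending in `formResponse` on docs.google.com.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Submission path of a Google Form: /forms/d/e/<form id>/formResponse
FORM_SUBMIT = re.compile(r"^/forms/(?:u/\d+/)?d/(?:e/)?([\w-]+)/formResponse$")
# Assumption: the only processes expected to submit forms interactively here.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed records: time, host, process, method, URL (tab-separated).
# Hostnames, process names and form IDs are placeholders, not real indicators.
SAMPLE_LOG = [
    "2021-01-01T10:00:01Z\tWS-014\tchrome.exe\tGET\thttps://docs.google.com/forms/d/e/FORMID_PLACEHOLDER_A/viewform",
    "2021-01-01T10:00:40Z\tWS-014\tchrome.exe\tPOST\thttps://docs.google.com/forms/d/e/FORMID_PLACEHOLDER_A/formResponse",
    "2021-01-01T10:02:11Z\tWS-022\tpowershell.exe\tPOST\thttps://docs.google.com/forms/d/e/FORMID_PLACEHOLDER_B/formResponse",
    "2021-01-01T10:07:11Z\tWS-022\tpowershell.exe\tPOST\thttps://docs.google.com/forms/d/e/FORMID_PLACEHOLDER_B/formResponse",
    "2021-01-01T10:09:00Z\tWS-031\tupdater.exe\tPOST\thttps://docs.google.com.example.net/forms/d/e/FORMID_PLACEHOLDER_C/formResponse",
]

def submitted_form(method, url):
    """Return the form ID if this request submits a Google Form, else None."""
    parts = urlsplit(url)
    # Exact host match: lookalike hosts are a separate problem, not form abuse.
    if method.upper() != "POST" or parts.hostname != "docs.google.com":
        return None
    match = FORM_SUBMIT.match(parts.path)
    return match.group(1) if match else None

def non_browser_submissions(lines):
    """Count form submissions per (host, process, form ID) made by non-browsers."""
    hits = Counter()
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue  # skip malformed records rather than guessing at fields
        _time, host, process, method, url = fields
        form = submitted_form(method, url)
        if form and process.lower() not in BROWSERS:
            hits[(host, process.lower(), form)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (host, process, form), count in non_browser_submissions(SAMPLE_LOG).items():
        print(f"{host}: {process} posted to form {form} {count} time(s)")
```

Repeated submissions to the same form from one process, as on the constructed host WS-022, suggest automation rather than a person filling in a form.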
Don't blindly trust docs.google.com
Sean Gallagher also recommends: “Google often closes accounts associated with mass application abuse, including Google Forms. A rarer but targeted use of Google Forms by malware could, however, go undetected. Users should therefore pay attention if they discover links to Google forms or other apparently legitimate links for authorization approval and not blindly trust TLS traffic to apparently known domains such as docs.google.com.”
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.