A sneaky phishing scam, similar to other Google Docs scams that have been circulating for years, is profiting from a revival. Once more, cybercriminals are misusing the trust people have in the google.com domain to lure them into giving up their password and login credentials via a genuine looking Google Form.
Google Forms Used for Phishing Scams
Google Forms is a well-known and popular survey tool. Many companies and organizations use the online forms to collect information from clients or users. The app is included in the Google Docs Editors software suite, along with Google Docs, Sheets and Slides.
From a cybercriminal’s perspective, Google Forms are a desirable instrument for phishing attacks. They are easy to produce. Google Forms are hosted under the trustworthy Google domain. The forms look familiar. And it’s quite common to receive surveys from known brands. As a result, many people enter their credentials when prompted, without a second thought.
Security researchers at Zimperium, a privately owned mobile security firm based in the US, published a report yesterday which reveals how scammers have used a total of 265 Google Forms, impersonating more than 25 brands, companies and government agencies. According to their research, the number of phishing websites using https traffic has increased from 12% to 60% since early 2019.
The 25 Organizations Scammers Tend to Impersonate
Zimperium’s report points out various brands scammers tend to impersonate. More than 70% of scams are connected to the AT&T brand name or to AT&T and Yahoo together. The full list of targeted companies, brands and government agencies includes organizations from all over the world and across different industries.
Besides AT&T and Yahoo, these are the brand names scammers use: AOL, Binance, BT Group, Capital One, Citibank, the European Union (Foreign Direct Investments), GESupplier.com, Google Docs, the IRS, the Mexican Government, Microsoft OneDrive, Microsoft Outlook, Oca Card, Office 365, Pôle emploi, SBC, Sir, Sky-TATA, Swisscom, T-Mobile, Trust Wallet, Web.de, Wells Fargo and Zimbra.
Most of the time cybercriminals use the company’s logo and branding to appear more legitimate. Google Forms of course also provide a valid SSL certificate, which never fails to pass a security test. Moreover, a whitelisted google.com domain won’t trigger a fraudulent site warning. Therefore, it is really up to the individual to detect malicious intent.
“Never submit passwords through Google Forms”
Every Google Form created automatically displays a firm warning on the bottom of each page. The warning says: “Never submit passwords through Google Forms”. When prompted to enter a password, this might be a first sign something is amiss. Of course, no company would ever ask a user to login via a Google Form. So, if the Form straight away prompts the user to login, that should be an immediate red flag.
Other details more security aware users may spot are unusual differences between the phishing form and the company’s usual wording, or password fields not being hidden by asterisks. In some cases, text is replaced with an image to avoid detection by automatic detection tools.
Unfortunately, most average users don’t pay attention to these details. And sadly, it’s these average users that cybercriminals target. One of the authors of the report added in an interview with Forbes that “it’s likely the attacker’s used prior data breaches to get contact information. This could also explain the distribution of targeted brands by these forms.”