Scammers Exploit Google Forms Quizzes for Fraudulent Activities

The cybersecurity community is sounding the alarm about a surge in cryptocurrency-related spam and scam activities exploiting Google Forms’ "Release scores" feature. This cunning method involves tricking victims into investing in cryptocurrencies or divulging personal information.

How the Scam Operates

Cisco Talos has uncovered that fraudsters are misusing Google Forms by creating quizzes and then using victims’ email addresses to submit responses. Once a form is submitted, the scammers can view the responses and trigger the "Release scores" feature of Google Forms.

This action allows them to send personalized emails from a Google account address, thereby boosting the likelihood of these messages landing in victims' inboxes, as they seemingly originate from Google’s trusted servers.

An Example of the Scam in Action

In a recent campaign identified by researchers, victims received an email with the subject "Score released: Balance 1.3320 BTC." When users clicked on the 'View' button in the email, they were redirected to a counterfeit Google Forms response page, prompting them to confirm their email addresses. This led them to an external website that falsely informed them about an active account containing Bitcoins valued over $46,000.

To add credibility, the scam involved a live chat support feature, where victims were asked to provide their names and email addresses. In the final stage, victims were instructed to pay a nominal 'exchange fee' of 0.25% (about $64) by scanning a QR code to access the supposed Bitcoin amount.

Exploitation of Google Features

This latest scam incident comes shortly after Google issued a warning about attackers leveraging its Calendar service to establish command and control (C2) infrastructure. The attackers utilized a tool known as Google Calendar RAT, first uploaded to GitHub in June, to use Google Calendar event descriptions to create a hidden communication channel.

Key Takeaways

The sophistication and careful planning of this spam attack underscore the extreme lengths cybercriminals will go to for exploiting individuals’ personal data and extracting money. As such scams continue to surface, it is crucial for organizations to stay vigilant, regularly update themselves on Indicators of Compromise (IoCs), and proactively block any suspicious or malicious indicators.