Scammers Exploit Google Forms Quizzes for Fraudulent Activities
The Talos Intelligence blog by Cisco has exposed an intricate spam exploit that utilizes the quiz results feature of Google Forms to subtly collect email addresses through a quiz template. This method allows the spammer to take advantage of Google's infrastructure to send out phishing emails, thereby evading spam filters until Google rectifies this approach. This tactic eventually leads to victims falling for a complicated cryptocurrency scam.
The cybersecurity community is sounding the alarm about a surge in cryptocurrency-related spam and scam activities exploiting Google Forms’ "Release scores" feature. This cunning method involves tricking victims into investing in cryptocurrencies or divulging personal information.
How the Scam Operates
Cisco Talos has uncovered that fraudsters are misusing Google Forms by creating quizzes and then using victims’ email addresses to submit responses. Once a form is submitted, the scammers can view the responses and trigger the "Release scores" feature of Google Forms.
This action allows them to send personalized emails from a Google account address, thereby boosting the likelihood of these messages landing in victims' inboxes, as they seemingly originate from Google’s trusted servers.
An Example of the Scam in Action
In a recent campaign identified by researchers, victims received an email with the subject "Score released: Balance 1.3320 BTC." When users clicked on the 'View' button in the email, they were redirected to a counterfeit Google Forms response page, prompting them to confirm their email addresses. This led them to an external website that falsely informed them about an active account containing Bitcoins valued over $46,000.
To add credibility, the scam involved a live chat support feature, where victims were asked to provide their names and email addresses. In the final stage, victims were instructed to pay a nominal 'exchange fee' of 0.25% (about $64) by scanning a QR code to access the supposed Bitcoin amount.
Exploitation of Google Features
This latest scam incident comes shortly after Google issued a warning about attackers leveraging its Calendar service to establish command and control (C2) infrastructure. The attackers utilized a tool known as Google Calendar RAT, first uploaded to GitHub in June, to use Google Calendar event descriptions to create a hidden communication channel.
Key Takeaways
The sophistication and careful planning of this spam attack underscore the extreme lengths cybercriminals will go to for exploiting individuals’ personal data and extracting money. As such scams continue to surface, it is crucial for organizations to stay vigilant, regularly update themselves on Indicators of Compromise (IoCs), and proactively block any suspicious or malicious indicators.