Researchers are warning of phishing attacks that leverage Google Forms as a landing page to collect victims’ credentials. The forms masquerade as login pages from more than 25 different companies, brands and government agencies.
So far, 265 different Google Forms used in these attacks have been uncovered, which are likely sent to victims via email (using social engineering tactics). More than 70 percent of these forms purported to be from AT&T. However, other big brands – including financial orgs like Citibank and Capital One, collaboration apps like Microsoft OneDrive and Outlook, and government agencies like the Internal Revenue Service (IRS) and even the Mexican government – were also seen (a full list of impersonated brands is available here).
“According to our findings, the links remained active for several months after being added to public phishing databases,” according to Zimperium researchers in a Tuesday analysis. “All of the Google Forms were removed by Google after we reported it to them.”
Google Forms is a survey administration app – utilized for quizzes, RSVPs and otherwise – that are part of Google’s Docs Office Suite and Classroom. Many of the phishing Google Forms – like the AT&T form below – utilize the company’s brand, and tell users to “sign in” with their email and password, then to click “submit.”
Researchers said that cybercriminals’ use of Google Forms is clever from a phishing perspective, as they are easy to create and are hosted under the Google domain. The Google domain host gives victims the false sense that they are legitimate and avoids phishing detection tactics.
Google Forms also provide a valid SSL certificate, which can fool users who rely on the “secure” indication of the browsers. While this “secure” icon next to the URL gives users the impression that the page is not malicious, it merely shows that it is an encrypted HTTPS connection using a valid SSL certificate.
There are two red flags that pop up when a user is presented with a Google Form phishing page – first of all, though the impersonated brand is used, the forms can look strange and not like the legitimate page. For instance, the final button always said “Submit” (instead of the typical Login), and the default completion or message on all fields was “Your answer” (instead of “your username” and “your password”).
“There are several differences that will alert some experienced users, but lots of users will write their credentials on any form showing a company logo, unless the browser or a security tool warns them,” said researchers.
Second of all, Google Forms state automatically at the base of each form “never submit password via Google forms.” However, this is evidentially ignored by many victims, said researchers.
“This form wasn’t detected as phishing using most of the common industry techniques since it used a high-reputation domain, established several years ago and it used a valid SSL certificate,” said researchers.
With the ongoing pandemic, worries about cyberattackers leveraging various brands like Microsoft Teams, Zoom and Skype have been piqued. In May, a convincing campaign that impersonated notifications from Microsoft Teams in order to steal the Office 365 credentials of employees circulated, with two separate attacks that targeted as many as 50,000 different Teams users. Earlier in October, researchers warned of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.