A threat actor has been sending thousands of emails to organizations, in what researchers warn is a reconnaissance campaign to identify targets for a possible follow-up business-email-compromise (BEC) attack.
So far, researchers have observed thousands of messages being sent to companies since December 2020, predominantly delivered to retail, telecommunications, healthcare, energy and manufacturing sectors. Of note, the campaign leverages Google’s Forms survey tool. This use of Google Forms by cybercriminals is not new and is routinely observed in credential phishing campaigns to bypass email security content filters. However, in this attack, the use of Google Forms may also prompt an ongoing dialogue between the email recipient and the attacker – setting them up as a victim for a future BEC trap, researchers say.
“This hybrid campaign combines the benefits of scale and legitimacy by leveraging Google Services with social engineering attacks, more commonly associated with BEC,” according to Proofpoint researchers in a Wednesday analysis.
The messages contain unique names of C-level executives from the target organizations, indicating that the cybercriminals have done their homework when it comes to pinpointing victims. The messages themselves are “simple but convey a sense of urgency,” said researchers – they ask the victim if they have a “quick moment” to carry out a task, as the purported sender is supposedly heading into a meeting or too busy to handle the task themselves, and point to a link in the email.
This link leads the victim to a default, untitled form hosted on Google Forms’ infrastructure. Google Forms is a survey administration software that’s offered as part of Google’s Doc Editors suite. Strangely, the form in this campaign is blank, and merely says “Untitled Form” with an “Untitled Question.”
Researchers believe here that the primary goal is to elicit an email reply from the victim, to respond that the survey is broken or not what they expected. That can then set the ball rolling for further dialogue between the victim and attacker, setting the foundation for the future BEC attack.
“As a secondary goal, the form likely serves as a sensor to simply see if anyone fills out their form, functioning as a reconnaissance technique to weed out users who may be susceptible to clicking a suspicious link found in an email,” said researchers.
Despite this trick, the emails themselves have several red flags that may serve as dead giveaways to a suspicious email recipient. This includes erroneous spelling and grammar, with one message saying: “Are your schedule flexible to run a task for me now, =m heading into a meeting now can’t take calls or text messages just e=ail me back.”
Another giveaway is the bad actor’s email addresses used in this campaign, which in some cases appear to have no semblance of a legitimate email at all (fgtytgyg[@]gmail.com, for instance).
“We didn’t observe an established pattern across the spoofed emails; however, some of the addresses look like they were made with random keymashing while others incorporate common names/phrases,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint told Threatpost.
Researchers believe that this is just the start of a campaign – they say, attackers may be collecting reconnaissance to identify targets for undetermined follow-on threat activity.
“The tone of urgency in the emails is consistent with previous BEC actors, and therefore, we want to ensure security awareness of these attempts as an indication or warning to customers and the security community,” said researchers.
Attackers have previously leveraged Google services – including Google Forms – in various malicious ways. One phishing attack in November used Google Forms as a landing page to collect victims’ credentials, with the forms masquerading as login pages from more than 25 different companies, brands and government agencies. Another November campaign used a Google Form and an American Express logo to try and get victims to enter sensitive information. Also in November, scammers leveraged a legitimate Google Drive collaboration feature to trick users into clicking on malicious links.
“While social engineering is pervasive throughout email-borne attacks, it is employed differently in malware and credential phishing than in BEC campaigns,” said Proofpoint researchers. “In a malware campaign, social engineering is used in the initial email. Conversely, in BEC, social engineering is used throughout the lifecycle of the fraud. Although rare, we observe actors delivering malware after the exchange of benign messages.”
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!