Tax Phish Swims Past Google Workspace Email Security

tax phish

Crooks are looking to harvest email credentials with a savvy campaign that uses the Typeform service to host the phishing page.

A W2 tax email scam is circulating in the U.S. using Typeform, a popular software that specializes in online surveys and form building. The campaign is aimed at harvesting victims’ email account credentials, researchers said.

According to Armorblox, the campaign also bypasses native Google Workspace email security filters in the victims it examined.

“The email impersonated an automated file-sharing communication from OneDrive, informing victims that they had received a file,” researchers explained in an analysis on Tuesday. “The email was sent from a Hotmail ID and was titled ‘RE: Home Loan,’ followed by a reference number and the date, making it seem like the email was part of an ongoing conversation to lend it more legitimacy.”

The links included in the emails purport to lead to a document called “2020_TaxReturn&W2.pdf,” researchers found. Instead, the links take users to a Typeform page where victims are asked to enter their email account credentials before being granted access to the file.

However, entering email account information into the form only returns error messages. After several attempts, the campaign surfaces a message saying that “the document is secured” and that the user’s identity could not be verified.

“It’s likely that the error messages could be a smokescreen for the attackers to gather as many account ID and password combinations as unsuspecting victims are willing to enter in an attempt to brute-force their way to gain access to the W2,” according to Armorblox. “In reality, there is no W2 pot of gold at the end of this malicious rainbow.”

Evading Google Workspace Email Filters

Researchers said that one of the most notable aspects of the campaign is its ability to skirt around email defenses, including native Google Workspace email security

One of the ways it does that is by sending the emails from a newly created Hotmail domain. This has the effect of helping mails get by email authentication checks like DMARC, DKIM and SPF, which look for spoofed email addresses, among other things.

“Attackers often send emails from newly created Gmail, Yahoo, and Hotmail IDs to circumvent any filters and blocklists in place that block known low reputation domains,” Armorblox researchers explained.

Also, using Typeform to host the phishing page means that filters won’t clock the links as malicious since it’s a trusted application. Other phishing attacks have been observed exploiting Box, Google Firebase, Google Forms and Webflow in a similar manner.

“Free online services like Typeform make our lives easier, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks,” researchers said.

The campaign also employed a number of techniques on the social-engineering front to pass the eye tests of unsuspecting end users, according to the analysis.

“The email title, content and context aimed to induce a sense of fear and urgency in the victims. By using tax and deadline-related anxieties that beset the best of us, attackers hope that victims click before they think,” researchers explained.

They added, “The email includes a link that says ‘Learn about messages protected by Office 365’ that leads to a real Microsoft-hosted page with security information. Attackers often include such signifiers in emails to lull victims into a false sense of security (no pun intended).”

And finally, the campaign replicates existing workflows by pretending to be automated file-sharing messages from OneDrive.

“We get tons of such emails everyday informing us that someone has shared files with us, someone has replied to our message, someone has commented on a document and so on,” according to Armorblox. “When we see emails that seem similar (at first glance) to known email workflows, our brains tend to employ System 1 thinking and take quick action.”

How to Avoid Phishing Attacks

“Employees continue to fall for these scams because the emails are so authentic-looking, and it is difficult to tell the difference from the real thing,” Joseph Carson, chief security scientist at Thycotic, told Threatpost.

Thus, a front line of defense is to develop better cybersecurity hygiene by educating employees on ways to detect email scams, he noted.

“If an email does make it into the inbox, then go to the website and call the number to check if it is authentic and do not call the number if provided within the email as, most likely, it is fake also,” he advised. “Check the email sender address and not the display name. Check the email for spelling mistakes. Check any hyperlink addresses by hovering over them to see where they send you. However, do not click on the links. Also check your personal details for accuracy. These simple tips will help employees avoid a potential cybersecurity nightmare for their organization.”

Hank Schless, senior manager of security solutions at Lookout, also cautions organizations to not forget about mobile device.

“Security teams should be protecting employees across all endpoints to ensure they don’t fall victim to a phishing attack or download a malicious attachment that compromises the organization,” told Threatpost. “These types of scams are most effective on mobile devices, and attackers know this. For that reason, they are creating targeted phishing campaigns to take advantage of the mobile interface that makes it hard to spot a malicious message.”

And finally, people shouldn’t assume that legitimate services equal a legitimate communication, according to Armorblox.

“This piece of advice is also difficult to enact in practice, given the crowded nature of our inboxes,” according to the analysis. “However, try to be skeptical by default of any form that asks for your login credentials, even if the form is built using a legitimate service like Google or Typeform. These services are as easily available to cybercriminals as they are to the rest of us.”

Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event. 



Suggested articles