Phishers survey new tactic: Google Forms

The phishing method is “about as zero-risk” as it gets, says CISO Mike Britton.
Morning Brew
Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

By incorporating a widely used survey tool, phishers have found another inventive way to get past email security gateways: Google Forms.

“From an attacker’s perspective, the effective part is [that] I can pretty much craft it and customize it, because it’s Google, and nobody’s blocking Google in their environment,” Mike Britton, chief information security officer at the email-protection provider Abnormal Security, told IT Brew.

In a Dec. 13 post, Britton described details of the attack method, involving a document and an old-fashioned call:

  • For the social-engineering trigger, the phisher sends just one document: a phony invoice receipt, built in Google Forms, carrying details such as the invoice date, amounts owed, or subscription information.
  • With the response-receipt option enabled, the completed Form is emailed to the targeted address.
  • The attacker does not use the survey to collect information; the phisher hopes the target will call the phone number printed on the Form.
  • Once the target dials the number, a human operator tries to convince the caller to give up personal information (such as name, address, and credit card number) or even download malware onto their device.
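
As a defender's illustration of the pattern in those steps, here is a small triage heuristic for Google Forms receipt emails (added here; not code from IT Brew, Abnormal Security, or Google). It assumes the sender address Google uses for Forms receipts, uses constructed sample messages, and treats the keyword lists and weights as starting points to tune against your own mail.

```python
import re
from dataclasses import dataclass, field

# Sender address used for Google Forms response receipts (assumption: confirm it
# against your own mail logs before relying on it in a production rule).
FORMS_RECEIPT_SENDER = "forms-receipts-noreply@google.com"
# Wording typical of the phony-invoice lure; extend from your own samples.
INVOICE_TERMS = ("invoice", "amount due", "subscription", "renewal", "charged", "receipt")
URGENCY_TERMS = ("within 24 hours", "immediately", "cancel", "refund", "call us")
# North American phone-number shapes; add patterns for regions your users deal with.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

def score_forms_receipt(sender: str, subject: str, body: str) -> Verdict:
    """Heuristic triage of a Forms receipt: billing language plus a phone number
    plus urgency is the callback-phishing pattern; an RSVP receipt has none of it."""
    v = Verdict()
    if sender.lower() != FORMS_RECEIPT_SENDER:
        return v  # not a Forms receipt; leave it to other rules
    text = f"{subject}\n{body}".lower()
    phones = PHONE_RE.findall(body)
    billing = [t for t in INVOICE_TERMS if t in text]
    urgency = [t for t in URGENCY_TERMS if t in text]
    if phones:
        v.score += 3
        v.reasons.append(f"phone number(s) in receipt: {phones}")
    if billing:
        v.score += 2
        v.reasons.append(f"billing language: {billing}")
    if urgency:
        v.score += 2
        v.reasons.append(f"urgency language: {urgency}")
    return v

def is_suspicious(sender: str, subject: str, body: str, threshold: int = 5) -> bool:
    """Threshold 5 means a phone number plus at least one other signal; tune to taste."""
    return score_forms_receipt(sender, subject, body).score >= threshold

# Constructed sample receipts (not real messages) for a quick check.
PHISH_SAMPLE = dict(sender=FORMS_RECEIPT_SENDER, subject="Your invoice receipt", body=(
    "Thank you for your purchase.\nInvoice date: 2023-12-12\nAmount due: $499.99\n"
    "Subscription: Premium plan (auto-renewal)\n"
    "To cancel or request a refund, call us immediately at (555) 010-0199."))
BENIGN_SAMPLE = dict(sender=FORMS_RECEIPT_SENDER, subject="Team lunch RSVP", body=(
    "Thanks for responding. Your responses:\nName: Ada\nDietary preference: vegetarian\n"
    "Edit your response: https://docs.google.com/forms/d/e/EXAMPLE/viewform"))
```

Because the sender is legitimately Google, a rule like this belongs in post-delivery content inspection rather than in a sender block list.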

“It’s about as close to zero-risk as I can get, because the initial attack is not breaking into anybody’s environment. It’s fairly benign, and it costs me next to nothing,” Britton said.

The FBI has noticed a trend in callback phishing—a social-engineering attack in which a live person handles the interaction between threat actor and target, ultimately convincing end users to download malware or hand over remote access.

Drew Rose, CSO and founder of the risk-management-platform provider Living Security, has also seen a rise in callback phishing, as well as an increase in “multi-pronged social engineering attacks” that begin over email, text, and even job sites where a phony recruiter makes an enticing offer.

“Boom. In five minutes, I have all this person’s personally identifiable information because of a fake job opportunity,” Rose told IT Brew in November.

A statement from Google, shared on Dec. 19 by Ross Richendrfer, head of security and privacy PR at Google Workspace, read: “Workspace has numerous layers of defenses to keep users safe. We are aware of the recent phishing attacks using Forms, and while they appear to be isolated to a small number of users, we are working to improve detection.” Richendrfer also shared that the company uses “ML models to detect and block phishing attacks” when Forms are passed along.

Old-style email attacks relied on malicious URLs—the kinds of features that email security defenses can be configured to detect. Britton has seen attackers shift toward avoiding technology altogether and getting one-on-one time with their targets instead.

“We’ve seen a large shift to more social engineering, because at the end of the day, there’s no technology, there’s nothing that’s going to fix bad human judgment, or the brain getting hijacked on the sense of urgency,” Britton said.
