Sophos identifies top ways in which cybercriminals abuse Google Forms

Sophos has identified top ways in which cybercriminals abuse Google Forms. The cybersecurity firm published research titled “Phishing and Malware Actors Abuse Google Forms for Credentials and Data Exfiltration,” which describes how cyberattackers – from entry-level scammers to advanced adversaries – use Google Forms to carry out a variety of attacks against both organisations and individuals.

“The extent to which cyberattackers abuse Google Forms came to light while we were researching how malware abuses encryption to conceal its activities and communications,” said Sean Gallagher, senior threat researcher at Sophos.

Further said, “Google Forms offer cyberattackers an attractive proposition: the forms are easy to implement and trusted by both organizations and consumers; the traffic to and from the service is secured with Transport Layer Security (TLS) encryption so it can’t be easily inspected by defenders; and the whole set up essentially provides a free attack infrastructure.

 “Our analysis shows that while most abuse of Google Forms by cyberattackers remains firmly in the low-skill phishing and fraud spam space, there are increasing signs that adversaries are taking advantage of the platform for more sophisticated attacks. Sophos’ examples of this include attackers using Google Formsto exfiltrate data and for malware command-and-control.”

Sophos researchers have discovered seven ways that cyberscammers and malware operators are abusing Google Forms:

1. Phishing:Despite the fact that Google warns users not to submit password details on every page of a form, Sophos discovered many instances where attackers attempted to persuade potential victims to enter their credentials into a Google Form designed to look like a login page. These forms were frequently linked to spam campaigns that were malicious.
2. Malicious spam campaigns: “Unsubscribe” links in scam-related marketing emails were one of the most common sources of Google Forms links in spam. A number of spam-based phising efforts targeting Microsoft online accounts, including Office365, have been intercepted by Sophos. The spam claimed that if recipients’ email accounts were not promptly validated, they would be shut down, and provided a link to a Google Form where users could enter their Microsoft credentials. These Google Forms pages had Microsoft images on them, but they were still plainly Google Forms.
3. Payment card data theft: Scammers at the entry level utilise Google Forms’ ready-made design templates to steal payment information via phoney “safe” e-commerce pages.
4. Potentially Unwanted Applications (PUAs), such as adware:A number of PUAs aimed at Windows users were uncovered by the researchers. These apps use Google Forms pages invisibly, collecting web requests and automatically submitting them to forms without the need for user participation.
5. Fake user interfaces for malicious Android apps: Sophos discovered certain malicious Android apps that used Google Forms to collect data without requiring the development of a back-end website. The majority of these were either adware or PUAs. The researchers discovered, for example, “SnapTube,” a video software that makes cash for the developer through web advertising fraud and includes a Google Forms page for user feedback.
6. Data removal: Researchers discovered a number of more sophisticated malware that took use of Google Forms. Malicious Windows programmes exploited web requests to Google Forms pages to ‘push’ stolen data from machines to a Google spreadsheet using Google Forms.
7. Part of the wider malicious cyberattack infrastructure:A number of PowerShell scripts interacting with Google Forms have been spotted by Sophos telemetry. We were able to demonstrate how PowerShell scripts might be used to automatically collect Windows profile data from a PC and send it to a Google Forms form.

“Google frequently shuts down accounts associated with a mass abuse of applications, including Google Forms,” said Gallagher.

Also explained, “However, the kind of low-volume, targeted use of Forms by some malware could stay under the radar. Business defenders need to be alert to this threat and apply caution whenever they see links to Google Forms, or any other legitimate services trying to obtain credentials, and they should not inherently trust TLS traffic to ‘known good’ domains such as docs.google.com.”

Sophos technologies, such as Intercept X for endpoints, protect against the majority of malicious spam that contains forms-based phishing attacks and detect the system information collecting practises outlined in the current study.

To protect themselves and their family from malware and cyberthreats, Sophos recommends installing a security solution, such as Sophos Home, on the devices they and their families use for online conversations and games.