For cyberattackers, what is not to love about a free and trusted platform they can use to quickly create phishing and malware traps?
From entry-level scammers to advanced adversaries—bad actors routinely abuse Google Forms to implement a wide range of attacks, targeting both organizations and individuals.
According to Sophos researchers, Google Forms offers cyberattackers an attractive proposition: the forms are easy to implement and trusted by both organizations and consumers; the traffic to and from the service is secured with Transport Layer Security (TLS) encryption so it cannot be easily inspected by defenders; and the whole setup essentially provides a free attack infrastructure.
Commenting on this, one of the firm’s senior threat researchers, Sean Gallagher, said: “The extent to which cyberattackers abuse Google Forms came to light while we were researching how malware abuses encryption to conceal its activities and communications,” and noted the seven methods commonly used:
- Phishing: Despite the fact that Google warns users on every page of a form not to enter password details, Sophos found several examples where attackers tried to convince potential victims to enter their credentials into a Google Form laid out to resemble a login page. These forms were often tied to malicious spam campaigns.
- Malicious spam campaigns: One of the largest sources of Google Forms links in spam were “unsubscribe” links in scam-related marketing emails. Sophos has intercepted a number of spam-based phishing campaigns that targeted Microsoft online accounts, including Office365. The spam claimed that recipients’ email accounts were about to be shut down if they were not immediately verified, and offered a link to a Google Form that asked the user to enter their Microsoft credentials. These Google Forms pages were decorated with Microsoft graphics but were still clearly a Google Form.
- Payment card data theft: Entry-level scammers use Google Forms’ ready-made design templates to attempt to steal payment data through faked ‘secure’ e-commerce pages.
- Potentially Unwanted Applications (PUAs): The researchers discovered a number of PUAs and adware targeting Windows users. These apps use Google Forms pages surreptitiously, with the web requests collected and submitted to forms automatically without any need for user interaction.
- Fake user interfaces for malicious Android apps: Sophos found some malicious Android applications that made use of Google Forms to capture data without having to code a back-end website. Most of these were adware or PUAs. For instance, the researchers found SnapTube, a video app that generates revenue for the developer through web advertising fraud and which includes a Google Forms page for user feedback.
- Data removal: Researchers uncovered a number of more sophisticated threats, including malicious Windows applications that used web requests to Google Forms pages to ‘push’ stolen data from computers to Google Sheets via Google Forms.
- Part of the wider malicious cyberattack infrastructure: A number of PowerShell scripts interacting with Google Forms could be used to scrape Windows profiling data from a computer and submit it to a Google Forms form automatically.
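
The automated submissions described in the PUA, data removal and PowerShell items can be hunted for on the defender's side. The sketch below is an added example, not code from Sophos or from the original article: it flags form submissions made by processes that are not browsers. Because the traffic is TLS-encrypted, it assumes events come from a TLS-inspecting proxy or endpoint telemetry that records the process name; the field names, the browser allow-list and the sample events are assumptions constructed for illustration.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Path of a Google Forms submission: /forms/d/e/<form id>/formResponse
FORM_POST = re.compile(r"^/forms/d/(?:e/)?([\w-]+)/formResponse$")
# Assumption: processes expected to submit forms on a user's behalf.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def _ev(host, process, method, url):
    return json.dumps({"host": host, "process": process, "method": method, "url": url})

G = "https://docs.google.com"
# Constructed sample events (hosts, process names and form ids are made up).
SAMPLE = [
    _ev("WS-01", "chrome.exe", "POST", G + "/forms/d/e/FORM_ID_A/formResponse"),
    _ev("WS-02", "powershell.exe", "POST", G + "/forms/d/e/FORM_ID_B/formResponse"),
    _ev("WS-02", "powershell.exe", "POST", G + "/forms/d/e/FORM_ID_B/formResponse"),
    _ev("WS-03", "helper.exe", "GET", G + "/forms/d/e/FORM_ID_C/viewform"),
    _ev("WS-04", "helper.exe", "POST", "https://example.com/forms/d/e/FORM_ID_D/formResponse"),
    _ev("WS-05", "helper.exe", "POST", G + "/forms/d/e/FORM_ID_C/formResponse?x=1"),
]

def automated_form_posts(events):
    """Return (host, process, form_id) for form submissions not made by a browser."""
    hits = []
    for raw in events:
        ev = json.loads(raw)
        url = urlsplit(ev["url"])
        match = FORM_POST.match(url.path)
        if ev["method"] != "POST" or url.hostname != "docs.google.com" or not match:
            continue  # not a Google Forms submission
        if ev["process"].lower() not in BROWSERS:
            hits.append((ev["host"], ev["process"], match.group(1)))
    return hits

def repeat_submitters(hits, threshold=2):
    """Host/process/form triples seen at least `threshold` times (scripted use)."""
    return {key: n for key, n in Counter(hits).items() if n >= threshold}

if __name__ == "__main__":
    found = automated_form_posts(SAMPLE)
    for host, process, form_id in found:
        print(f"non-browser form submission: {host} {process} form={form_id}")
    print("repeat submitters:", repeat_submitters(found))
```

A form id that recurs across several hosts is a useful pivot, since it points at a single collection form.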
The firm reminds readers to install a security solution on devices that they and their families use for online communications and gaming.