The notorious BazaCall phishing attacks, known for their deceitful tactics, have taken on a new guise, leveraging Google Forms to add a layer of credibility to their schemes.
Cybersecurity experts unveiled this latest move by the threat actors behind BazaCall, highlighting their attempt to enhance the legitimacy of their initial malicious emails. These attacks, which began surfacing in late 2020, involve phishing emails masquerading as authentic subscription notices, urging recipients to contact a support desk to dispute or cancel the subscription, under threat of charges ranging from $50 to $500.
By manipulating urgency, these attackers coax targets into granting remote access during phone calls, using supposed support offers to cancel the fictitious subscriptions. Popular services like Netflix, Hulu, Disney+, Masterclass, and others are frequently impersonated to carry out these deceptive campaigns.
In the recent variant spotted, Google Forms act as conduits for sharing subscription details. Notably, the attacker enables response receipts on the form, forwards the invitation to the victim to complete it, and subsequently receives the responses.
A security researcher highlighted the attacker’s design, noting that the completed form appears as a Norton Antivirus payment confirmation, further deceiving the target. Using Google Forms also puts a trusted domain, “forms-receipts-noreply@google[.]com,” in the sender address, increasing the chances of bypassing secure email gateways. Additionally, the dynamic nature of Google Forms’ URLs evades traditional security measures that rely on known patterns for threat identification.
This revelation emerges concurrently with Proofpoint’s disclosure of a new phishing campaign targeting recruiters. This campaign directs victims to a JavaScript backdoor named More_eggs and is attributed to a skilled, financially motivated threat actor known as TA4557. This actor, recognized for manipulating legitimate messaging services, entices victims with fake job offers, leading to the deployment of the More_eggs backdoor.
Proofpoint outlined the attack chain, describing how recipients replying to initial emails receive URLs leading to actor-controlled websites posing as candidate resumes or instructions to visit fake resume websites via PDF or Word attachments. More_eggs, a malware-as-a-service tool utilized by several cybercriminal groups, has previously been associated with operators from Montreal and Bucharest, as linked by eSentire earlier this year.
Users should scrutinize unexpected emails requesting urgent actions, especially related to subscriptions or financial matters. Verify requests independently via official website contacts instead of provided links. Employ email filters and educate teams on identifying phishing attempts, particularly those using seemingly reputable platforms like Google Forms.
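Because the receipt arrives from a legitimate Google address and the form URL is different every time, neither sender reputation nor URL pattern matching catches this lure on its own; the content of the receipt is what gives it away. The following script is an added example written for this article, not code from the researchers or vendors cited above. It scores Google Forms response receipts on the indicators the article describes (a fake subscription or payment notice, a dollar amount, and a phone number to call) and routes matches to manual review. The sample messages are constructed, the lure vocabulary and thresholds are assumptions chosen for illustration, and a real mail filter would tune them against its own traffic.

```python
import re
from email import message_from_string

# The sender Google Forms uses for response receipts. It is legitimate, so a
# reputation check alone will not flag mail from it (the point the article makes).
FORMS_RECEIPT_SENDER = "forms-receipts-noreply@google.com"

# Vocabulary typical of the fake-subscription lure. Assumption: this list is
# illustrative and not taken from any published detection rule.
LURE_TERMS = ("subscription", "renew", "charged", "cancel", "payment",
              "invoice", "support", "call")
# North American phone numbers and dollar amounts in the $50-$500 range and beyond.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"\$\s?\d{2,4}(?:\.\d{2})?")


def analyze_receipt(raw_message: str) -> dict:
    """Score one RFC 822 message and return its indicators plus a verdict.

    The verdict is "review" when the mail is a Google Forms receipt and its body
    shows at least two of: a phone number, a dollar amount, two or more lure
    terms. Everything else is "pass" and falls through to the normal mail flow.
    """
    msg = message_from_string(raw_message)
    sender = msg.get("From", "").lower()
    # Receipts in this campaign are plain text; multipart mail is left to other rules.
    body = "" if msg.is_multipart() else str(msg.get_payload())
    text = body.lower()

    is_forms_receipt = FORMS_RECEIPT_SENDER in sender
    has_phone = PHONE_RE.search(text) is not None
    has_amount = AMOUNT_RE.search(text) is not None
    lure_hits = sum(text.count(term) for term in LURE_TERMS)

    indicators = sum([has_phone, has_amount, lure_hits >= 2])
    verdict = "review" if is_forms_receipt and indicators >= 2 else "pass"
    return {
        "is_forms_receipt": is_forms_receipt,
        "has_phone": has_phone,
        "has_amount": has_amount,
        "lure_hits": lure_hits,
        "verdict": verdict,
    }


# Constructed sample messages (not real captures). Addresses and the phone number
# use reserved example ranges.
SUSPECT_RECEIPT = """From: Google Forms <forms-receipts-noreply@google.com>
To: victim@example.net
Subject: Norton Antivirus - payment confirmation
Content-Type: text/plain; charset=utf-8

Thank you. Your annual subscription has been renewed and your card will be charged $349.99.
To cancel, call our support desk at (800) 555-0199 within 24 hours.
"""

BENIGN_RECEIPT = """From: Google Forms <forms-receipts-noreply@google.com>
To: alice@example.net
Subject: Team lunch preferences - response receipt
Content-Type: text/plain; charset=utf-8

Here is a copy of your response. Dietary preference: vegetarian. Attending: yes.
"""

# Same lure text from an ordinary sender: out of scope for this rule, which only
# narrows the Google Forms receipt channel; other filters still see this mail.
NON_FORMS_MAIL = """From: billing@example.org
To: bob@example.net
Subject: Your subscription
Content-Type: text/plain; charset=utf-8

Your subscription was charged $50. Call 800-555-0150 to cancel.
"""

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT_RECEIPT),
                         ("benign", BENIGN_RECEIPT),
                         ("non-forms", NON_FORMS_MAIL)):
        print(name, analyze_receipt(sample))
```

The rule deliberately requires two independent indicators so that an ordinary receipt mentioning a price, or one containing a contact number, is not quarantined on its own; the combination of a trusted-but-abusable sender with a call-to-action, an amount and a phone number is what matches the campaign's pattern.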