Friday, November 15, 2024

Cyber attackers abusing Google Forms — Cybersecurity expert

Google Forms offer cyberattackers an attractive proposition: the forms are easy to implement and trusted by both organisations and consumers, and the traffic is secured with TLS encryption so it can’t be easily inspected by defenders, making it a free attack infrastructure. — AFP photo

KUCHING: Sophos, a global leader in next-generation cybersecurity, has published research, ‘Phishing and Malware Actors Abuse Google Forms for Credentials, Data Exfiltration’, describing how cyberattackers – from entry-level scammers to advanced adversaries – abuse Google Forms to implement a wide range of attacks, targeting both organisations and individuals.

“The extent to which cyberattackers abuse Google Forms came to light while we were researching how malware abuses encryption to conceal its activities and communications,” Sophos senior threat researcher Sean Gallagher said.

“Google Forms offer cyberattackers an attractive proposition: the forms are easy to implement and trusted by both organisations and consumers; the traffic to and from the service is secured with Transport Layer Security (TLS) encryption so it can’t be easily inspected by defenders; and the whole set up essentially provides a free attack infrastructure.

“Our analysis shows that while most abuse of Google Forms by cyberattackers remains firmly in the low-skill phishing and fraud spam space, there are increasing signs that adversaries are taking advantage of the platform for more sophisticated attacks.

“Sophos’ examples of this include attackers using Google Forms to exfiltrate data and for malware command-and-control.”

The following are the seven ways that Sophos researchers have identified cyberscammers and malware operators abusing Google Forms.

Despite the fact that Google warns users on every page of a form not to enter password details, Sophos found several examples where attackers tried to convince potential victims to enter their credentials into a Google Form laid out to resemble a login page. These forms were often tied to malicious spam campaigns.

It also pointed out that one of the largest sources of Google Forms links in spam was ‘unsubscribe’ links in scam-related marketing emails. Sophos has intercepted a number of spam-based phishing campaigns that targeted Microsoft online accounts, including Office365. The spam claimed that recipients’ email accounts were about to be shut down if they were not immediately verified, and offered a link to a Google Form that asked the user to enter their Microsoft credentials. These Google Forms pages were decorated with Microsoft graphics but were still clearly Google Forms.

Entry-level scammers also use Google Forms’ ready-made design templates to attempt to steal payment data through faked “secure” e-commerce pages.

Aside from that, the researchers discovered a number of potentially unwanted applications (PUAs) targeting Windows users. These apps use Google Forms pages surreptitiously, with the web requests collected and submitted to forms automatically without any need for user interaction.

Sophos found some malicious Android applications that made use of Google Forms to capture data without having to code a back-end website. Most of these were adware or PUAs. For instance, the researchers found “SnapTube,” a video app that generates revenue for the developer through web advertising fraud and which includes a Google Forms page for user feedback.

The researchers uncovered a number of more sophisticated threats abusing Google Forms. This included malicious Windows applications that used web requests to Google Forms pages to ‘push’ stolen data from computers to a Google spreadsheet via Google Forms.

Sophos telemetry has detected a number of PowerShell scripts interacting with Google Forms. Sophos was able to prototype how PowerShell scripts could be used to scrape Windows profiling data from a computer and submit it to a Google Forms form automatically.

“Google frequently shuts down accounts associated with a mass abuse of applications, including Google Forms. However, the kind of low-volume, targeted use of Forms by some malware could stay under the radar.

“Business defenders need to be alert to this threat and apply caution whenever they see links to Google Forms, or any other legitimate services trying to obtain credentials, and they should not inherently trust TLS traffic to ‘known good’ domains such as docs.google.com.”
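As an added illustration of that advice (not code from Sophos or from the original article), the sketch below scans endpoint web telemetry for Google Forms submissions made by something other than a browser, which is the pattern described for the PUAs and PowerShell scripts above. It assumes an endpoint agent or inspecting proxy that records the requesting process and the full URL; the log layout, host names, form IDs, the browser allow-list and the process name `updater_helper.exe` are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed endpoint web telemetry: time, host, process, method, URL.
SAMPLE_LOG = """\
2024-01-10T09:01:12Z WS-014 chrome.exe GET https://docs.google.com/forms/d/e/FORM_ID_A/viewform
2024-01-10T09:01:40Z WS-014 chrome.exe POST https://docs.google.com/forms/d/e/FORM_ID_A/formResponse
2024-01-10T09:05:03Z WS-022 powershell.exe POST https://docs.google.com/forms/d/e/FORM_ID_B/formResponse
2024-01-10T09:35:03Z WS-022 powershell.exe POST https://docs.google.com/forms/d/e/FORM_ID_B/formResponse
2024-01-10T10:11:47Z WS-031 updater_helper.exe POST https://docs.google.com/forms/d/e/FORM_ID_C/formResponse
2024-01-10T10:12:00Z WS-031 outlook.exe GET https://docs.google.com/document/d/DOC_ID/edit
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allow-list
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Form submissions are POSTed to /forms/d/e/<form id>/formResponse
FORM_PATH = re.compile(r"^/forms/(?:u/\d+/)?d/(?:e/)?([\w-]+)/formResponse$")

def parse_line(line):
    """Split one telemetry line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, host, proc, method, url = parts
    return {"ts": ts, "host": host, "proc": proc.lower(), "method": method.upper(), "url": url}

def form_submission(event):
    """Return the form id if the event is a POST to a Google Forms response endpoint."""
    u = urlsplit(event["url"])
    m = FORM_PATH.match(u.path)
    if u.hostname == "docs.google.com" and m and event["method"] == "POST":
        return m.group(1)
    return None

def find_suspicious(log_text):
    """Group non-browser form submissions by (host, process, form id) with a severity."""
    hits = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        form_id = form_submission(event) if event else None
        if form_id and event["proc"] not in BROWSERS:
            hits[(event["host"], event["proc"], form_id)] += 1
    return [
        {"host": h, "proc": p, "form": f, "count": n,
         "severity": "high" if p in SCRIPT_HOSTS else "medium"}
        for (h, p, f), n in sorted(hits.items())
    ]
```

Calling `find_suspicious(SAMPLE_LOG)` reports the two PowerShell submissions from WS-022 as one high-severity finding and the unknown helper process on WS-031 as medium, while the browser submission and the Google Docs request are ignored.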

Sophos products, including Intercept X for endpoints, defend against most malicious spam that carries forms-based phishing campaigns and detect the behaviors of system information collection discussed in the new research.

Sophos also advises consumers to install a security solution, such as Sophos Home, on the devices that they and their families use for online communications and gaming to protect everyone from malware and cyberthreats.





