Because the links are to /forms-and they say “Google Forms” at the bottom, as well as warning “Never submit passwords through Google Forms”-they are easily distinguished as scams. In both cases, any data entered into these forms gets stored in a Google Sheets document, ready for export by the phishing campaign operator. The phishing page behind the link is similarly bare-bones: This email targeted and Hotmail users:Ĭlicking on the “update now” link leads to this Google Form:Ī similar recent spam campaign targets Office 365 users with a very bare-bones lure: The spam claimed that recipients’ email accounts were about to be shut down if they were not immediately verified, and offered a link to perform that verification-a Google Forms link, leading to a form decorated with Microsoft graphics but still clearly a Google Form. But Sophos has intercepted a number of spam-based phishing campaigns that targeted Microsoft online accounts, including Office 365, with the barest of efforts. One of the largest sources of Google Forms links in spam were “unsubscribe” links in scam marketing emails. But entry-level scammers can and do use Google Forms’ ready-made design templates to attempt to steal payment data through faked “secure” e-commerce pages, or create phishing forms that are believable if not examined too closely. Most sophisticated web phishing attacks use HTML that closely mimics the design of the sites of the services they target. For the purposes of demonstration, we reproduced the exfiltration capability in a Python script using crafted web requests to push system data to a Google spreadsheet through Forms for aggregation. And then there were a few examples of malicious Windows applications that used web requests to Google Forms pages to exfiltrate data from computers. We also uncovered a number of malicious Android applications that made use of Google Forms for user interface elements (though not for malicious purposes). Often these forms were tied to malicious spam campaigns. In some cases, Google Forms were used in rudimentary phishing attacks, attempting to convince victims to enter their credentials into a form designed to look somewhat like a login page (despite Google Forms’ text on every form warning users not to enter passwords into them). Google Forms abuse comes in a variety of forms. Since Google Forms are protected by TLS, the contents of data submitted to forms can’t be checked without the use of a web proxy, and the traffic otherwise looks like legitimate communications to a Google application. In each case, malicious actors use the web-based interfaces of the service to either retrieve stored binaries, retrieve specific data that affects their performance, report results of execution or exfiltrate data from infected systems. We’ve seen malware use Google Docs and Google Sheets as part of their infection chain and command and control systems in the past, much in the same way they make use of services like GitHub, Pastebin, Telegram and Discord. The abuse of legitimate public cloud services by malware is nothing new. Among the destinations we found in telemetry were a host of Google Forms pages. SpreadsheetApp.getUi().showModalDialog( htmlOutput, `openUrl function in generic.gs is now opening a URL.Earlier this year as we researched malware use of Transport Layer Security-based communications to conceal command and control traffic and downloads, we found a disproportionate amount of traffic going to Google cloud services. Var htmlOutput = HtmlService.createHtmlOutput(html).setWidth( 250 ).setHeight( 300 ) Var html = HtmlService.createHtmlOutput('' This function opens a URL without requiring additional user interaction.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |