Google Forms is fast becoming a favorite tool for cybercriminals

By Mayank Sharma
published

Experienced attackers use Google Forms to complement their attack infrastructure

security
(Image credit: Shutterstock)
Audio player loading…

Cybersecurity (opens in new tab) researchers have identified over half a dozen ways in which cyber scammers and malware (opens in new tab) operators abuse Google Forms (opens in new tab), as part of a wide range of attacks.

The researchers at Sophos (opens in new tab) discovered cybercriminals’ affinity for Google Forms while researching how malware operators were evading detection by increasingly adopting encrypted communication protocols.

“Our analysis shows that while most abuse of Google Forms by cyberattackers remains firmly in the low-skill phishing (opens in new tab) and fraud spam space, there are increasing signs that adversaries are taking advantage of the platform for more sophisticated attacks,” shared Sean Gallagher, senior threat researcher at Sophos. 

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window (opens in new tab) <<

Gallagher adds that they have in fact spotted threat actors using Google Forms for everything from helping exfiltrate data to using it to host a malware command and control (C2) server.

Use and scoot

Sophos has identified (opens in new tab) seven malicious ways threat actors use Google Forms to conduct their spiteful activities. 

In addition to its use to facilitate traditional phishing campaigns, entry-level scammers use the online survey administration software’s ready-made design templates to craft fake e-commerce pages to steal payment details.

“Google Forms offer cyberattackers an attractive proposition: the forms are easy to implement and trusted by both organizations and consumers; the traffic to and from the service is secured with Transport Layer Security (TLS) encryption so it can’t be easily inspected by defenders; and the whole set up essentially provides a free attack infrastructure,” reasons Gallagher.

The researchers add that it appears the attackers are conscious of Google’s policy of shuttering accounts that abuse its apps, including Google Forms, on a mass scale. The researchers observed that the low-volume, targeted use of the service helps the abuse fly under the radar, and evade detection.

Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

See more Computing news