This sneaky malware hijacks Google Forms to demand money in nasty phishing scheme


A new version of BazarCall, a phishing attack designed to take money from victims, has been observed, this time hijacking Google Forms to generate fake payment receipts in order to make malicious phishing attacks look more legitimate.

The attack gets its name from the way it manipulates victims into engaging with the threat actor, sometimes by means of a phone call.

The alert, raised by Abnormal Security, reveals the latest wave of BazarCall attacks after they first became popular in 2020.

Watch out for that strange receipt

The campaign begins with a phishing email that looks like a receipt for a payment or subscription. Abnormal Security says that supposed charges range from $49.99 to over $500 – pretty significant amounts that are designed to raise alarm bells for victims.

The group has been observed impersonating dozens of high-profile companies, including Netflix, Hulu, Disney+, McAfee, and Norton.

The sense of urgency pushed onto the victim then pressures them into calling a number displayed in the email to dispute the charge.

The attacker uses Google Forms to create a fake invoice, using details like invoice numbers, payment methods, and the product or service. They then enter the victim’s email address into one of the fields which prompts a receipt to be sent to the victim.

This way, the email comes from a Google domain, which helps it evade detection by improving the sense of legitimacy.
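Because the sending domain is trusted, a mail filter has to look at what the receipt says rather than who sent it. The following is an added example, not code from Abnormal Security or Google: a content heuristic that flags Google-sent mail which bills for a third-party brand or amount and gives a phone number to call. The `google.com` sender domain, the regexes, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands the article names as impersonated in this campaign.
BRANDS = ("netflix", "hulu", "disney+", "mcafee", "norton")
# Assumption: Forms receipts are sent from an address at google.com.
FORMS_SENDER_DOMAIN = "google.com"
AMOUNT_RE = re.compile(r"\$\s?\d{2,4}(?:\.\d{2})?")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def plain_text(msg):
    """Concatenate every text/plain part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def callback_phish_signals(raw_email):
    """Return the indicators present, in a fixed order."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = plain_text(msg)
    checks = [
        ("google_sender", sender.rpartition("@")[2] == FORMS_SENDER_DOMAIN),
        ("brand", any(b in body.lower() for b in BRANDS)),
        ("amount", bool(AMOUNT_RE.search(body))),
        ("phone", bool(PHONE_RE.search(body))),
    ]
    return [name for name, hit in checks if hit]

def is_suspect(raw_email):
    """Google-sent mail that bills for a brand or amount and asks for a call."""
    s = callback_phish_signals(raw_email)
    return "google_sender" in s and "phone" in s and ("brand" in s or "amount" in s)

# Constructed sample messages (not taken from the campaign).
BODY = ("Thank you for your Norton subscription renewal.\n"
        "Invoice: INV-48213\nAmount charged: $349.99\n"
        "To dispute this charge call 1-888-555-0142\n")
SUSPECT = "From: Google Forms <forms-receipts-noreply@google.com>\nSubject: Receipt\n\n" + BODY
BENIGN = ("From: Google Forms <forms-receipts-noreply@google.com>\nSubject: RSVP\n\n"
          "Thanks for your RSVP to the team lunch on Friday.\n")
OTHER_SENDER = "From: Billing <billing@example.com>\nSubject: Receipt\n\n" + BODY

if __name__ == "__main__":
    for name, raw in [("suspect", SUSPECT), ("benign", BENIGN), ("other", OTHER_SENDER)]:
        print(name, callback_phish_signals(raw), is_suspect(raw))
```

The rule deliberately ignores mail from other senders, which ordinary sender-reputation checks already cover; it targets only the case where the trusted sender is the problem.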

The goal is for the group to gain access to an organization’s assets by tricking the recipient into installing malware.

Abnormal Security says that legacy security tools like secure email gateways are no longer capable of keeping up with these more advanced attack methods. With it being 2023, it should come as no surprise that artificial intelligence is being suggested as the solution.

The company says that AI-native solutions would be able to use ML to identify this email as an attack. Clearly, more creative and novel attacks are demanding a revised approach to security as we know it today.

A Google spokesperson told TechRadar Pro in an email: "Workspace has numerous layers of defenses to keep users safe. We are aware of the recent phishing attacks using Forms, and while they appear to be isolated to a small number of users, we are working to improve detection."

They added that protecting users from malware and other malicious behavior is a top priority for the company, which has been using ML to detect and block phishing attacks.


Craig Hale
