Cybercriminals Exploit Fake Google Forms to Steal User Credentials
A sophisticated phishing campaign has emerged, targeting job seekers by impersonating Google Forms to harvest Google account credentials. Attackers have registered a deceptive domain, forms.google.ss-o[.]com, closely resembling the legitimate forms.google.com; the registrable domain here is actually ss-o[.]com, and "forms.google" is only a subdomain label. The inclusion of ss-o is a deliberate attempt to mimic single sign-on, an authentication method that allows users to access multiple applications with one set of credentials, thereby adding an air of legitimacy to the fraudulent site.
Victims receive phishing links through targeted emails or LinkedIn messages, directing them to a counterfeit Google Forms page. This page advertises a Customer Support Executive position, requesting applicants to provide their name, email, and a justification for their suitability for the role. The fake form replicates Google’s design elements, including official logos, color schemes, and the standard disclaimer stating, "This content is neither created nor endorsed by Google."
Malwarebytes analysts identified this campaign during their investigation into job-themed phishing attacks, revealing the extent of this credential harvesting operation. The attackers have implemented redirect mechanisms to prevent security researchers from analyzing their infrastructure. When suspicious URLs are accessed, victims are redirected to local Google search pages, effectively concealing the malicious activity.
Technical Infrastructure Behind the Attack
The phishing crew deployed a file named generation_form.php on their domain to create personalized URLs for each victim. This script generates unique links that track individual targets, enhancing the effectiveness of the phishing attempt.
When victims click the Sign in button on the fake form, they are redirected to id-v4[.]com/generation.php, a domain that has been associated with phishing campaigns for nearly a year. This redirection facilitates the collection of login credentials, which can then be exploited for unauthorized access to victims’ accounts.
Protective Measures
To safeguard against such phishing attacks, consider the following measures:
– Exercise Caution with Unsolicited Job Offers: Avoid clicking on links in unsolicited job offers, regardless of their apparent legitimacy.
– Utilize Password Managers: Password managers can prevent credential autofill on fraudulent websites, reducing the risk of credential theft.
– Implement Real-Time Anti-Malware Solutions: These tools can detect and block phishing attempts, providing an additional layer of security.
– Educate Employees: Organizations should train employees to identify suspicious domains and verify job opportunities through official channels.
– Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security, preventing unauthorized access even if credentials are compromised.
Indicators of Compromise
– id-v4[.]com: This domain has been taken down but was previously used in phishing campaigns.
– forms.google.ss-o[.]com: This is an active phishing domain impersonating Google Forms.
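The following is an added example, not code from the article or from Malwarebytes, showing one way a defender could turn the two indicators above and the forms.google.ss-o[.]com lookalike pattern into a log check. It refangs the IoCs, extracts hostnames from proxy log lines, and flags both exact IoC hits and hosts where "google" appears only as a subdomain label rather than as the registrable domain (the same mismatch that stops a password manager from autofilling on such a page). The log lines, usernames and the google.com.login-example.test host are constructed for the example, and the two-label registrable-domain rule is a simplification.

```python
from urllib.parse import urlsplit

# Indicators of compromise as listed in the article, in defanged form.
DEFANGED_IOCS = ["id-v4[.]com", "forms.google.ss-o[.]com"]

# Constructed sample proxy log lines (not from the article), in a simple
# "timestamp user url" layout, used to exercise the checks below.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice https://forms.google.com/d/e/EXAMPLE-ID/viewform
2024-05-01T09:14:47Z bob https://forms.google.ss-o.com/generation_form.php?id=7
2024-05-01T09:15:02Z bob https://id-v4.com/generation.php
2024-05-01T09:20:11Z carol https://accounts.google.com/signin
2024-05-01T09:21:30Z dave http://google.com.login-example.test/forms
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'id-v4[.]com' back into a hostname."""
    return indicator.replace("[.]", ".").lower()


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'ss-o.com'.

    Assumption: a two-label rule is enough for this example. A production
    check should consult the Public Suffix List so that hosts under
    'co.uk'-style suffixes are handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_brand_lookalike(host: str, brand_domain: str = "google.com") -> bool:
    """True when the brand name appears as a label in the hostname but the
    host is not under the brand's registrable domain (e.g. forms.google.ss-o.com)."""
    host = host.lower()
    brand_label = brand_domain.split(".")[0]
    return brand_label in host.split(".") and registrable_domain(host) != brand_domain


def scan_log(log_text: str, iocs=DEFANGED_IOCS):
    """Return (user, host, reason) for each log line whose hostname is a known
    IoC or looks like a brand-impersonation lookalike."""
    ioc_hosts = {refang(i) for i in iocs}
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        _timestamp, user, url = parts
        host = urlsplit(url).hostname or ""
        if host in ioc_hosts:
            findings.append((user, host, "known IoC"))
        elif is_brand_lookalike(host):
            findings.append((user, host, "brand lookalike"))
    return findings


if __name__ == "__main__":
    for user, host, reason in scan_log(SAMPLE_LOG):
        print(f"{user}\t{host}\t{reason}")
```

Running the block against the constructed log reports bob's visits to forms.google.ss-o.com and id-v4.com as known IoC hits and dave's visit to google.com.login-example.test as a brand lookalike, while the genuine forms.google.com and accounts.google.com entries pass. The hostname comparison deliberately uses the registrable domain rather than a substring match, because "google" appearing anywhere in a hostname is exactly what the attackers rely on.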
By remaining vigilant and implementing these protective measures, individuals and organizations can reduce the risk of falling victim to such sophisticated phishing campaigns.