Researchers now warn that attackers are collecting reconnaissance for future business email compromise attacks using Google Forms.
A threat player appears to have been sending 1,000s of emails to organisations, in what researchers have identified as a ‘reconnaissance campaign’ to find targets for a possible follow-up business-email-compromise (BEC) attack.
To date, researchers have observed 1,000s of messages being sent to companies since Dec. 2020, predominantly delivered to retail, telecommunications, healthcare, energy & manufacturing sectors. The campaign uses Google’s Forms survey tool too.
Ongoing Dialogue
This use of Google Forms by cyber-criminals is not new & is routinely seen in credential phishing campaigns to bypass email security content filters. But, in this attack, the use of Google Forms may also prompt an ongoing dialogue between the email recipient & the attacker – setting them up as a victim for a future BEC trap, researchers comment.
“This hybrid campaign combines the benefits of scale & legitimacy by leveraging Google Services with social engineering attacks, usually associated with BEC,” according to Proofpoint researchers in a Wed. analysis.
Quick Moment
The messages contain unique names of C-level executives from the target organisations, showing that the cyber-criminals have done their research in order to find victims.
These messages themselves are “simple but convey a sense of urgency,” explained researchers – they ask the victim if they have a “quick moment” to carry out a task, as the supposed sender is said to be heading into a meeting, or too busy to do the task themselves, & then point to a link in the email.
This link leads the victim to a default, untitled form hosted on Google Forms’ infrastructure. Google Forms is a survey administration software that is offered as part of Google’s Doc Editors suite. The form in this campaign is blank, & merely says “Untitled Form” with an “Untitled Question.”
E-mail Reply
Researchers think that the initial goal is to generate an email reply from the victim, to respond that the survey is broken or not what they expected. That can then start a furtherer dialogue between the victim & attacker, laying the foundation for the future BEC attack.
“As a secondary goal, the form likely serves as a sensor to simply see if anyone fills out their form, functioning as a reconnaissance technique to weed out users who may be susceptible to clicking a suspicious link found in an email,” said researchers.
Red Flags
Despite this trick, the emails themselves have several ‘red flags’ that may act as giveaways to a suspicious email recipient. This includes bad spelling & grammar, with 1 message saying: “Are your schedule flexible to run a task for me now, =m heading into a meeting now can’t take calls or text messages just e=ail me back.”
A further giveaway is the bad player’s email addresses used in this campaign, which sometimes appear to have no hint of a legitimate email at all ( e.g., fgtytgyg[@]gmail.com).
Keymashing
“We didn’t observe an established pattern across the spoofed emails; however, some of the addresses look like they were made with random keymashing while others incorporate common names/phrases,” Sherrod DeGrippo, Senior Director of Threat Research & Detection at Proofpoint outlined.
Researchers think that this is just the start of the campaign – they say, attackers may be collecting reconnaissance to identify targets for undetermined follow-on threat activity.
BEC Actors
“The tone of urgency in the emails is consistent with previous BEC actors, & therefore, we want to ensure security awareness of these attempts as an indication or warning to customers & the security community,” stated researchers.
Attackers have previously used Google services – including Google Forms – in various malicious ways. One phishing attack in Nov. used Google Forms as a landing page to collect victims’ credentials, with the forms masquerading as login pages from more than 25 different companies, brands and government agencies.
American Express
Another Nov. campaign used a Google Form & an American Express logo to try & get victims to enter their sensitive information. Also, in Nov., scammers leveraged a legitimate Google Drive collaboration feature to trick users into clicking on malicious links.
“While social engineering is pervasive throughout email-borne attacks, it is employed differently in malware & credential phishing than in BEC campaigns,” suggested Proofpoint researchers.
“In a malware campaign, social engineering is used in the initial email. Conversely, in BEC, social engineering is used throughout the lifecycle of the fraud. Although rare, we observe actors delivering malware after the exchange of benign messages.”
https://www.cybernewsgroup.co.uk/virtual-conference-january-2021/
