Full Report
The form and quiz-building tool is a popular vector for social engineering and malware. Here’s how to stay safe.
Analysis Summary
# Tool/Technique: Abuse of Google Forms for Social Engineering and Malware Distribution
## Overview
Google Forms, a popular and widely trusted form and quiz-building tool, is being abused by threat actors as a low-cost, high-return vector for social engineering attacks, primarily phishing and credential harvesting, and occasionally for tricking users into installing malware. Its legitimacy and encryption often allow malicious links to bypass traditional email security filters.
## Technical Details
- Type: Technique (Abuse of legitimate cloud service)
- Platform: Web-based (Affects end-users across all platforms accessing the form)
- Capabilities: Creating convincing phishing interfaces, harvesting user input (credentials, financial data), redirecting users to malware sites, facilitating callback phishing.
- First Seen: Ongoing; the specific abuse vector keeps evolving.
## MITRE ATT&CK Mapping
This abuse leverages techniques across several categories:
- **TA0001 - Initial Access**
  - T1566 - Phishing
  - T1566.001 - Spearphishing Attachment (If the form link is sent via targeted email)
  - T1566.002 - Spearphishing Link
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping (Indirectly, if credentials are stolen)
- **TA0009 - Collection**
  - T1119 - Automated Collection (Gathering harvested data)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (Using HTTP/S to host the malicious form)
## Functionality
### Core Capabilities
- **Social Engineering Platform:** Used to create convincing spoofs of legitimate login pages (banks, universities, social media) due to the inherent trust users place in the Google domain.
- **Credential Harvesting:** Directly captures usernames, passwords, and sensitive financial/personal information entered by victims into the form fields.
- **Malware Redirection:** Forms can contain links that redirect victims to external websites designed for covert malware installation.
- **Vishing Facilitation (Callback Phishing):** Forms include phone numbers, urging victims to call for urgent assistance (e.g., account blockage alerts), connecting them to voice phishing (vishing) operators.
### Advanced Features
- **Filter Evasion:** Exploits the trust accorded to legitimate Google infrastructure and utilizes **TLS encryption** and **dynamic URLs** to hinder inspection by security tools.
- **Quiz Spam:** Abuse of the quiz "release scores" feature to inject malicious links into the score reporting message sent to the target's email address.
## Indicators of Compromise
Since this is an abuse of a legitimate service, specific IOCs are highly dynamic and context-dependent.
- File Hashes: N/A (No specific malicious binaries analyzed here, only landing pages/forms)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Dynamic URLs generated by Google Forms (`forms[dot]gle[dot]com/_____`) leading to credential collection pages or malware download sites.
- Behavioral Indicators:
  - Receiving unsolicited emails containing links to Google Forms requesting immediate login or verification.
  - Forms impersonating trusted brands demanding sensitive data input or directing users to call an unfamiliar number.
  - Users being instantly redirected after submitting a form.
## Associated Threat Actors
The set of threat actors leveraging high-profile, trusted platforms like Google Forms is broad, encompassing various financially motivated groups and cybercriminals focused on high-volume phishing campaigns for easy returns. Specific actors mentioned contextually include those utilizing the **BazarCall** campaign structure.
## Detection Methods
- **Signature-based detection:** Less effective against the legitimate form links themselves, but effective against known malicious redirection destinations or malware payloads delivered after the form interaction.
- **Behavioral detection:** Monitoring for unusual user input submission patterns, rapid redirection from legitimate cloud services to suspicious external sites, and activity suggestive of vishing callbacks originating from form links.
- **YARA rules:** Not applicable for analyzing the form content structure itself, but applicable for any delivered malware payloads.
## Mitigation Strategies
- **Layered Security Software:** Employ comprehensive endpoint protection capable of analyzing dynamic link behavior and scanning downloaded files.
- **User Awareness & Skepticism:** Train users to be highly skeptical of unsolicited communications demanding urgent action via links or phone calls. Advise contacting entities separately through verified channels instead of using provided contact information.
- **MFA Enforcement:** Implement Multi-Factor Authentication (MFA) on all critical accounts (banking, email, university) to prevent successful account takeover even if passwords are stolen. Hardware keys provide the strongest protection.
- **Input Vigilance:** Adhere strictly to Google’s inherent warning: **"Never submit passwords through Google Forms."**
- **Email Security Enhancement:** Configure email security solutions to deeply inspect links originating from file-sharing or productivity platforms, checking for signs of impersonation or unusual forwarding chains.
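As an added example (not part of this report), the behavioral detection points above and the email link-inspection mitigation can be combined into a simple triage over parsed mail records: any message carrying a Google Forms link is scored on external sender, urgency wording, a request for secrets, and an embedded callback number. The link shapes (forms.gle and docs.google.com/forms), the keyword lists, the score weights and the sample messages are assumptions and constructed data.

```python
import re
from dataclasses import dataclass, field
# Link shapes assumed here: forms.gle short links and docs.google.com/forms full links.
FORMS_URL = re.compile(r"https?://(?:forms\.gle/[\w-]+|docs\.google\.com/forms/[^\s\"'<>]+)", re.I)
# Urgency wording typical of the "account blocked, act now" lure.
URGENCY = re.compile(r"\b(?:urgent|immediately|verify|suspended|blocked|locked|login)\b", re.I)
# Secrets a legitimate form never needs ("Never submit passwords through Google Forms").
CREDENTIAL = re.compile(r"\b(?:password|passcode|pin|cvv|card number)\b", re.I)
# A callback number beside the form link is the vishing (callback phishing) pattern.
PHONE = re.compile(r"(?<!\d)\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
@dataclass
class Finding:
    msg_id: str
    score: int = 0
    reasons: list = field(default_factory=list)

def score_message(msg: dict, trusted_domains: set) -> Finding:
    """Score one parsed mail record (dict with id/from/subject/body keys)."""
    f = Finding(msg["id"])
    links = FORMS_URL.findall(msg["body"])
    if not links:
        return f                      # no Google Forms link: nothing to score
    text = msg["subject"] + " " + msg["body"]
    f.score += 1; f.reasons.append(f"google_forms_link:{len(links)}")
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain not in trusted_domains:
        f.score += 1; f.reasons.append(f"external_sender:{sender_domain}")
    if URGENCY.search(text):
        f.score += 1; f.reasons.append("urgency_language")
    if CREDENTIAL.search(text):
        f.score += 2; f.reasons.append("credential_request")
    if PHONE.search(msg["body"]):
        f.score += 1; f.reasons.append("callback_number")
    return f

def triage(messages, trusted_domains, threshold=3):  # hits at/above threshold, highest first
    hits = [score_message(m, trusted_domains) for m in messages]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)

# Constructed sample mail records (not real messages; form URLs are made up).
TRUSTED_DOMAINS = {"corp.example"}
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "alerts@bank-secure-notice.example", "subject": "Urgent: account blocked",
     "body": "Verify your login at https://forms.gle/AbCd123xyz or call (555) 010-2345 now."},
    {"id": "m2", "from": "hr@corp.example", "subject": "Team lunch preferences",
     "body": "Pick a dish at https://docs.google.com/forms/d/e/1FAIpQLSexample/viewform by Friday."},
    {"id": "m3", "from": "news@vendor.example", "subject": "Monthly update",
     "body": "Read more at https://vendor.example/news"},
    {"id": "m4", "from": "it-support@corp.example", "subject": "Password reset required",
     "body": "Confirm your current password at https://docs.google.com/forms/d/e/1FAIpQLSother/viewform"},
]
```

Note that the internal "password reset" message (m4) is flagged on the credential-request rule alone, which is the point of the "never submit passwords through Google Forms" guidance: a trusted sender does not make a form a safe place for a password.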
## Related Tools/Techniques
- Use of Microsoft SharePoint/OneDrive links for phishing.
- Abuse of other trusted third-party services (e.g., Calendly, Dropbox) for initial access via social engineering.
- Traditional phishing websites built in-house.
- Vishing/Voice Phishing campaigns.