Brand New BazarCall Phishing Campaign Abuses Google Forms

BazarCall Phishing CampaignA new BazarCall phishing campaign is using Google Forms to send phony invoices, according to researchers at Abnormal Security.

“BazarCall/BazaCall attacks typically start with a phishing email designed to appear as a payment notification or subscription confirmation from a known brand,” Abnormal explains. “Within the email, recipients can find the amount to be charged—generally between $49.99 to $500 or more, depending on the subscription or service being impersonated. Also included is a phone number they can contact to dispute the charges or cancel the subscription or service. This scenario creates a false sense of urgency for the recipient, compelling them to call the listed phone number.”

When a target calls the number, a scammer will try to trick them into installing malware.

“BazarCall campaigns have involved the impersonation of a dozen different recognizable brands, including streaming services like Netflix, Hulu, and Disney+, online learning platforms like Masterclass, and security subscriptions like McAfee, Norton, and GeekSquad,” the researchers add.

In a recent campaign, the attackers crafted phony invoices in Google Forms and used the response receipt option to send an automated message to a targeted email address. The recipient will get what looks like an invoice for a subscription to Norton Antivirus for more than $340, along with a phone number to cancel the charge.

The use of a legitimate service Google Forms enables the attacks to slip past many technical defenses.

“First, there are no clear indicators of compromise, such as a malicious link or harmful attachment,” the researchers explain. “The only links included in the email are hosted on google[.]com, a reputable and trusted domain. Further, Google Forms is a widely used and legitimate service for creating surveys, quizzes, and forms. The emails used in BazarCall attacks originate from a trustworthy source and may appear benign, making it challenging for SEGs to distinguish them from legitimate forms. Additionally, Google Forms often use dynamically generated URLs. The constantly changing nature of these URLs can evade traditional security measures that utilize static analysis and signature-based detection, which rely on known patterns to identify threats.”

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Abnormal Security has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews