A new BazarCall phishing campaign is using Google Forms to send phony invoices, according to researchers at Abnormal Security.
“BazarCall/BazaCall attacks typically start with a phishing email designed to appear as a payment notification or subscription confirmation from a known brand,” Abnormal explains. “Within the email, recipients can find the amount to be charged—generally between $49.99 to $500 or more, depending on the subscription or service being impersonated. Also included is a phone number they can contact to dispute the charges or cancel the subscription or service. This scenario creates a false sense of urgency for the recipient, compelling them to call the listed phone number.”
When a target calls the number, a scammer will try to trick them into installing malware.
“BazarCall campaigns have involved the impersonation of a dozen different recognizable brands, including streaming services like Netflix, Hulu, and Disney+, online learning platforms like Masterclass, and security subscriptions like McAfee, Norton, and GeekSquad,” the researchers add.
In a recent campaign, the attackers crafted phony invoices in Google Forms and used the response receipt option to send an automated message to a targeted email address. The recipient will get what looks like an invoice for a subscription to Norton Antivirus for more than $340, along with a phone number to cancel the charge.
The use of a legitimate service Google Forms enables the attacks to slip past many technical defenses.
“First, there are no clear indicators of compromise, such as a malicious link or harmful attachment,” the researchers explain. “The only links included in the email are hosted on google[.]com, a reputable and trusted domain. Further, Google Forms is a widely used and legitimate service for creating surveys, quizzes, and forms. The emails used in BazarCall attacks originate from a trustworthy source and may appear benign, making it challenging for SEGs to distinguish them from legitimate forms. Additionally, Google Forms often use dynamically generated URLs. The constantly changing nature of these URLs can evade traditional security measures that utilize static analysis and signature-based detection, which rely on known patterns to identify threats.”
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Abnormal Security has the story.