Application security, Malware, Phishing, Vulnerability Management, Threat Management

Thousands of BEC lures use Google Forms in recon campaign

Google Cloud and Thales are joining forces to give organizations more control over their encryption keys – and sensitive data.  (Originally appeared on Flickr by brionv/CC BY 2.0)

Researchers say they have observed thousands of messages using Google Forms to target retail, telecom, healthcare, energy and manufacturing companies in an apparent reconnaissance campaign to launch future business email compromises (BECs).

The attackers used Google Forms to bypass email security content filters based on keywords, according to a blog released Wednesday by Proofpoint Threat Research. The researchers said the hybrid attack used Google Forms with social engineering attacks more commonly associated with BECs.

Through Google Forms, attackers compose and send emails from unique email addresses of c-level executives, to evade ingress and egress email filters, and made no attempt to use display-name spoofing. The specific emails are simple but convey a sense of urgency. They demand a "Quick Task" from the user in response to the sender who claims to be heading into a meeting or too busy to handle the task themselves. The actor politely asks the user if they “have a moment,” a common opener in Gift Card fraud.

The link in the email then leads the user to a default, untitled form hosted on  Google Forms. The attacker primarily seeks to elicit a reply from the victim under the pretext that the survey is faulty or not what they expected. As a secondary goal, the form likely serves as a sensor to simply see if anyone fills it out, thereby functioning as a reconnaissance technique to weed out users who may be susceptible to clicking a suspicious link found in an email.  
Given the focus on the c-suite, the Proofpoint researchers say it’s likely an email reconnaissance campaign to enable target selection for undetermined follow-on threat activity. The tone of urgency in the emails runs consistent with previous BEC actors, and therefore, Proofpoint wanted to make the industry aware of these attempts as an indication or warning to its customers and the general security community.   

While the threat actor’s motives are not fully apparent, he agreed with Proofpoint that they were likely conducting reconnaissance for future campaigns, said Austin Merritt, cyber threat intelligence analyst at Digital Shadows.

“Given that the phishing emails had significant grammatical errors, the email domain looked fraudulent, and the Google Forms survey was constructed poorly, this tactic in its current state would likely not be highly effective,” Merritt said. “However, leveraging this technique in future attacks could be useful if the conditions were right. For example, if a phishing email targeted a wide net of individuals with a spoofed email that appeared legitimate and used urgent language prompting a quick response, the chance of success would be much higher.”

The attack highlights that IT security defenses technology such as email filtering and firewalls are merely interesting challenges for hackers and phishers to overcome, according to Lucy Security CEO Colin Bastable. He said companies need a holistic defense centered around the hackers' targets: employees.

“By all means, deploy technical defenses, but they will never be enough,” Bastable said.

“Teach the staff by exposing them to simulated real-world attacks and they will be far more effective defenders than all the firewalls and barriers in 'IT-dom,'" he advised.  "Managers should also be taught to treat anything 'Google' with caution. There’s a reason why 97 percent of all breaches involve social engineering – it’s because most cybersecurity dollars are spent by CISOs on the 3 percent."

BEC security incidents are challenging because security teams have to provide evidence that a company account was indeed compromised and the incident was not just human error, explained Joseph Carson, chief security scientist and advisory CISO at Thycotic.

“With cybercriminals being really good at hiding their tracks, such evidence can sometimes be very difficult to gather,” Carson said. “As with all corporate culture today, it’s important that cyber awareness training is a top priority moving forward and always practice identity-proofing techniques to verify the source of the requests.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.