A new phishing campaign is exploiting job seekers by using fake Google Forms websites to harvest Google login credentials. Attackers are employing sophisticated domain impersonation techniques to trick unsuspecting victims into revealing sensitive information, posing a significant threat to online security for individuals seeking employment.
The operation centers around suspicious URLs that mimic legitimate Google Forms addresses. A prime example identified is forms.google.ss-o[.]com, which attempts to pass itself off as the authentic forms.google.com. In this hostname the registered domain is ss-o[.]com; “forms.google” is only a pair of subdomain labels placed in front of it. The inclusion of “ss-o” is a deliberate choice, likely intended to resemble “single sign-on,” thereby adding an air of legitimacy to the fraudulent domain and increasing the likelihood of users falling victim.
Technical Infrastructure Behind the Attack
When individuals receive these phishing links, often delivered through targeted emails or messages on platforms like LinkedIn, they are directed to what appears to be a genuine Google Forms page. This fake form advertises a Customer Support Executive position, prompting applicants to provide their name, email address, and a justification for their suitability for the role. Malwarebytes analysts uncovered this campaign during an investigation into job-themed phishing attacks, shedding light on the extensive nature of this credential harvesting scheme.
To hinder analysis by security researchers, the attackers implemented redirect mechanisms. When suspicious URLs were accessed, victims were rerouted to local Google search pages, obscuring the true nature of the phishing infrastructure. This tactic makes it more challenging to trace the origin and full scope of the malicious activity.
The phishing crew utilized a file named generation_form.php on their domain to generate personalized URLs for each victim. This script creates unique links designed to track individual targets, further refining their attack strategy. The fake website meticulously replicates Google Forms’ design elements, including official logos, color schemes, and the standard disclaimer, “This content is neither created nor endorsed by Google.” However, when a victim clicks the “Sign in” button, they are redirected to id-v4[.]com/generation.php, a domain that has been associated with phishing campaigns for approximately a year.
Protecting Against Fake Google Forms Phishing
Security experts recommend several protective measures to mitigate the risk of falling victim to such phishing campaigns. It is crucial never to click on links within unsolicited job offers, regardless of how legitimate they may initially appear. Using a password manager provides an additional layer of defense: these tools typically do not autofill credentials on fraudulent websites, and the missing autofill alerts users to a potential scam.
Additionally, employing real-time anti-malware solutions is essential for detecting and blocking phishing attempts before they can compromise user data. Organizations are advised to educate their employees on how to identify suspicious domains and verify job opportunities through official company channels. A critical security measure for all Google account users is enabling multi-factor authentication, which significantly enhances security by preventing unauthorized access even if login credentials are compromised.
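The lookalike hostname in this campaign passes a left-to-right skim but fails a check that compares whole DNS labels from the right, which is the check a mail or proxy filter should apply. The sketch below is an added example, not code from the article or from Malwarebytes; the trusted-domain list, the function names and the legitimate sample URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only parent domain treated as genuine.
TRUSTED_DOMAINS = ("google.com",)


def normalize_host(url: str) -> str:
    """Lowercase hostname of a URL; accepts defanged notation such as [.]"""
    url = url.strip().replace("[.]", ".")
    if "://" not in url:
        url = "https://" + url  # bare hostnames, as written in IoC lists
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def naive_match(host: str) -> bool:
    """Left-to-right skim: only looks at the leading labels (unsafe)."""
    return host.startswith("forms.google.")


def is_trusted(host: str) -> bool:
    """Match whole DNS labels from the right against the trusted list."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(url: str) -> str:
    host = normalize_host(url)
    if not host:
        return "invalid"
    if is_trusted(host):
        return "trusted"
    # An untrusted host carrying the brand name in any label is a lookalike.
    if any("google" in label for label in host.split(".")):
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    # Domains from the article plus one constructed legitimate URL.
    for u in ("forms.google.ss-o[.]com",
              "id-v4[.]com/generation.php",
              "https://forms.google.com/constructed-path"):
        print(f"{u:45} naive={naive_match(normalize_host(u))!s:5} -> {classify(u)}")
```

The phishing hostname satisfies the naive prefix check yet is classified as a lookalike, because the labels that decide ownership are the rightmost ones.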
Indicators of Compromise
The identified indicators of compromise include specific domains used in this phishing operation. The domain id-v4[.]com has been flagged and subsequently taken down. In contrast, the domain forms.google.ss-o[.]com remains an active phishing domain, indicating that the threat actors may still be utilizing it or similar variations.
The ongoing nature of these phishing attacks underscores the importance of continuous vigilance and the adoption of robust cybersecurity practices. As cybercriminals evolve their tactics, users must remain informed and proactive in safeguarding their online accounts and personal information, especially when engaging with online job opportunities.

