BazaCall Phishing Scheme: The Deceptive Use of Google Forms

Recent reports from cybersecurity firm Abnormal Security have shed light on a sophisticated phishing strategy employed by the perpetrators of BazaCall attacks, utilizing Google Forms to enhance the credibility of their schemes.

BazaCall, also known as BazarCall, first came to light in late 2020. It involves phishing attacks where email recipients are deceived by fake subscription notices. These emails prompt users to contact a support desk to cancel or dispute a subscription plan, threatening charges ranging from $50 to $500 if they don't comply.

The attackers create a sense of urgency to trick the target into a phone conversation. During the call, they persuade the target to enable remote access through desktop software, ostensibly to assist in canceling the subscription, but instead, they establish control over the victim's system.

Popular services such as Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad are among those impersonated in these attacks.

In the latest iteration of this scam, Abnormal Security has observed the use of Google Forms. Attackers create a form to collect information about the fictitious subscription, with response receipts enabled. This feature sends a copy of the form's response to the respondent's email, allowing the attacker to personally send out the form and gather responses.

According to Mike Britton, a security researcher, the attackers use this technique to send the target what appears to be a payment confirmation for Norton Antivirus software. Google Forms is a deliberate choice: the receipts are sent from a Google domain, which is generally trusted and may pass through secure email gateways. Because Google Forms generates its URLs dynamically, the lure is also effective against standard security controls that rely on static analysis and signature-based detection.
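The receipt-abuse technique above can be caught on the mail-filtering side by looking not at the sender (which is genuinely Google) but at the lure content: a Google Forms receipt that combines an impersonated brand, a dollar charge and a phone number to call is not a normal survey confirmation. The following detector is an added example written for this article, not code from Abnormal Security; the receipt sender address `forms-receipts-noreply@google.com` and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string

# Sender that Google Forms uses for response receipts. This is an assumption
# made for the example, not a value taken from the article.
FORMS_RECEIPT_SENDER = "forms-receipts-noreply@google.com"
# Constructed lure markers mirroring the scheme described above: an impersonated
# brand, a dollar charge, subscription wording, and a number to call to cancel.
INDICATORS = {
    "impersonated_brand": re.compile(r"\b(norton|mcafee|netflix|hulu|disney\+?|masterclass|geek ?squad)\b", re.I),
    "dollar_charge": re.compile(r"\$\s?\d{2,3}(?:\.\d{2})?\b"),
    "subscription_lure": re.compile(r"\b(subscription|renew(?:al|ed)?|cancel|dispute|refund)\b", re.I),
    "callback_number": re.compile(r"\b(call|dial|contact)\b.{0,60}?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}", re.I | re.S),
}

def extract(raw):
    """Parse a raw RFC 822 message; return (lower-cased From header, subject plus text/plain bodies)."""
    msg = message_from_string(raw)
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return msg.get("From", "").lower(), "\n".join(parts)

def classify(raw):
    """Return (is_forms_receipt, names of lure indicators found in subject and body)."""
    sender, text = extract(raw)
    if FORMS_RECEIPT_SENDER not in sender:
        return False, []
    return True, [name for name, rx in INDICATORS.items() if rx.search(text)]

def is_callback_phish(raw):
    """The trusted google.com sender alone is not a finding; a charge plus a callback number plus one more marker is."""
    receipt, hits = classify(raw)
    return receipt and {"dollar_charge", "callback_number"} <= set(hits) and len(hits) >= 3

# Constructed sample shaped like the Norton "payment confirmation" lure.
LURE_RECEIPT = """From: Google Forms <forms-receipts-noreply@google.com>
Subject: Payment Confirmation - Norton Antivirus

Thank you for your response. Norton 360 annual subscription renewed. Amount charged: $349.99.
To cancel or dispute this charge, call (555) 010-2222 within 24 hours.
"""
# Constructed sample: a benign receipt for an internal survey, which must not be flagged.
BENIGN_RECEIPT = """From: Google Forms <forms-receipts-noreply@google.com>
Subject: Your response: Team lunch preferences

Thank you for your response. Preferred option: vegetarian.
"""
```

Because the receipt body is attacker-controlled free text, the markers are heuristics; in production they would feed a score alongside other signals rather than block on their own.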

In a related development, Proofpoint, another cybersecurity firm, has uncovered a phishing campaign targeting recruiters. This campaign, attributed to the threat actor known as TA4557, uses direct emails leading to a JavaScript backdoor called More_eggs.

TA4557, known for its skill and financial motivation, exploits legitimate messaging services and offers fake job opportunities via email to deploy the More_eggs backdoor. The attack chain involves the recipient responding to an email, followed by the actor sending a link to a fake resume website or an attachment with instructions to visit the website.

More_eggs, a type of malware-as-a-service, is also used by other notable cybercriminal groups, including Cobalt Group, Evilnum, and FIN6. Earlier, eSentire linked this malware to operators based in Montreal and Bucharest.
