Yet another way for spammers to worm their way into systems was uncovered Thursday by the researchers at Cisco Systems Inc.’ Talos Intelligence blog.

This time, it’s an exploit that involves abusing the quiz results feature of Google Forms. It is both clever and dastardly — clever, because the exploit is subtle and complicated. It involves using a series of online forms, starting  with the quiz template.

Its creator needs to choose the option to release grades later when the quiz is first set up, as seen in the accompanying screenshot. This makes the form collect email addresses from the quiz respondents. As we all know by now, valid and current email addresses are like catnip to spammers.

There are several other settings that have to be answered precisely, as the Talos researchers outline, which isn’t important but all is carefully documented in their blog post describing the exploit.

What happens, though, is that Google will be generating emails from its own infrastructure, emails that can include whatever phishing message the spammer desires, including web links. The emails come from whatever Google account created the form. That means these messages will likely pass muster and avoid any spam blockers, at least until Google figures out a way to block them in the future, which seems likely now that this quiz method has been documented.

The one tell here is the use of the words “score released” in the subject line of the initial phishing messages.

The researchers came across this exploit thanks to excessive queries of a suspicious domain entry as part of the phishing process. Eventually, victims will be delivered to an elaborate scam website where the destination cryptocurrency scam happens, using additional forms, text chats and other mechanisms to make the whole process more believable. Victims are led to believe they can go through this process to collect their “free” bitcoin. Obviously, this is not going to happen.

All of the elaborate digital paths however, were ineffective, not quite operable or didn’t pass the smell test. Talos researchers found no actual bitcoins were collected in the spammer’s wallet as of last week, although they found plenty of network traffic that led them on the trail of the attackers.

“The amount of setup work necessary to conduct a spam attack such as this, combined with the extraordinary attention to detail put into the social engineering for the subsequent cryptocurrency scam, demonstrates just how far cybercriminals will go when it comes to separating victims from even a small amount of money,” Jaeson Schultz wrote in the blog post describing the scheme.

Image: Bing Image Creator