UPDATED 09:56 EST / NOVEMBER 10 2023

SECURITY

New spam exploit vector abuses Google Forms’ quizzes

Yet another way for spammers to worm their way into systems was uncovered Thursday by the researchers at Cisco Systems Inc.’s Talos Intelligence blog.

This time, it’s an exploit that involves abusing the quiz results feature of Google Forms. It is both clever and dastardly — clever, because the exploit is subtle and complicated. It involves using a series of online forms, starting with the quiz template.

Its creator needs to choose the option to release grades later when the quiz is first set up, as seen in the accompanying screenshot. This makes the form collect email addresses from the quiz respondents. As we all know by now, valid and current email addresses are like catnip to spammers.

Several other settings also have to be configured precisely, as the Talos researchers outline. The details aren’t important here, but all of them are carefully documented in their blog post describing the exploit.

What happens, though, is that Google will be generating emails from its own infrastructure, emails that can include whatever phishing message the spammer desires, including web links. The emails come from whatever Google account created the form. That means these messages will likely pass muster and avoid any spam blockers, at least until Google figures out a way to block them in the future, which seems likely now that this quiz method has been documented.

The one tell here is the use of the words “score released” in the subject line of the initial phishing messages.
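A triage check built on that tell, as an added example rather than code from Talos or Google: it decodes the subject (including RFC 2047 encoded words), looks for “score released”, and lists link hosts outside Google. The sample messages, the `triage` function and the expected-host list are assumptions made for the illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

TELL = "score released"  # subject phrase named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Assumption: links to these hosts are expected in a genuine quiz-result mail.
EXPECTED_SUFFIXES = ("google.com",)

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def is_expected(host):
    return any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES)

def triage(raw):
    """Return decoded subject, whether the tell is present, and off-Google link hosts."""
    # policy.default decodes RFC 2047 encoded-word subjects, which a plain
    # substring match on the raw header text would miss.
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    normalized = " ".join(subject.casefold().split())  # case and spacing insensitive
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    hosts = {host_of(u) for u in URL_RE.findall(body)}
    external = sorted(h for h in hosts if h and not is_expected(h))
    tell = TELL in normalized
    return {"subject": subject, "tell": tell,
            "external_hosts": external, "review": tell and bool(external)}

# Constructed sample messages (not taken from the Talos report).
SAMPLES = {
    "encoded": "From: quiz-owner@example.com\n"
               "Subject: =?UTF-8?Q?Score_released=3A_Bonus_quiz?=\n\n"
               "View your result: https://claim.example/start\n",
    "google_only": "From: teacher@example.com\n"
                   "Subject: Score released: Chapter 4 quiz\n\n"
                   "View: https://docs.google.com/forms/d/e/EXAMPLE/viewscore\n",
    "benign": "From: a@example.com\nSubject: Lunch?\n\n"
              "Menu at https://cafe.example/menu\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Because legitimate quiz results carry the same subject phrase, the check routes a message to review only when the tell coincides with a link that leaves Google.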

The researchers came across this exploit thanks to excessive queries of a suspicious domain entry as part of the phishing process. Eventually, victims will be delivered to an elaborate scam website where the destination cryptocurrency scam happens, using additional forms, text chats and other mechanisms to make the whole process more believable. Victims are led to believe they can go through this process to collect their “free” bitcoin. Obviously, this is not going to happen.

All of the elaborate digital paths, however, were ineffective, not quite operable or didn’t pass the smell test. Talos researchers found no actual bitcoins were collected in the spammer’s wallet as of last week, although they found plenty of network traffic that led them on the trail of the attackers.

“The amount of setup work necessary to conduct a spam attack such as this, combined with the extraordinary attention to detail put into the social engineering for the subsequent cryptocurrency scam, demonstrates just how far cybercriminals will go when it comes to separating victims from even a small amount of money,” Jaeson Schultz wrote in the blog post describing the scheme.

Image: Bing Image Creator
