Cisco Talos recently discovered a substantial increase in spam messages sent via a specific feature within Google Forms quizzes, indicating a significant shift in cybercriminal techniques.
This new practice involves spammers misusing Google Forms’ “Release Scores” functionality, opening up a new channel for the dissemination of false messages.
The campaign’s distinctive twist is the exploitation of legal Google Forms functionality, which makes spam messages look to originate from Google itself, increasing the odds of arriving in victims’ inboxes.
The revealed spam campaign, characterized by Subject headers that include “Score released” demonstrates a previously untapped feature of Google Forms quizzes.
The attackers use this feature by generating quizzes, using victims’ email addresses, and then modifying the “Release Scores” feature to tailor and disseminate their false messages.
Victims in a recent case investigated by Cisco Talos got emails with the subject “Score released:”. When victims clicked on these emails, they were driven to a phony website, go-procoinwhu[.]top, via a painstakingly created false-form answer.
This website serves as the major point for an extensive cryptocurrency fraud in which victims allegedly possess over 1.3 Bitcoin gained through “automatic cloud Bitcoin mining.”
The scam is carried out in phases, beginning with a bogus login process on a false website. The site, which is intended to look real, contains features such as a group chat where people ostensibly debate cryptocurrency-related issues.
A closer inspection, however, finds repetitive remarks, indicating a lack of genuine user activity.
As the scam progresses, victims are routed to a “live” chat with an agent named “Sophia.” The chat leads to a page that requests personal information such as the victim’s name, email address, and desired mode of cashout.
Following the filing of the form, victims are requested to pay an “exchange fee” of 0.25%, which amounts to $64, in order to retrieve their alleged gains.
Victims are routed to a payment form, complete with a QR code for the scammers’ Bitcoin wallet, demonstrating the sophistication of this scam.
Fortunately, no victims had fallen victim to the ruse as of November 6, 2023, as the related Bitcoin wallet was discovered to be empty.
This complex spam campaign serves as a sobering reminder of the lengths to which fraudsters would go to rob victims of even minor sums of money. Users should exhibit care and skepticism when seeing intriguing offers online.
