Malware
December 14, 2023

BazarCall utilises Google Forms to add legitimacy to phishing emails

A recent surge in BazarCall attacks employs Google Forms to create and dispatch payment receipts to targets, aiming to enhance the credibility of the phishing scheme.

Initially identified in 2021, BazarCall is a phishing tactic that involves sending emails that mimic payment notifications or subscription confirmations from reputable entities such as security software providers, computer support services, streaming platforms, and other widely recognised brands.

The emails assert that the recipient is being automatically enrolled in a remarkably costly subscription and advise them to cancel it if they wish to avoid charges.

Instead of featuring a hyperlink to a website, the email traditionally provided a phone number for a purported customer service representative associated with the brand. Recipients could contact this agent to dispute charges or terminate the subscription.

An imposter, posing as customer support, answers the calls and deceives victims into installing malware on their computers through a misleading process.

The malware, known as BazarLoader, is, as its name suggests, a loader: a tool designed to install additional payloads on the victim's system.

Google Forms abuse

An email security firm has reported the discovery of a new iteration of the BazarCall attack that exploits Google Forms.

Google Forms, a free online tool, allows users to design custom forms and quizzes, integrate them on websites, and share them with others.

In this variant, the attacker crafts a Google Form containing fabricated transaction details, such as the invoice number, date, payment method, and additional information related to the enticing product or service.

They activate the "response receipt" feature, directing a copy of the completed form to the provided email address.

The attacker supplies the target's email address, so a Google server sends a copy of the completed form, which resembles a payment confirmation, to the target.

Given that Google Forms is a legitimate service, phishing emails using it will not be flagged or blocked by email security tools, ensuring their delivery to the intended recipients.

The added legitimacy is derived from the email originating from a Google address ("noreply@google.com").

Enclosed within the invoice copy is the threat actor's phone number, urging recipients to call within 24 hours of receiving the email to address any disputes, introducing an element of urgency.

While the report doesn't delve into the subsequent stages of the attack, it's worth noting that BazarCall has been previously employed to gain initial access to corporate networks, often culminating in ransomware attacks.
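Because the sender is genuine, a filter has to look at what the receipt says rather than where it came from. The sketch below is an added example, not code from the report or from any vendor: it flags a form receipt from a Google no-reply address only when it also carries billing language, a callback phone number and a deadline. The regexes, the `score_receipt` name and both sample messages are assumptions constructed for illustration, and it reads single-part plain-text messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real captures); the phone number is a placeholder.
SAMPLE_RECEIPT = """\
From: Google Forms <noreply@google.com>
To: target@example.com
Subject: Invoice #INV-00000 - Payment Confirmation

Invoice number: INV-00000
Payment method: Auto-debit
Product: Security Suite 1-year subscription
Amount: $499.99
To dispute this charge, call +1 (555) 010-0000 within 24 hours.
"""
SAMPLE_BENIGN = """\
From: Google Forms <noreply@google.com>
To: staff@example.com
Subject: RSVP: Team lunch

Thanks for filling out this form.
Attending: Yes
"""

# Heuristic patterns (assumptions, tune against your own mail flow).
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d")
BILLING_RE = re.compile(r"\b(invoice|subscription|payment|charge[sd]?|renewal)\b", re.I)
URGENCY_RE = re.compile(r"\bwithin\s+\d+\s+hours?\b", re.I)

def score_receipt(raw: str) -> dict:
    """Return each signal plus 'suspect', which is True only if all signals fire."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # multipart is skipped
    text = f"{msg.get('Subject', '')}\n{body}"
    # Keep only digit runs long enough to be a phone number, not an amount.
    phones = [m.group() for m in PHONE_RE.finditer(text)
              if 9 <= sum(c.isdigit() for c in m.group()) <= 15]
    signals = {
        "google_noreply_sender": domain == "google.com" and local.endswith("noreply"),
        "billing_language": bool(BILLING_RE.search(text)),
        "callback_number": bool(phones),
        "urgency": bool(URGENCY_RE.search(text)),
    }
    signals["suspect"] = all(signals.values())
    return signals
```

An ordinary form receipt such as the RSVP sample matches the sender check alone and is not flagged, which keeps the rule from quarantining legitimate Google Forms mail.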

Can this be prevented?

Cyber security companies play a pivotal role in addressing and mitigating the challenges posed by phishing attacks. These companies deploy advanced email security solutions that leverage cutting-edge technologies like artificial intelligence and machine learning to detect and thwart phishing attempts. By continuously updating their threat intelligence feeds, they stay ahead of evolving attack vectors. Cyber security firms provide comprehensive endpoint protection to prevent malware installation, conduct regular cybersecurity awareness training to educate employees, and implement robust incident response plans for swift action in case of a security breach. Through network security measures, advanced threat detection technologies, and tailored solutions, these companies contribute to strengthening an organisation's defences against a diverse range of cyber threats.

While no system is entirely immune, the multi-layered strategies employed by cyber security companies significantly enhance an organisation's resilience to cyber-attacks.

Want to find out more about how a cyber security company like Cybaverse can play a part in strengthening your cyber security posture? Take a look at our services on offer across our website.
