In a recent evolution of BazarCall phishing attacks, threat actors have adopted a new tactic by exploiting Google Forms to enhance the credibility of their phishing emails. BazarCall, initially identified in 2021, typically involves sending emails that mimic payment notifications or subscription confirmations related to well-known brands. Instead of providing a website link, the email historically included a phone number for a purported customer service agent, who, when contacted, deceived victims into installing malware, known as BazarLoader, on their systems through deceptive procedures.
The latest variant of the BazarCall attack involves the utilization of Google Forms, a legitimate online tool for creating custom forms and quizzes. In this approach, attackers craft a Google Form containing fictitious transaction details, such as invoice numbers, dates, payment methods, and other product or service information. By enabling the “response receipt” feature, a copy of the completed form is sent to the target’s email address from Google’s servers, creating the illusion of a genuine payment confirmation. Since Google Forms is a trusted service, email security tools may not flag or block these phishing emails, ensuring successful delivery to the intended recipients. The email, originating from a Google address (“noreply@google.com”), gains an added layer of legitimacy.
The phishing email includes a threat actor’s phone number, instructing recipients to call within 24 hours to dispute any transactions, adding an element of urgency. While the report doesn’t delve into the later stages of the attack, BazarCall has been historically associated with gaining initial access to corporate networks, often leading to more severe cyber threats such as ransomware attacks. This new tactic highlights the adaptability of cybercriminals who continually modify their techniques to exploit trusted platforms and maximize the success of their phishing campaigns. Organizations and individuals should remain vigilant against such evolving threats and prioritize cybersecurity measures to mitigate risks associated with deceptive tactics like BazarCall.
