Malicious cyber actors are exploiting Google Forms, the survey software, to launch attacks against individuals and organisations, new research has revealed.
According to an analysis from cyber security company Sophos, both entry-level scammers and advanced cyber criminals are abusing Google Forms to undermine user security.
Sophos researchers have identified seven ways in which the service is being exploited:
- Convincing potential victims to enter their credentials into a Google Form laid out to resemble a login page;
- Launching spam-based phishing campaigns that target Microsoft online accounts, including Office365;
- Stealing payment data through faked ‘secure’ e-commerce pages;
- Using potentially unwanted applications (PUAs) to target Windows users;
- Using malicious Android applications to capture data without having to code a back-end website;
- Using malicious Windows applications leveraging web requests to Google Forms pages to ‘push’ stolen data from computers to a Google spreadsheet; and
- Employing PowerShell scripts to scrape Windows profiling data from a computer and submit it to a Google Forms form automatically.
“The extent to which cyber attackers abuse Google Forms came to light while we were researching how malware abuses encryption to conceal its activities and communications,” Sean Gallagher, senior threat researcher at Sophos, said.
“Google Forms offer cyber attackers an attractive proposition: the forms are easy to implement and trusted by both organisations and consumers; the traffic to and from the service is secured with Transport Layer Security (TLS) encryption so it can’t be easily inspected by defenders; and the whole setup essentially provides a free attack infrastructure.
“Our analysis shows that while most abuse of Google Forms by cyber attackers remains firmly in the low-skill phishing and fraud spam space, there are increasing signs that adversaries are taking advantage of the platform for more sophisticated attacks.”
Gallagher warned that while Google frequently shuts down accounts associated with a mass abuse of applications, some activity could “stay under the radar”.
“Business defenders need to be alert to this threat and apply caution whenever they see links to Google Forms, or any other legitimate services trying to obtain credentials, and they should not inherently trust TLS traffic to ‘known good’ domains such as docs.google.com,” he said.
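One concrete way to act on that advice, as an added example that is not part of the Sophos research or this article: a small detector that scans web-proxy or EDR records for form submissions to docs.google.com made by something other than a browser, which is how the PowerShell and Windows-application exfiltration cases listed above would look at the network edge. The log format, process names and form IDs are constructed for the example; the `/formResponse` submission path is the one Google Forms uses, but treat it as an assumption to confirm in your own logs.

```python
import re
from dataclasses import dataclass

# Constructed log lines (not from the article): "<process> <method> <url> <user-agent>"
SAMPLE_LOG = """\
chrome.exe GET https://docs.google.com/forms/d/e/FORMID_A/viewform Mozilla/5.0 Chrome/120
powershell.exe POST https://docs.google.com/forms/d/e/FORMID_B/formResponse Mozilla/5.0 WindowsPowerShell/5.1
updater.exe POST https://docs.google.com/forms/d/e/FORMID_C/formResponse python-requests/2.31
chrome.exe POST https://docs.google.com/forms/d/e/FORMID_A/formResponse Mozilla/5.0 Chrome/120
outlook.exe GET https://mail.google.com/ Mozilla/5.0 Chrome/120
"""

# Submission endpoint of a published Google Form (assumed pattern; viewform is the page, formResponse the POST).
FORM_SUBMIT = re.compile(r"^https://docs\.google\.com/forms/d/e/[^/]+/formResponse")
# Processes we expect to submit forms interactively; anything else is worth a look.
INTERACTIVE_BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


@dataclass
class Finding:
    process: str
    url: str
    reason: str


def parse_line(line: str):
    """Split one constructed log record into (process, method, url, user_agent); None if malformed."""
    parts = line.split(" ", 3)
    return tuple(parts) if len(parts) == 4 else None


def find_suspicious_form_posts(log_text: str) -> list[Finding]:
    """Flag Google Forms submissions that did not come from an interactive browser.

    A human filling in a survey produces a browser POST; a script or dropped binary
    posting to formResponse is the 'push stolen data to a spreadsheet' pattern.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        process, method, url, user_agent = rec
        if method != "POST" or not FORM_SUBMIT.match(url):
            continue  # only form submissions matter here
        if process.lower() not in INTERACTIVE_BROWSERS:
            findings.append(Finding(process, url, "form submission from non-browser process"))
        elif "Mozilla/" not in user_agent:
            findings.append(Finding(process, url, "browser process with non-browser user agent"))
    return findings
```

Because TLS hides the POST body, the detection keys on who is talking to the endpoint rather than what is sent; pair it with a proxy that logs the URL path, not just the host.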