A recent phishing operation targets job seekers with counterfeit Google Forms pages that harvest login credentials. The scam relies on domain impersonation to lure victims into entering their Google account details.
Deceptive Techniques and Domain Impersonation
The attackers have set up a fraudulent domain that closely resembles the genuine Google Forms service. The hostname in use, forms.google.ss-o[.]com, is crafted to mimic the legitimate forms.google.com address; because the registrable domain is actually ss-o[.]com, the ‘forms.google’ prefix is merely a subdomain the attackers control. The ‘ss-o’ segment is designed to evoke ‘single sign-on,’ a method that lets users access multiple services with a single set of credentials, lending the fake site an air of authenticity.
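The impersonation described above works because a brand name placed in a subdomain says nothing about who owns the site; only the registrable domain does. The following is an added example, not code from the original report or from Malwarebytes, that classifies URLs by exactly that rule. It assumes a naive registrable domain of the last two labels (a real tool would consult the Public Suffix List so that e.g. co.uk suffixes are handled) and a small, assumed map of brand names to their legitimate domains.

```python
"""Flag hostnames that carry a brand label outside that brand's real domain.

Added example, not part of the original article. Assumption: the
registrable domain is approximated as the last two labels of the host,
which is wrong for multi-part suffixes such as co.uk; a production
checker should use the Public Suffix List instead.
"""
from urllib.parse import urlsplit

# Assumed allow-list: brand label -> registrable domains that may carry it.
# Every legitimate brand domain must be listed here or it will be flagged.
LEGIT_DOMAINS = {
    "google": {"google.com"},
    "linkedin": {"linkedin.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (naive approximation, see module doc)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the URL's host.

    'lookalike' means a known brand label appears in the hostname (as a
    whole label or embedded in one, e.g. 'accounts-google') while the host
    is not registered under one of that brand's legitimate domains.
    """
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    labels = host.split(".")
    for brand, domains in LEGIT_DOMAINS.items():
        if reg in domains:
            return "legitimate"
        # Brand appears as its own label (forms.google.ss-o.com) or inside a
        # non-TLD label (accounts-google.example.net): registrable domain is
        # someone else's, so the brand name is just decoration.
        if brand in labels or any(brand in lbl for lbl in labels[:-1]):
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs; the first reuses the hostname from the report.
    for u in ("https://forms.google.ss-o.com/viewform",
              "https://forms.google.com/d/example/viewform",
              "https://accounts-google.example.net/login",
              "https://example.org/jobs"):
        print(f"{classify(u):11} {u}")
```

This is the same comparison a password manager makes before autofilling: it matches the saved origin exactly rather than looking for a familiar word in the hostname. Internationalized (punycode) hostnames and homoglyphs are outside the scope of this check.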
Recipients of these phishing links, often delivered through targeted emails or LinkedIn messages, are directed to what initially appears to be a legitimate Google Forms page. The fake page promotes a job opening for a Customer Support Executive, prompting applicants to submit their name, email, and a justification for their suitability for the role.
Investigative Findings and Technical Setup
Malwarebytes analysts uncovered this campaign while exploring job-themed phishing attacks, shedding light on the scale of this credential-stealing operation. To hinder security researchers from examining their setup, the attackers employed redirect mechanisms that direct users to local Google search pages when suspicious URLs are accessed.
The phishing operators used a script named generation_form.php on their domain to generate a unique URL for each target, which lets them track which recipient followed which link. The counterfeit website mirrors Google Forms’ design, including official logos, color schemes, and disclaimers, misleading users into thinking the site is genuine.
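For a defender, the domains and the script name above are the indicators to look for in proxy or gateway logs. Below is an added example, not code from the original report, that sweeps a small set of constructed log lines for those indicators. The log format (timestamp, client IP, method, URL) is assumed for illustration; the indicator values are taken from the report as published, in defanged form, and re-fanged before matching.

```python
"""Sweep web-proxy log lines for the indicators named in the report.

Added example, not part of the original article. The log line format is
an assumption (timestamp client method url); adapt LINE_RE to your proxy.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as published (defanged). id-v4[.]com is reported as
# taken down, but historical hits are still worth finding.
IOC_DOMAINS = ["forms.google.ss-o[.]com", "id-v4[.]com"]
# The per-target link generator script: a weak indicator on its own, since
# the filename is generic, so it is reported separately from domain hits.
IOC_PATHS = ["/generation_form.php"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b'."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in IOC_DOMAINS}

# Constructed sample log; clients 10.0.0.7 and 10.0.0.9 should be flagged.
SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.0.0.5 GET https://forms.google.com/d/abc/viewform
2024-01-01T09:01:12Z 10.0.0.7 GET https://forms.google.ss-o.com/generation_form.php?id=1
2024-01-01T09:02:30Z 10.0.0.5 GET https://www.linkedin.com/jobs/
2024-01-01T09:03:45Z 10.0.0.9 GET https://cdn.id-v4.com/form
2024-01-01T09:04:00Z 10.0.0.9 GET https://example.com/generation_form.php
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def host_matches(host: str) -> bool:
    """True if host equals an IoC domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def flag_line(line: str) -> list:
    """Return the reasons a line matches, or an empty list if it is clean."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # unparseable line: skip rather than guess
    _ts, _client, _method, url = m.groups()
    parts = urlsplit(url)
    reasons = []
    if host_matches(parts.hostname or ""):
        reasons.append(f"ioc-domain:{parts.hostname}")
    if parts.path in IOC_PATHS:
        reasons.append(f"ioc-path:{parts.path}")
    return reasons


def sweep(log_text: str) -> list:
    """Return (client, url, reasons) for every matching line, in log order."""
    hits = []
    for line in log_text.splitlines():
        reasons = flag_line(line)
        if reasons:
            fields = line.split()
            hits.append((fields[1], fields[3], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in sweep(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```

A hit with only an ioc-path reason (the last sample line) deserves a look but not an automatic alert; a domain hit, or a domain hit combined with the generator path, identifies a client that reached the phishing infrastructure and whose Google credentials should be treated as exposed.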
Preventive Measures and Security Recommendations
Security experts advise several strategies to counter such phishing threats. Avoid clicking links in unsolicited job offers, regardless of how legitimate they appear. Password managers offer protection because they only autofill credentials on the exact domain they were saved for, so they stay silent on a lookalike site. Real-time anti-malware protection helps detect and block phishing attempts.
Organizations are encouraged to educate employees about identifying suspicious domains and to verify job opportunities through official channels. Enabling multi-factor authentication on Google accounts provides an additional security layer, thwarting unauthorized access even if credentials are compromised.
In terms of indicators of compromise, the domain id-v4[.]com has been taken down, while forms.google.ss-o[.]com remains an active phishing threat. Staying informed and vigilant is essential in the ever-evolving landscape of cyber threats.
