BazaCall Phishing Scammers Are Now Using Google Forms For Fraud

December 13, 2023 | Newsroom | Cyber Threat / Phishing Attack


The threat actors behind the BazaCall call-back phishing attacks have been observed using Google Forms to lend the scheme a veneer of credibility.

The method is an “attempt to increase the perceived authenticity of initial malicious emails,” cybersecurity firm Abnormal Security said in a report published today.

BazaCall (aka BazarCall), which was first observed in 2020, refers to a series of phishing attacks in which email messages pretending to be legitimate subscription notifications are sent to targets, urging them to contact a support desk to dispute or cancel the plan, or risk being charged anywhere between $50 and $500.

By inducing a false sense of urgency, the attacker convinces the target over a phone call to grant remote access using remote desktop software, and ultimately establishes persistence on the host under the guise of offering help to cancel the supposed subscription.

Some of the popular services that are impersonated are Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad.


In the latest attack variant found by Abnormal Security, a form created using Google Forms was used as a channel to share the details of the alleged subscription.

It is worth noting that the form has response receipts enabled, which sends a copy of the response to the form respondent via email, so that the attacker can send an invitation to complete the form themselves and receive the responses.

“Because the attacker enabled the response receipt option, the target receives a copy of the completed form, designed by the attacker to look like a payment confirmation for Norton Antivirus software,” said security researcher Mike Britton.

Using Google Forms is also clever because responses are sent from the address “forms-receipts-noreply@google(.)com,” which belongs to a trusted domain and therefore has a higher chance of bypassing secure email gateways, as evidenced by a recent Google Forms phishing campaign discovered by Cisco Talos last month.


“Also, Google Forms often uses dynamically generated URLs,” Britton explained. “The constantly changing nature of these URLs can evade traditional security measures that use static analysis and signature-based analysis, which rely on known patterns to detect threats.”
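Because the sender domain is trusted and the form URLs keep changing, a mail filter has to judge these receipts by their content instead. The following is an added example, not code from the article or from Abnormal Security: it flags Google Forms receipts whose body reads like a call-back billing lure. The phone-number format, billing vocabulary, scoring threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sender named in the article (refanged); the brand list is the article's own.
RECEIPT_SENDER = "forms-receipts-noreply@google.com"
BRANDS = ("netflix", "hulu", "disney+", "masterclass", "mcafee", "norton", "geeksquad")
# Assumed heuristics, not from the article: NANP phone format, billing vocabulary.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
AMOUNT_RE = re.compile(r"\$\s?(\d{1,4})(?:\.\d{2})?")
BILLING_RE = re.compile(r"\b(subscription|renew(?:al|ed)?|invoice|charged?|cancel|refund)\b", re.I)

# Constructed sample messages (not real mail): a lure-style receipt and a benign one.
LURE = ("From: Google Forms <forms-receipts-noreply@google.com>\n"
        "Subject: Payment confirmation\n\n"
        "Norton Antivirus: your subscription was renewed. Charged: $349.99.\n"
        "To cancel, call (800) 555-0142.\n")
BENIGN = ("From: Google Forms <forms-receipts-noreply@google.com>\n"
          "Subject: Team lunch RSVP\n\n"
          "Thanks for filling out Team lunch RSVP. Attending: yes, guests: 2.\n")


def body_text(msg):
    """Concatenate every text/* part so HTML-only receipts are scanned too."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_forms_receipt(raw):
    """Return (flagged, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != RECEIPT_SENDER:
        return False, []  # not a Forms receipt, so out of scope for this rule
    text = body_text(msg)
    checks = {
        "phone_number": bool(PHONE_RE.search(text)),
        "impersonated_brand": any(b in text.lower() for b in BRANDS),
        "charge_in_lure_range": any(50 <= int(a) <= 500 for a in AMOUNT_RE.findall(text)),
        "billing_language": bool(BILLING_RE.search(text)),
    }
    reasons = [name for name, hit in checks.items() if hit]
    # A call-back lure needs a number to call plus at least two supporting signals.
    return checks["phone_number"] and len(reasons) >= 3, reasons
```

The rule keys on the From header only to select receipts for content inspection; whether that header is authentic is a separate check (SPF/DKIM/DMARC results) that this sketch does not perform.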

Threat Actor Targets Recruiters With More_eggs Backdoor

The disclosure came as Proofpoint unveiled a new phishing campaign targeting recruiters with direct emails that ultimately lead to a JavaScript backdoor known as More_eggs.


The enterprise security firm attributed the wave of attacks to a “sophisticated, financially motivated threat actor” that it tracks as TA4557, with a track record of abusing legitimate messaging services and offering fake jobs via email to ultimately deliver the More_eggs backdoor.

“Specific to the attack chain that uses the new direct email technique, once the recipient responds to the first email, the actor is observed responding to a URL that links to a controlled website of the actor posing as a candidate’s resume,” Proofpoint said.


“Alternatively, the actor was observed responding with a PDF or Word attachment containing instructions to visit the fake resume website.”

More_eggs is offered as malware-as-a-service, and is used by other prominent cybercriminal groups such as Cobalt Group (aka Cobalt Gang), Evilnum, and FIN6. Last year, eSentire linked the malware to two operators from Montreal and Bucharest.
