chat
expand_more

BazarCall Attack Leverages Google Forms to Increase Perceived Credibility

Explore the intricacies of this BazarCall phishing attack that uses a Google Form for heightened authenticity.
December 13, 2023

If a communication channel or business tool can be utilized for nefarious purposes, cybercriminals will find a way to exploit itā€”often through social engineering. And as businesses and individuals navigate an increasingly interconnected world, understanding the myriad ways modern attackers can manipulate their targets is crucial.

One particularly sophisticated attack strategy is known as BazarCall or BazaCall (also referred to as call-back phishing). This attack type gained notoriety in 2020 due to its unorthodox method of distributing malwareā€”i.e., manipulating the victims to interact with the attackers through a simple phone call.

In this article, we dissect an especially complex BazarCall attack that incorporated the use of Google Forms to increase the appearance of legitimacy.

About BazarCall Phishing Attacks

BazarCall/BazaCall attacks typically start with a phishing email designed to appear as a payment notification or subscription confirmation from a known brand. Within the email, recipients can find the amount to be chargedā€”generally between $49.99 to $500 or more, depending on the subscription or service being impersonated.

Also included is a phone number they can contact to dispute the charges or cancel the subscription or service. This scenario creates a false sense of urgency for the recipient, compelling them to call the listed phone number.

Bazar Call Attack Pay Pal Invoice E

Example of a traditional BazarCall/BazaCall attack

During the phone call, the attacker, disguised as customer support, offers to provide instructions to the target on how to stop the impending charge. But since the goal of BazarCall attacks is to gain unauthorized access to an organizationā€™s assets, what the bad actor is actually doing is tricking the recipient into installing malwareā€”exposing the victimā€™s organization to future attacks.

BazarCall campaigns have involved the impersonation of a dozen different recognizable brands, including streaming services like Netflix, Hulu, and Disney+, online learning platforms like Masterclass, and security subscriptions like McAfee, Norton, and GeekSquad.

Abnormal recently came across a new variant of a BazarCall attack that uses Google Forms in an attempt to elevate the perceived authenticity of the initial malicious emails.

What Makes This Attack Unique

First, the attacker creates a Google Form and adds details about the fake transaction, including an invoice number and date, method of payment, and information about the product or service that was purportedly purchased.

Bazar Call Attack Example Google Form E

Example of Google Form with details similar to those used in the attack

The second step is to enable the response receipt option on the Settings tab. When activated, this feature will send a copy of the completed form to the email address entered into the first field. This is a key element of the attack, and weā€™ll explain why later in the article.

Bazar Call Attack Google Forms Settings E

Next, the attacker sends the invitation to complete the form to themselves.

Bazar Call Attack Send Form Pop up E

When the invitation arrives, the attacker clicks the Fill Out Form button, which opens the Google Form.

Bazar Call Attack Google Forms Email Invitation E

Then, they enter the targetā€™s email address in the ā€œYour emailā€ field and click Submit. Because the attacker enabled the response receipt option, the target will receive a copy of the completed form, which the attacker has designed to look like a payment confirmation for Norton Antivirus software.

Bazar Call Attack Malicious Google Form E

Actual email sent by threat actors as part of BazarCall attack

Because the email is sent directly from Google Forms, the sender address is forms-receipts-noreply@google[.]com, and the sender display name is "Google Forms.ā€ Not only does this contribute to the appearance of legitimacy, it increases the chances of the message being successfully delivered as the email is from a legitimate and trusted domain.

Why This BazarCall Attack Is Difficult to Detect

For several reasons, accurately detecting this email as a potential threat proves challenging for legacy email security tools like secure email gateways (SEGs).

First, there are no clear indicators of compromise, such as a malicious link or harmful attachment. The only links included in the email are hosted on google[.]com, a reputable and trusted domain. Further, Google Forms is a widely used and legitimate service for creating surveys, quizzes, and forms. The emails used in BazarCall attacks originate from a trustworthy source and may appear benign, making it challenging for SEGs to distinguish them from legitimate forms.

Additionally, Google Forms often use dynamically generated URLs. The constantly changing nature of these URLs can evade traditional security measures that utilize static analysis and signature-based detection, which rely on known patterns to identify threats.

Finally, SEGs may struggle to detect malicious intent in emails containing Google Forms links, especially if the behavior appears consistent with normal user interactions with legitimate forms.

Preventing BazarCall Attacks with Behavioral AI

Unlike secure email gateways, AI-native email security solutions apply the latest machine learning capabilities to correctly identify this email as an attack. Using behavioral AI and content analysis, a modern platform detects the impersonation of a brand and attempted phishing and accurately flags the email as malicious. By not just focusing on the sender or the presence of a payload link, an AI-powered email security platform can stop this attack before it reaches end users.

To see how Abnormal can help your organization block modern threats, reduce spend, and prevent emerging attacks, schedule a demo.

Schedule a Demo
BazarCall Attack Leverages Google Forms to Increase Perceived Credibility

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Proofpoint Customer Story Blog 8
A Fortune 500 transportation and logistics leader blocked more than 6,700 attacks missed by Proofpoint and reclaimed 350 SOC hours per month by adding Abnormal to its security stack.
Read More
B Gartner MQ 2024 Announcement Blog
Abnormal Security was named a Leader in the 2024 Gartner Magic Quadrant for Email Security Platforms and positioned furthest for Completeness of Vision.
Read More
B Gift Card Scams Tricker to Spot Blog
Learn why gift card scams are becoming more difficult to identify, how cybercriminals evolve their tactics, and strategies to protect your organization.
Read More
B Offensive AI 12 16 24
Learn how AI is used in cybersecurity, what defensive AI vs. offensive AI means, and how to use defensive AI to combat offensive AI.
Read More
B Proofpoint Customer Story Blog 7
See how Abnormal's AI helped a Fortune 500 insurance provider detect 27,847 threats missed by Proofpoint and save 6,600+ hours in employee productivity.
Read More
B Cyberattack Forecast Emerging Threats Blog
Uncover the latest email threats and strategies to strengthen your cybersecurity and prepare for 2025.
Read More