BazarCall Attack Leverages Google Forms to Increase Perceived Credibility

Explore the intricacies of this BazarCall phishing attack that uses a Google Form for heightened authenticity.
December 13, 2023

If a communication channel or business tool can be utilized for nefarious purposes, cybercriminals will find a way to exploit it—often through social engineering. And as businesses and individuals navigate an increasingly interconnected world, understanding the myriad ways modern attackers can manipulate their targets is crucial.

One particularly sophisticated attack strategy is known as BazarCall or BazaCall (also referred to as call-back phishing). This attack type gained notoriety in 2020 due to its unorthodox method of distributing malware—i.e., manipulating the victims to interact with the attackers through a simple phone call.

In this article, we dissect an especially complex BazarCall attack that incorporated the use of Google Forms to increase the appearance of legitimacy.

About BazarCall Phishing Attacks

BazarCall/BazaCall attacks typically start with a phishing email designed to appear as a payment notification or subscription confirmation from a known brand. The email states the amount to be charged, generally between $49.99 and $500 or more, depending on the subscription or service being impersonated.

Also included is a phone number they can contact to dispute the charges or cancel the subscription or service. This scenario creates a false sense of urgency for the recipient, compelling them to call the listed phone number.

Example of a traditional BazarCall/BazaCall attack

During the phone call, the attacker, disguised as customer support, offers to provide instructions to the target on how to stop the impending charge. But since the goal of BazarCall attacks is to gain unauthorized access to an organization’s assets, what the bad actor is actually doing is tricking the recipient into installing malware—exposing the victim’s organization to future attacks.

BazarCall campaigns have involved the impersonation of a dozen different recognizable brands, including streaming services like Netflix, Hulu, and Disney+, online learning platforms like Masterclass, and security subscriptions like McAfee, Norton, and GeekSquad.

Abnormal recently came across a new variant of a BazarCall attack that uses Google Forms in an attempt to elevate the perceived authenticity of the initial malicious emails.

What Makes This Attack Unique

First, the attacker creates a Google Form and adds details about the fake transaction, including an invoice number and date, method of payment, and information about the product or service that was purportedly purchased.

Example of Google Form with details similar to those used in the attack

The second step is to enable the response receipt option on the Settings tab. When activated, this feature will send a copy of the completed form to the email address entered into the first field. This is a key element of the attack, and we’ll explain why later in the article.

Next, the attacker sends the invitation to complete the form to themselves.

When the invitation arrives, the attacker clicks the Fill Out Form button, which opens the Google Form.

Then, they enter the target’s email address in the “Your email” field and click Submit. Because the attacker enabled the response receipt option, the target will receive a copy of the completed form, which the attacker has designed to look like a payment confirmation for Norton Antivirus software.

Actual email sent by threat actors as part of BazarCall attack

Because the email is sent directly from Google Forms, the sender address is forms-receipts-noreply@google[.]com, and the sender display name is "Google Forms." Not only does this contribute to the appearance of legitimacy, it also increases the chances of the message being successfully delivered, as the email is from a legitimate and trusted domain.

Why This BazarCall Attack Is Difficult to Detect

For several reasons, accurately detecting this email as a potential threat proves challenging for legacy email security tools like secure email gateways (SEGs).

First, there are no clear indicators of compromise, such as a malicious link or harmful attachment. The only links included in the email are hosted on google[.]com, a reputable and trusted domain. Further, Google Forms is a widely used and legitimate service for creating surveys, quizzes, and forms. The emails used in BazarCall attacks originate from a trustworthy source and may appear benign, making it challenging for SEGs to distinguish them from legitimate forms.

Additionally, Google Forms often use dynamically generated URLs. The constantly changing nature of these URLs can evade traditional security measures that utilize static analysis and signature-based detection, which rely on known patterns to identify threats.

Finally, SEGs may struggle to detect malicious intent in emails containing Google Forms links, especially if the behavior appears consistent with normal user interactions with legitimate forms.
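
Because sender reputation and link analysis say nothing useful here, a rule has to look at what the receipt says. The following triage heuristic is an added example, not Abnormal's detection logic or code from the original article: it flags Google Forms response receipts whose body reads like a billing notice with a call-back number. The sample message, regular expressions and threshold are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample: a Google Forms response receipt styled as a fake invoice.
SAMPLE = """\
From: Google Forms <forms-receipts-noreply@google.com>
To: user@example.com
Subject: Payment confirmation
Content-Type: text/plain; charset=utf-8

Thank you for your order. Invoice INV-0000 (constructed).
Product: Norton Antivirus, annual subscription. Amount charged: $349.99.
To dispute this charge or cancel, call +1 (555) 010-0199 within 24 hours.
"""

FORMS_SENDER = "forms-receipts-noreply@google.com"  # sender named in the article
# Brands the article lists as impersonated in BazarCall campaigns.
BRANDS = re.compile(r"\b(netflix|hulu|disney\+|masterclass|mcafee|norton|geek\s?squad)", re.I)
AMOUNT = re.compile(r"\$\s?\d{2,4}(?:\.\d{2})?")
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
BILLING = re.compile(r"\b(invoice|subscription|charged?|renewal|cancel|dispute|refund)\b", re.I)

def score_receipt(raw: str) -> dict:
    """Return per-signal booleans plus an overall 'flag' for one raw message.

    Assumes SPF/DKIM/DMARC were already evaluated upstream, so the From
    address can be trusted to identify a genuine Google Forms receipt.
    """
    msg = message_from_string(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0].addr_spec.lower() if addrs else ""
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part else ""
    signals = {
        "forms_receipt_sender": sender == FORMS_SENDER,
        "brand": bool(BRANDS.search(text)),
        "amount": bool(AMOUNT.search(text)),
        "phone": bool(PHONE.search(text)),
        "billing_terms": bool(BILLING.search(text)),
    }
    content_hits = sum(v for k, v in signals.items() if k != "forms_receipt_sender")
    # A call-back number is mandatory; require two more content signals with it.
    signals["flag"] = signals["forms_receipt_sender"] and signals["phone"] and content_hits >= 3
    return signals

if __name__ == "__main__":
    print(score_receipt(SAMPLE))
```

Treat a hit as a reason to quarantine for review rather than a verdict, since legitimate forms can also mention prices and phone numbers.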

Preventing BazarCall Attacks with Behavioral AI

Unlike secure email gateways, AI-native email security solutions apply the latest machine learning capabilities to correctly identify this email as an attack. Using behavioral AI and content analysis, a modern platform detects the impersonation of a brand and attempted phishing and accurately flags the email as malicious. By not just focusing on the sender or the presence of a payload link, an AI-powered email security platform can stop this attack before it reaches end users.

To see how Abnormal can help your organization block modern threats, reduce spend, and prevent emerging attacks, schedule a demo.
