The threat actors behind the BazaCall call back phishing attacks have been observed leveraging Google Forms to lend the scheme a veneer of credibility.
The method is an "attempt to elevate the perceived authenticity of the initial malicious emails," cybersecurity firm Abnormal Security said in a report published today.
BazaCall (aka BazarCall), which was first observed in late 2020, refers to a series of phishing attacks in which email messages impersonating legitimate subscription notices are sent to targets, urging them to contact a support desk to dispute or cancel the plan, or risk getting charged anywhere between $50 to $500.
By inducing a false sense of urgency, the attacker convinces the target over a phone call to grant them remote access capabilities using remote desktop software and ultimately establish persistence on the host under the guise of offering help to cancel the supposed subscription.
Some of the popular services that are impersonated include Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad.
In the latest attack variant detected by Abnormal Security, a form created using Google Forms is used as a conduit to share details of the purported subscription.
It's worth noting that the form has its response receipts enabled, which sends a copy of the response to the form respondent by email, so that the attacker can send an invitation to complete the form themselves and receive the responses.
"Because the attacker enabled the response receipt option, the target will receive a copy of the completed form, which the attacker has designed to look like a payment confirmation for Norton Antivirus software," security researcher Mike Britton said.
The use of Google Forms is also clever in that the responses are sent from the address "forms-receipts-noreply@google[.]com," which is a trusted domain and, therefore, have a higher chance of bypassing secure email gateways, as evidenced by a recent Google Forms phishing campaign uncovered by Cisco Talos last month.
"Additionally, Google Forms often use dynamically generated URLs," Britton explained. "The constantly changing nature of these URLs can evade traditional security measures that utilize static analysis and signature-based detection, which rely on known patterns to identify threats."
Over the past year, a Conti splinter group and extortion crew called Luna Moth (aka Silent Ransom Group) has adopted call back phishing as an initial access pathway, installing system management tools on victims' endpoints and using it to deploy other tools for data exfiltration.
Threat Actor Targets Recruiters With More_eggs Backdoor
The disclosure arrives as Proofpoint revealed a new phishing campaign that's targeting recruiters with direct emails that ultimately lead to a JavaScript backdoor known as More_eggs.
The enterprise security firm attributed the attack wave to a "skilled, financially motivated threat actor" it tracks as TA4557, which has a track record of abusing legitimate messaging services and offering fake jobs via email to ultimately deliver the More_eggs backdoor.
"Specifically in the attack chain that uses the new direct email technique, once the recipient replies to the initial email, the actor was observed responding with a URL linking to an actor-controlled website posing as a candidate resume," Proofpoint said.
"Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions to visit the fake resume website."
More_eggs is offered as malware-as-a-service, and is used by other prominent cybercriminal groups like Cobalt Group (aka Cobalt Gang), Evilnum, and FIN6. Earlier this year, eSentire linked the malware to two operators from Montreal and Bucharest.
