This sneaky malware hijacks Google Forms to demand money in nasty phishing scheme


A new version of BazarCall, a phishing attack designed to take money from victims, has been observed. This time it hijacks Google Forms to generate fake payment receipts that make the phishing emails look more legitimate.

The attack gets its name from the way it manipulates victims to engage with the threat actor, sometimes by means of a phone call.

The alert, raised by Abnormal Security, reveals the latest wave of BazarCall attacks after they first became popular in 2020.

Watch out for that strange receipt

The campaign begins with a phishing email that looks like a receipt for a payment or subscription. Abnormal Security says that supposed charges range from $49.99 to over $500 – pretty significant amounts that are designed to raise alarm bells for victims.

The group has been observed impersonating dozens of high-profile companies, including Netflix, Hulu, Disney+, McAfee, and Norton.

The sense of urgency pushed onto the victim then pressures them into calling a number displayed in the email to dispute the charge.

The attacker uses Google Forms to create a fake invoice, using details like invoice numbers, payment methods, and the product or service. They then enter the victim’s email address into one of the fields, which prompts a receipt to be sent to the victim.

This way, the email comes from a google.com domain, which improves its apparent legitimacy and helps it evade detection.
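Because the sender domain is genuine, a filter has to look at what the receipt says rather than where it came from. The sketch below is an added example, not code from Abnormal Security or Google: it scores a message on the traits the article describes (google.com sender, billing language, a dollar amount, one of the impersonated brands, a callback number). The function names, the phone pattern, the threshold and the sample messages (including the `sender@google.com` placeholder address) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRANDS = ("netflix", "hulu", "disney+", "mcafee", "norton")  # brands named in the article
BILLING_TERMS = ("invoice", "receipt", "payment", "subscription", "charge")
AMOUNT_RE = re.compile(r"\$\s?\d{2,4}(?:\.\d{2})?")
# Loose North American phone pattern; an assumption, tune per region.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def body_text(msg):
    """Concatenate every text/* part of the message, lowercased."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts).lower()

def score_receipt_lure(raw_message):
    """Return (score, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    text = msg.get("Subject", "").lower() + "\n" + body_text(msg)
    checks = {
        "sent_from_google_com": sender.endswith("@google.com"),
        "billing_language": any(t in text for t in BILLING_TERMS),
        "dollar_amount": bool(AMOUNT_RE.search(text)),
        "third_party_brand": any(b in text for b in BRANDS),
        "callback_number": bool(PHONE_RE.search(text)),
    }
    reasons = [name for name, hit in checks.items() if hit]
    return len(reasons), reasons

def is_suspect(raw_message, threshold=4):
    """Flag only when the google.com sender coincides with lure content."""
    score, reasons = score_receipt_lure(raw_message)
    return "sent_from_google_com" in reasons and score >= threshold

# Constructed samples: placeholder sender address and a 555 phone number.
SAMPLE_LURE = ("From: Google Forms <sender@google.com>\n"
               "Subject: Your invoice (constructed sample)\n\n"
               "Thank you for your Norton subscription. Amount charged: $49.99.\n"
               "To dispute this payment call (800) 555-0100.\n")
SAMPLE_BENIGN = ("From: Google Forms <sender@google.com>\n"
                 "Subject: Team lunch signup\n\n"
                 "Thanks for filling out the form. Your answer: vegetarian.\n")

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspect(raw), score_receipt_lure(raw))
```

A content score like this is a triage signal for review or quarantine, not a verdict; legitimate forms that collect payments will also match some of the checks.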

The goal is for the group to gain access to an organization’s assets by tricking the recipient into installing malware.

Abnormal Security says that legacy security tools like secure email gateways are no longer capable of keeping up with these more advanced attack methods. With it being 2023, it should come as no surprise that artificial intelligence is being suggested as the solution.

The company says that AI-native solutions would be able to use ML to identify this email as an attack. Clearly, more creative and novel attacks are demanding a revised approach to security as we know it today.

A Google spokesperson told TechRadar Pro in an email: "Workspace has numerous layers of defenses to keep users safe. We are aware of the recent phishing attacks using Forms, and while they appear to be isolated to a small number of users, we are working to improve detection."

They added that protecting users from malware and other malicious behavior is a top priority for the company, which has been using ML to detect and block phishing attacks.

Craig Hale
