A new version of BazarCall, a phishing attack designed to take money from victims, has been observed, this time hijacking Google Forms to generate fake payment receipts in order to make malicious phishing attacks look more legitimate.
The attack gets its name from the way it manipulates victims to engage with the threat actor, sometimes by means of phone call.
The alert, raised by Abnormal Security, reveals the latest wave of BazarCall attacks after they first became popular in 2020.
Watch out for that strange receipt
The campaign begins with a phishing email that looks like a receipt for a payment or subscription. Abnormal Security says that supposed charges range from $49.99 to over $500 – pretty significant amounts that are designed to raise alarm bells for victims.
The group has been observed impersonating dozens of high-profile companies, including Netflix, Hulu, Disney+, McAfee, and Norton.
The sense of urgency pushed onto the victim then pressures them into calling a number displayed in the email to dispute the charge.
The attacker uses Google Forms to create a fake invoice, using details like invoice numbers, payment methods, and the product or service. They then enter the victim’s email address into one of the fields which prompts a receipt to be sent to the victim.
This way, the email comes from a google.com domain, helping to evade detection by improving the sense of legitimacy.
The goal is for the group to gain access to an organization’s assets by tricking the recipient into installing malware.
Abnormal Security says that legacy security tools like secure email gateways are no longer capable of keeping up with these more advanced attack methods. With it being 2023, it should come as no surprise that artificial intelligence is being suggested as the solution.
The company says that AI-native solutions would be able to use ML to identify this email as an attack. Clearly, more creative and novel attacks are demanding a revised approach to security as we know it today.
A Google spokesperson told TechRadar Pro in an email: "Workspace has numerous layers of defenses to keep users safe. We are aware of the recent phishing attacks using Forms, and while they appear to be isolated to a small number of users, we are working to improve detection."
They added that protecting users from malware and other malicious behavior is a top priority for the company, which has been using ML to detect and block phishing attacks.
More from TechRadar Pro
- Discord is switching to temporary links to stop malware
- Downloaded something dodgy? Here’s our roundup of the best firewalls
- Boost your cybersecurity with the best endpoint protection
