Fake Google Forms Job Scam Harvesting Credentials
Overview
A phishing campaign is impersonating Google Forms to steal Google account credentials using fake job opportunity lures. Victims are directed to URLs resembling legitimate Google Forms pages (e.g., forms.google.ss-o[.]com) that generate personalized links and present a convincing form requesting personal details. Clicking “Sign in” redirects users to a credential-harvesting page hosted on a known phishing domain.
Masquerading adversary-in-the-middle (AiTM) credential harvesters continue to evolve and remain an effective method of initial access and credential theft. Organisations should continue strengthening and updating email policies and filtering controls. User awareness remains crucial for reporting and detecting these phishing attacks early.
Changes in Behaviour
This campaign shows increased sophistication through personalized phishing URLs, realistic Google Forms cloning, and redirection tactics that hide the payload from researchers.
Attackers leverage job-themed lures and likely distribute links via targeted email or LinkedIn outreach, aligning with ongoing trends exploiting remote work opportunities.
This aligns with a broader trend of actors using social engineering through job offers or advertisements to exploit user trust via trusted platforms such as Google and LinkedIn. Similar techniques have been observed in campaigns conducted by groups such as Lazarus, which have orchestrated sophisticated social engineering operations via LinkedIn.
Campaign Behaviour
Threat actors use domain impersonation and dynamic link generation to tailor phishing pages to individual victims. The fake form mimics Google branding and legal disclaimers to build trust, while the sign-in process redirects victims to a credential harvesting site.
Redirecting visits the operators deem suspicious (for example from researchers or automated scanners) to Google search pages helps the campaign evade detection and analysis.
Indicators of Compromise (IOCs)
- forms.google.ss-o[.]com
- id-v4[.]com (inactive)
- generation_form.php hosted on phishing infrastructure
- Fake Google Forms job application pages requesting Google sign-in credentials
Note: Assume additional infrastructure and IOCs may be in use.
Recommendations to Organisations and Defenders
Budosec is a solo-owned blog and is not sponsored by any vendors. The advice provided is vendor-neutral. Exact remediation steps will depend on your tooling; however, the guidance below applies broadly.
Detection Opportunities
See my GitHub for detection and hunting queries you can use for this campaign.
Initial indicators
- User reports suspicious email
- Clicks on shortened or suspicious URLs
- Navigation to domains with malicious or newly registered reputation
Further downstream indicators
- Anomalous sign-ins from unseen locations
- Impossible travel events
- Suspicious inbox forwarding rules created
- New MFA method or device added
Creating detections that correlate multiple events within a short timeframe is effective. Threat actors typically move quickly to establish persistence, expand access, and exfiltrate data.
Threat Hunting Guidance
Using DNSTwist, defenders can generate permutations of suspicious Google domains and perform a 90-day hunt across the environment (depending on log retention).
If using Microsoft Sentinel or similar platforms, run retrospective searches for these domains.
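As an added example (not code from this post or from its GitHub queries), the following Python script combines the two ideas above: a lookalike check that flags hosts placing a Google brand label in the subdomain of a non-Google registrable domain (the forms.google.ss-o[.]com pattern), and a 24-hour correlation between such a click and a downstream account change by the same user. The event format, allowlist, window and sample events are constructed assumptions, and the registrable domain is approximated as the last two labels, so multi-part suffixes such as co.uk would need a public-suffix list.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

BRAND_LABELS = {"google", "forms", "docs", "accounts"}
ALLOWLIST = {"google.com", "googleapis.com", "gstatic.com"}  # assumed legitimate registrable domains
DOWNSTREAM = {"inbox_rule_created", "mfa_method_added", "signin_new_location"}
WINDOW = timedelta(hours=24)  # correlation window, an assumption

def is_lookalike(host: str) -> bool:
    """Flag hosts that put a Google brand label in the subdomain of a non-Google
    registrable domain, e.g. forms.google.ss-o.com. Registrable domain is
    approximated as the last two labels (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return False
    if ".".join(labels[-2:]) in ALLOWLIST:
        return False
    return any(label in BRAND_LABELS for label in labels[:-2])

class Event(NamedTuple):
    ts: datetime
    user: str
    kind: str      # "url_click" or one of the DOWNSTREAM kinds
    detail: str    # hostname for clicks, free text otherwise

def correlate(events):
    """Pair each click on a lookalike host with downstream account changes by
    the same user inside WINDOW; returns a list of (click, follow_up) tuples."""
    hits = []
    for click in (e for e in events if e.kind == "url_click" and is_lookalike(e.detail)):
        for e in events:
            if (e.user == click.user and e.kind in DOWNSTREAM
                    and click.ts <= e.ts <= click.ts + WINDOW):
                hits.append((click, e))
    return hits

# Constructed sample events for demonstration (not real telemetry)
T0 = datetime(2025, 1, 10, 9, 0)
SAMPLE = [
    Event(T0, "alice", "url_click", "forms.google.ss-o.com"),
    Event(T0 + timedelta(hours=3), "alice", "inbox_rule_created", "forward to external"),
    Event(T0 + timedelta(hours=5), "alice", "mfa_method_added", "new authenticator"),
    Event(T0, "bob", "url_click", "docs.google.com"),            # legitimate host, ignored
    Event(T0 + timedelta(hours=1), "bob", "mfa_method_added", "new phone"),
    Event(T0, "carol", "url_click", "forms.google.ss-o.com"),
    Event(T0 + timedelta(days=3), "carol", "inbox_rule_created", "cleanup"),  # outside window
]
if __name__ == "__main__":
    for click, follow in correlate(SAMPLE):
        print(f"ALERT {click.user}: {click.detail} -> {follow.kind} ({follow.detail}) at {follow.ts}")
```

Running it prints two alerts for alice only; bob's legitimate Google host and carol's change outside the window produce nothing.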
If IOCs are found:
- Remove malicious emails from user inboxes
- Block associated domains and infrastructure
If click-through activity is observed, follow up with the user immediately to determine whether credentials were entered.
If Credentials Were Entered
If a user entered credentials into a suspected phishing or AiTM page, treat the account as compromised immediately:
- Force a password reset
- Revoke all active sessions and refresh tokens to invalidate stolen cookies
- Require reauthentication and re-register MFA methods
- Remove unrecognized devices or security info changes
- Review recent sign-ins for unfamiliar IPs, impossible travel, or anonymous proxy use
- Audit and remove suspicious inbox rules, OAuth app consents, and forwarding settings
- Check for data access anomalies and unauthorized downloads
- Instruct the user to report unexpected MFA prompts
- Monitor closely for follow-up activity or lateral movement attempts
Source: Malwarebytes GitHub