Cybercriminals are leveraging reputable cloud services to relay scam email messages to their victims while piggybacking on reputable cloud service to evade detection. Previously we reported a similar approach being used for sending phishing messages from the cloud and now we are observing a variety of Email scam messages like Nigerian 419 scams, inheritance scams, investment scams, and other unexpected money or unexpected winnings scams being routed to unwitting victims via the Google Forms service.
The Google Forms cloud software is a survey administration software that is part of the Google Docs Editor Suite. Google Forms enables users to create custom forms and send them via email to internal or external collaborators to collect information. The collected information is automatically entered into a spreadsheet.
We observed that these scam Email messages originated from Gmail addresses, and used the Google Forms theme. Analysis of the email headers, particularly the Message-ID structure, reveals that the email is sent using Google’s infrastructure (Message-ID: <*@google.com>), and not Gmail specifically (Message-ID: <*@mail.gmail.com). Several such scam messages targeting our customers were detected by our global spam sensors around mid-October 2020. Since then, the frequency of such scam email messages has increased. Stats from some of our spam sensors are shown here in Figure 1. Top trending “Subject” lines used by the scammers are shown in Figure 2. These scam messages used a variety of scam email themes, with one commonality amongst them i.e., a button to “Fill Out The Form” embedded at the end of the message body pointing to the actual form hosted on the Google Forms service.
Figure 2: Top trending subject lines are shown in this bar chart here. Notice the attention-grabbing themes including themes of Covid and use of WhatsApp/phone numbers to switch the scam to a voice call to make the scam more realistic
Unexpected money scam
One such scam email message is shown here in Figure 3. Note that in this case, the scammers registered a fake FedEx like email address on Gmail to carry out the scam. Also, note the Google Forms theme banner and button used in the message body. Another common attribute is that the scam message lures the victim to respond to a different email address, or a different person as a call to action.
Figure 3: Unexpected money scam routed through the Google Forms service. Note the scammer is luring the victim to reveal personal contact information. Also, note the use of a phone number and a separate email address to initiate one to one correspondence separately to scam the victim further.
This is a classic unexpected money scam where the victim is offered false hope of money under the guise of a rather convincing, seemingly legitimate story or scenario. Once the victim starts corresponding with the scammers, they collect his personal and financial information and often trick the victim into paying an upfront “transaction fee” or “bank charges” or “bribe” to receive the money. Once the victim pays the fee, the scammers disappear as their objective is achieved. These scams are also generally called advance fee scams or 419 scams. Some notable variants of these scams include the Nigerian 419 scams, Compensation/Re-imbursement scams and Inheritance scams. Some examples of these scams are shown here in Figure 4.
Nigerian 419 Scams
Another variation of the unexpected money scam is the Nigerian 419 scam. In these scams, the scammers lure victims by concocting stories or scenarios where the scammer poses as an influential person and requires the victim's help to retrieve or transfer funds or assets usually from Africa. As compensation, the scammers offer the victim a share or commission for their help. Willing victims are then asked for bank and personal details and asked to pay some fees to retrieve the compensation money. Some of these 419 scams circulated through Google Forms are shown here in Figure 5.
In inheritance scams, the scammers lure their victims by fabricating stories of access to an abandoned fortune of some deceased wealthy client. Here the victim is told that they are either the only living relative of the deceased client or share the same name as their legal next-of-kin, thus empowering them to claim the inheritance. Scammers then steal the victim’s personal and financial information and money under the guise of legal requirements and necessary fees or bribes. A couple of such inheritance scams circulated recently via Google Forms are illustrated here in Figure 6.
In these scams, the scammers often pose as lawyers or financial managers for wealthy investors or corporation and lure the victims by offering them opportunities to invest or help invest in the low-risk high return type of investments. The scammers will invent legitimate stories and even forge fake documents as evidence to convince the victims. Their goal is to steal personal and financial information (bank, credit cards, etc.). Such an investment scam email is illustrated here in Figure 7.
Dying widow scam
This scam is a type of Advance fee fraud. In the dying widow scam, the scammer lures the victim by inventing the story that the message is sent by a wealthy widow, having only a couple of weeks left to live due to an incurable disease and requires the victim’s help to donate her fortune for charity. Of course, there is no widow and no fortune. The scammer tricks the victim into sending them money in the form of “transfer fee” or “bank charges” or “bribe to pay a middle-man”. Dying widow scams routed through Google Forms are illustrated here in Figure 8.
They are another type of advance-fee scam also called meta-scams i.e. a scam message about scam messages. The scammers pose as law enforcement organizations offering compensation payments to scam victims. Victims are required to respond with some basic information and lured into sending money to the scammers under the guise of “transaction fee” or “bank charges” or “bribe to release the funds”. Once the victim pays the scammers to disappear. A compensation scam message routed through Google Forms is illustrated here in Figure 9.
Analysis of the Form
Clicking on the button in the email body leads to a very unusual Google form created by the scammers as shown in Figure 10. Note that the form is untitled and contains just a single question “Untitled Question” with a single radio button option “Option 1” followed by a submit button. Submitting this form after checking Option 1 does submit the form successfully but does not serve the scammer with any useful information other than “Option 1” was selected. For all the variety of scam messages that we analyzed as part of this campaign, we observed that this unusual form was consistently sent to all the victims regardless of the scam theme, sometimes with very minor modifications.
To understand the significance of this form and its association with the overall scam campaign, we decided to craft our own test scam message using the Google Form service. To create a form like this, all one requires is an active Gmail address and access to the Google Forms interface at https://docs.google.com/forms . We observed that clicking on a new form creates a default form that visually looks exactly as the one crafted by the scammers as shown in Figure 11 and circulated in the scam campaign. The form editor interface showing these default settings is illustrated here in Figure 12. This confirms that the form itself has no significance in this campaign and serves as a dummy, but the scammers are using the Google Forms service as a relay to send their scam emails to the victims.
To test this theory further, we crafted a lotto-prize scam message using the same default form interface and sent it to our test addresses as shown here in Figure 12.
The scam message received by the victim is shown here in Figure 13 and resembles the ones reported earlier and circulated in the scam campaign.
Although this Form is not really designed with any useful information, however, it still has the capability to log and report responses. We submitted this test form on behalf of the victim several times and noted that the responses “Option 1” were being logged in the Google Form dashboard shown below in Figure 14.
These responses can later be exported to a CSV file containing a timestamp.
Cybercriminals are always evolving their tools and tactics to deceive their victims. In this scam campaign, cybercriminals leveraged the capability of Google Forms to send scam email messages containing a link to a dummy form to their victims. While the dummy form has no value, however routing the scam message this way through the Google Form service might serve to evade IP and URL reputation layers in spam engines, as it is using a trusted infrastructure. We believe that in the future, the scammers might use the form to collect personal information from their victims.
We advise all customers and general email users to watch out for such scams. Always look at the "From address" field of the incoming email and ensure that it's not from an unknown or unsolicited account. Always be suspicious if somebody offers you unexpected money in the form of a donation, prize, inheritance, or an investment offer via email. Never send money or banking and credit card information to anyone you don’t trust via email. Also, avoid clicking on any buttons or links coming from such emails. Do the necessary due diligence before responding to any email and definitely do not respond to such scam messages.
Trustwave Secure Email Gateway successfully detects and blocks such scam messages using multi-layered detection technology.