Last Wednesday (20), Proofpoint Threat Research, a cybersecurity company, revealed that it discovered a scheme in which attackers used the Google Forms to bypass security filters and obtain information for future scams.  

What criminals do is send an email to an employee in which the subject field is filled in by the name of some important company executive - scam known as Business Email Compromise (BEC), in which someone impersonates an important figure for confidential information.

E-mail is sent by a completely random address. Photo: Proofpoint / Reproduction

In the body of the message, cybercriminals, politely, ask for help with a “quick task”, as they claim to be on their way to a meeting, hence the urgency - and also the lack of time to resolve the issue.  

Form does not have any information. Photo: Proofpoint / Reproduction

If the employee does not pay attention to the sender and clicks on the present link, he / she is directed to a Google. Apparently, it is a common page, above suspicion. What the attacker asks is for the user to click on the options as, for him, the form appears damaged or does not work correctly.  

Although it sounds like a primitive scam, criminals can get an idea of ​​what possible victims are likely to click on suspicious links received via email. It is believed that this approach serves to select targets for some activity not yet determined.  

Although the social engineering, a technique that uses persuasion skills to obtain information, is present in several different attacks, is used differently when it comes to malware e Phishing for credential theft.  


In the first case, for example, the approach and attempt to implement the threat is made at the first contact. On the other hand, at least that's what the researchers believe in this case, the idea of ​​social engineering can be used in all stages of the coup, making it much more difficult to detect.  

E-mails used 

Until then, the researchers found that the e-mails used are very basic, but that they pass through the spam filters of several inboxes, precisely because the big trick is in the form - which is sent through a link so it cannot be detected . See the list of identified addresses: 

  • fgtytgyf @  
  • cxodom @
  • athapril418 @
  • ftghmog4 @  
  • mrmichaelsoma2 @
  • songofsolomon247 @
  • chrislome4561 @
  • directcontact35 @ 
  • gloria011peleaz @
  • chrischunge67 @

With the disclosure of this information, the researchers hope that more people can be notified of the scheme and, consequently, do not click on the suspicious links.

Source: Proofpoint