Skip links

Google Forms abused in new COVID-19 phishing wave in the U.S.



COVID-19-themed phishing messages are once again spiking in the U.S. following a prolonged summer hiatus that appears to be over.

According to a report by email security company INKY shared with BleepingComputer before publication, the malspam volumes have doubled in September compared to the previous three months and are set to rise even more.

In the latest attacks, phishing emails impersonate  the U.S. Small Business Administration (SBA) and abuse Google Forms to host phishing pages that steal the personal details of business owners.

The SBA ran COVID-19 financial recovery programs in the past, which adds legitimacy to the campaign, especially for previous beneficiaries. However, the organization is currently not running any similar initiatives.

Business support grants

The lures used in the phishing emails are for pandemic financial support programs like the “Paycheck Protection Program”, “Revitalization Fund”, and “COVID Economic Injury Disaster Loan.”

The emails entice recipients to apply for the program by clicking on an embedded button that takes them to a Google Forms page.

The phishing email reaching business owners (INKY)

Abusing form builders is a common tactic for phishers, who take advantage of the free hosting, encrypted data traffic, and brand recognition and trustworthiness that come with them.

The phishing forms mimic the content SBA used in legitimate support programs, requesting the applicants to enter much of the same information.

First page of the phishing form (INKY)

This includes their Google account credentials, SSNs, EINs, State ID and driver’s license details, and bank account number.

Bottom of the phishing form (INKY)

Clicking on “Submit” siphons all data to the crooks while displaying a reassuring “Your response has been recorded” message.

How to spot fakes

As the northern hemisphere moves towards colder months, COVID-19 infections are expected to spike, and so is pandemic-themed phishing.

Business owners are advised to remain vigilant and treat all incoming messages offering financial support with suspicion, checking sender details, domains it links to, etc.

In this case, the phishing email content isn’t free of grammar errors that aren’t expected in genuine SBA communications.

At the same time, the capitalization of ‘GRANT’ throughout the email body is a clear sign of unprofessionalism, which is a big red flag.

Google Forms, which the threat actors abuse, contains a warning never to submit passwords on the platform, which is Google’s attempt to minimize the effects of the abuse they know takes place on its forms builder.

Finally, the SBA would not request that information be submitted on Google Forms but rather directly on their site.

Adblock test (Why?)