SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
BazarCall phishing scams employing Google Forms – report
Wed, 20th Dec 2023

Cyber security expert Mike Britton, Chief Information Security Officer (CISO) at Abnormal Security, recently highlighted a complex phishing scam that uses Google Forms to appear more legitimate. Known as a BazarCall or BazaCall attack (also called call-back phishing), this approach first gained notoriety in 2020 for its unconventional method of malware distribution.

These attacks usually commence with a phishing email masquerading as a payment notification or subscription confirmation from a familiar brand. Recipients discover the amount to be charged, typically within the range of $49.99 to $500 or more depending upon the subscription or service being impersonated. A phone number is included for recipients to potentially dispute the charges or cancel the subscription or service. This creates a false urgency for the recipient, coaxing them into calling the provided phone number.

The attacker, posing as a customer service representative, offers to give the victim instructions on stopping the supposed charge. However, the true aim of BazarCall attacks is to gain unauthorised access to an organisation's assets. To that end, the attacker tricks the recipient into installing malware, exposing the victim's organisation to future attacks.

Indeed, BazarCall campaigns have incorporated impersonations of a dozen recognisable brands, such as Netflix, Hulu, Disney+, Masterclass, McAfee, Norton and GeekSquad. Recently, Abnormal Security encountered a new variant of a BazarCall attack which uses Google Forms in a bid to enhance the perceived authenticity of the initial malicious emails.

When setting up the Google Form, the attacker includes details about the bogus transaction, such as an invoice number and date, payment method, and information about the product or service purportedly purchased. The attacker then enables the response receipt option in the Settings tab. With this option enabled, a copy of the completed form is sent to the email address entered into the first field of the form.

Following this, the attacker sends the invitation to complete the form to themselves. Opening the Google Form, they enter the target's email address in the 'Your email' field and click 'Submit'. Because the attacker enabled the response receipt option, the target will receive a copy of the completed form, which the attacker has designed to look like a payment confirmation for Norton Antivirus software.

As the email is sent directly from Google Forms, the sender address has the appearance of a legitimate and trusted domain. Alongside this, the sender display name is Google Forms. Unfortunately, this not only boosts the appearance of legitimacy, but also enhances the chances of the message being successfully delivered.

However, accurately identifying these emails as potential threats is challenging for legacy email security tools such as secure email gateways (SEGs). Chief among the reasons is the lack of clear indicators of compromise, like a malicious link or harmful attachment. Most links included in the email are hosted on, a reputable and trusted domain.

Sophisticated artificial intelligence (AI) has been employed to combat this tricky cybersecurity threat. AI-native email security solutions use the latest machine learning capabilities to accurately identify this type of email as an attack. Using behavioural AI and content analysis, the platform is able to detect the impersonation of a brand and attempted phishing, flagging the email as malicious. With AI at its core, such an email security platform aims to halt these attacks before they reach end users.
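As a much simpler illustration of content analysis than the AI platform described above, the following added example (not from the article or from Abnormal Security) scores a message on the signals the article lists: a "Google Forms" sender display name, an impersonated brand, a charge amount and a call-back phone number. The function names, the phone pattern and both sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands the article lists as impersonated in BazarCall campaigns.
BRANDS = ["netflix", "hulu", "disney+", "masterclass", "mcafee", "norton", "geeksquad"]
AMOUNT_RE = re.compile(r"\$\s?\d{2,4}(?:\.\d{2})?")
# Loose North American phone pattern (assumption; tune for your region).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.I)

def body_text(msg) -> str:
    """Concatenate every text/* part, decoding transfer encodings."""
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if not p.is_multipart() and p.get_content_maintype() == "text"]
    return " ".join(b.decode("utf-8", errors="replace") for b in parts)

def callback_phish_signals(raw: str) -> dict:
    msg = message_from_string(raw)
    display_name, _addr = parseaddr(msg.get("From", ""))
    text = body_text(msg)
    no_urls = URL_RE.sub(" ", text)  # digits inside links are not phone numbers
    return {
        "forms_sender": display_name.strip().lower() == "google forms",
        "brand": next((b for b in BRANDS if b in text.lower()), None),
        "amount": bool(AMOUNT_RE.search(no_urls)),
        "phone": bool(PHONE_RE.search(no_urls)),
    }

def is_suspected_callback_phish(raw: str) -> bool:
    # A form receipt that names a consumer brand, a charge and a number to
    # call is the combination the article describes; require all four.
    s = callback_phish_signals(raw)
    return bool(s["forms_sender"] and s["brand"] and s["amount"] and s["phone"])

# Constructed sample messages (addresses and numbers are placeholders).
SAMPLE_PHISH = """\
From: Google Forms <receipts@forms.example>
Subject: Invoice

Thank you for your Norton Antivirus renewal.
Invoice no: INV-0000  Amount charged: $349.99
To cancel or dispute this charge call +1 (555) 010-0199
"""
SAMPLE_BENIGN = """\
From: Google Forms <receipts@forms.example>
Subject: Team lunch survey

Thanks for filling out Team lunch survey. Your answer: Thursday
"""
```

Because none of these signals is a link or attachment, a rule like this complements URL and attachment scanning; on its own it will need tuning against legitimate form receipts.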