To lend their BazaCall callback phishing attacks an air of legitimacy, the threat actors behind them have been observed abusing Google Forms. The technique is an "attempt to elevate the perceived authenticity of the initial malicious emails," according to a report published today by cybersecurity firm Abnormal Security.
BazaCall, also known as BazarCall, is a term used to describe a group of phishing attempts that began in late 2020. The targets of these attacks receive emails pretending to be official subscription notices, advising them to dispute or cancel the plan immediately or face charges ranging from $50 to $500.
The lure contains no link or attachment, only a phone number. The attacker manufactures a sense of urgency so that the target calls that number, and then, over the phone, talks the victim into installing remote desktop software and granting remote access. Under the pretense of helping cancel the fictitious subscription, the attacker uses that access to establish persistence on the host.
Impersonated brands include Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad. The latest variant identified by Abnormal Security uses a form built with Google Forms as the vehicle for delivering the notice about the alleged subscription.
The key detail is that the form has response receipts enabled. With that option on, Google Forms emails a copy of the submitted answers to the address entered in the form. The attacker fills in the form with the target's email address, so it is the target, not the attacker, who receives the "receipt," and the content of that receipt is entirely under the attacker's control.
"As the attacker enabled the response receipt option, the target will receive a copy of the completed form, which the attacker has designed to look like a payment confirmation for Norton Antivirus software," said Mike Britton, a security researcher at Abnormal. A second benefit for the attacker is that the receipts are sent from a legitimate Google address, "forms-receipts-noreply@google[.]com," so sender reputation and authentication checks pass, increasing the likelihood of slipping past secure email gateways.
Furthermore, Britton added, “Google Forms frequently use dynamically generated URLs. The constantly changing nature of these URLs can evade traditional security measures that utilize static analysis and signature-based detection, which rely on known patterns to identify threats.”
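Because the sender is genuinely Google, blocking on the From address is not an option; the usable signal is the mismatch between a Forms receipt and what it contains. As an added example, not code from the Abnormal Security report, the following Python triage check parses two constructed messages (a lure and a benign survey receipt, both invented for this example; the subject lines, phone number and amounts are assumptions, not observed samples) and flags a receipt only when it arrives from the Forms receipt address and also carries a callback number together with a dollar amount or an impersonated brand name. The indicator lists are illustrative and would need tuning for a real mail flow.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample: a Google Forms response receipt abused as a BazaCall lure.
# Headers, subject, amount and phone number are invented for this example.
LURE_EML = """From: Google Forms <forms-receipts-noreply@google.com>
To: victim@example.com
Subject: Norton Antivirus - Payment Confirmation
Content-Type: text/plain; charset=utf-8

Thank you for your purchase of Norton 360 Deluxe. Your subscription has been renewed for $349.99.
If you did not authorize this charge, call +1 (800) 555-0142 within 24 hours to cancel and receive a refund.
"""

# Constructed sample: a legitimate receipt for an internal survey, used as a control.
BENIGN_EML = """From: Google Forms <forms-receipts-noreply@google.com>
To: employee@example.com
Subject: Team lunch preferences
Content-Type: text/plain; charset=utf-8

Thanks for responding. Here is a copy of your responses.
Preferred day: Thursday
Dietary restrictions: none
"""

# The address Google Forms uses for response receipts (from the report above).
FORMS_RECEIPT_SENDER = "forms-receipts-noreply@google.com"

# Brands named in the report as impersonated in BazaCall lures (illustrative list).
IMPERSONATED_BRANDS = ["netflix", "hulu", "disney+", "masterclass",
                       "mcafee", "norton", "geeksquad", "geek squad"]

# Loose North American phone number pattern; tighten or localise for production use.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"\$\s?\d{1,4}(?:\.\d{2})?")
URGENCY_WORDS = ["cancel", "refund", "within 24 hours", "did not authorize", "renew"]


def extract_indicators(raw: str) -> dict:
    """Parse a raw RFC 5322 message and collect the BazaCall-style indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg["Subject"] or "") + "\n" + body
    lowered = text.lower()
    return {
        "forms_receipt_sender": sender == FORMS_RECEIPT_SENDER,
        "brands": [b for b in IMPERSONATED_BRANDS if b in lowered],
        "phone_numbers": PHONE_RE.findall(text),
        "amounts": AMOUNT_RE.findall(text),
        "urgency": [w for w in URGENCY_WORDS if w in lowered],
    }


def is_bazacall_receipt(raw: str) -> bool:
    """True when a genuine Forms receipt reads like an invoice with a callback number.

    A real receipt echoes whatever the respondent typed, so the sender alone proves
    nothing. The combination of Google's receipt address, a phone number to call and
    either a charge amount or an impersonated brand is the pattern described above.
    """
    ind = extract_indicators(raw)
    return (ind["forms_receipt_sender"]
            and bool(ind["phone_numbers"])
            and (bool(ind["amounts"]) or bool(ind["brands"])))


if __name__ == "__main__":
    for label, sample in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        print(label, is_bazacall_receipt(sample), extract_indicators(sample))
```

The check deliberately does not look at URLs, since the report notes that Forms URLs are dynamically generated; a phone number in a message that otherwise claims to be a payment confirmation is the stable artefact a callback scam cannot do without.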
Hackers Target Recruiters with More_eggs Backdoor
The disclosure coincides with Proofpoint's report of a new phishing campaign that targets recruiters with direct emails and ultimately leads them to the More_eggs JavaScript backdoor.
The enterprise security company attributed the attack wave to TA4557, which it describes as a "skilled, financially motivated threat actor." TA4557 has a history of abusing legitimate job-messaging platforms and sending fake job offers by email to eventually deploy the More_eggs backdoor.
“Specifically in the attack chain that uses the new direct email technique, once the recipient replies to the initial email, the actor was observed responding with a URL linking to an actor-controlled website posing as a candidate resume,” Proofpoint stated.
“Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions to visit the fake resume website.”
More_eggs is sold as malware-as-a-service and has been used by well-known cybercriminal groups including FIN6, Evilnum, and Cobalt Group (also known as Cobalt Gang). Earlier this year, eSentire linked the malware to two operators based in Montreal and Bucharest.