Google impersonators target small US firms with COVID grant lure

COVID-related phishing scams are enjoying an unwelcome resurgence – and once again, the miscreants behind them are using trusted brands like Google as the bait, according to fresh research by INKY.

The cybersecurity analyst detected nearly 16,000 phishing attempts in September – as opposed to just over 6,000 the previous month and a similar number in July.

“We observed a welcome but short-lived decline in pandemic-related phishing emails this summer, before spiking to an annual high in September,” said INKY.

In its latest report, the cyber-analyst highlighted one campaign that spoofs free web-based software Google Forms, adding a veneer of legitimacy to a fake offer of COVID-relief money targeting small businesses still reeling from the pandemic.

“Even with the [legitimate] aid that was given, many small businesses are struggling in the face of inflation, supply-chain issues, depleted savings, hiring difficulties, and more,” said INKY. “Sadly, as these small business owners push forward, navigating the rough seas ahead, some could soon find themselves ensnared in the traps of a new COVID-19 phishing scheme.”

Screenshot of bogus email used by COVID fraudsters
Despite poor grammar and other obvious 'tells', the crooks behind this scam presumably hoped to trick small businesses with this bogus email.

Con artists, not wordsmiths

One notable thing about the latest scam uncovered by INKY is that – like most of its kind – it does not depend on clean, convincing grammar to dupe its victims.

The analyst shared the bogus email sent out by the conmen, purporting to be from the Small Business Administration (SBA) in the US. Though regarded by INKY as a “passable” example of its kind, the fake message contains syntax that would make any high-school teacher cringe.

It reads: “The US Small Business Administration federal disaster grants for working capital to small businesses and family’s [sic] suffering substantial economic injury as a result of the Corona-virus [sic] is offering designated states COVID-19 [sic].”

This initial hook is followed up by a pushy, salesy call to action, urging victims repeatedly in upper-case letters to apply for “COVID-19 GRANT MONEY.”

What seemed more impressive in INKY’s eyes was the Google Forms document to which dupes are then redirected – designed to capture their sensitive data, including social security number, driver’s license details, and bank account information.

“Any small business owner who had previously applied for legitimate loans and grants could be easily fooled by the form itself,” said the analyst. “The top of the form appears to be a cut-and-paste of a genuine COVID-19 grant message, and the questions which follow are very similar to those the SBA asks.”

“All of this information can easily be sold on the dark web or be used to quickly drain your bank account,” said INKY, adding that the cybercriminals were even brazen enough to leave in features such as Google’s “report abuse” button on the form.

Nor did the scammers’ sloppiness end there, according to the analyst: “Because this cybercriminal used a legitimate Google Forms survey to harvest credentials, there is a line populated just under the ‘submit’ button that says, ‘Never submit passwords through Google Forms.’ It’s not a good lesson to learn the hard way.”

Top half of Google Form, an authentic page
The Google Forms document starts innocuously enough, using the standard disclaimer printed by the authentic company.

Why Google works for crooks

Using genuine Google document software did confer some benefits to the conmen, however. “Abusing Google Forms is a clever phishing tactic for several reasons,” said INKY. “It’s trusted by both consumers and businesses, [and] bad actors can use Google’s infrastructure to host phishing content and harvest data for free.”

Google Forms is also useful for evading detection because the tech giant’s monolithic authority means its domain won’t be flagged in most threat intelligence feeds, hampering infosecurity efforts to intercept a scam sent using the application. Moreover, its high-quality encryption means that defenders cannot easily inspect such documents even if they do notice them.
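Because the Google domain itself will not appear in reputation feeds, a filter has to look at what the message claims and where its links lead. The Python example below is added here for illustration and is not INKY's logic or code from the report; the keyword lists, function names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed heuristics for illustration; not INKY's detection logic.
AGENCY_TERMS = ("small business administration", "sba")
LURE_RE = re.compile(r"\b(grant|relief)\b.{0,40}\b(money|funds)\b", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed sample messages (.example domains, placeholder form ID).
PHISH = """\
From: "SBA Grants" <grants@sba-relief.example>
Subject: COVID-19 GRANT MONEY

Apply for COVID-19 GRANT MONEY from the Small Business Administration:
https://docs.google.com/forms/d/e/CONSTRUCTED-FORM-ID/viewform
"""
BENIGN = """\
From: "Dana" <dana@partner.example>
Subject: Team lunch survey

Please fill in https://docs.google.com/forms/d/e/CONSTRUCTED-FORM-ID/viewform
"""

def is_google_form(url):
    u = urlparse(url)
    host = (u.hostname or "").lower()
    return host == "forms.gle" or (host == "docs.google.com" and u.path.startswith("/forms/"))

def findings(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    # From is spoofable; this only catches senders that do not even claim .gov.
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    found = set()
    if any(is_google_form(u) for u in URL_RE.findall(body)):
        found.add("google_forms_link")
    claims = any(re.search(rf"\b{re.escape(t)}\b", text) for t in AGENCY_TERMS)
    if claims and not domain.endswith(".gov"):
        found.add("agency_claim_from_non_gov_sender")
    if LURE_RE.search(text):
        found.add("grant_money_lure")
    return found

def is_suspicious(raw):
    # A Forms link alone is normal; combined with an agency claim it is not.
    return {"google_forms_link", "agency_claim_from_non_gov_sender"} <= findings(raw)
```

The benign message shows why a Forms link on its own cannot be the trigger: only the combination with an agency claim from a non-.gov sender is flagged.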

The facade of authenticity is completed by Google’s automated delivery confirmation, which sends the victim a genuine notification once they have submitted the completed form and thus delivered their sensitive data to the crooks behind the scam.

“Google Forms even helps the cybercriminals generate a final message, confirming their information was received – officially making them a victim of credential harvesting and brand impersonation,” said INKY.

The company adds that last year cybercrime involving “government impersonation” resulted in more than $142 million in losses. This year so far, more than 14,000 phishing emails that showed up on its radar featured links to “abused Google Forms pages.”

“Any portion of that could put a small business in ruins,” it said. “Imagine, working hard enough to pull your small business through an unprecedented global pandemic, only to have your company brought down by a phishing email.”

Bottom half of Google Form used to phish credentials
But the payload is never far away... subsequent fields in the Google Forms document are used by cybercriminals to capture sensitive data that can then be sold on dark web forums to other crooks.
