Scammers have found another way to abuse a legitimate cloud service to deliver spam and phishing messages to people’s inboxes.
This particular campaign, however, takes it a step further, as the attackers also deploy a fake AI chatbot in an attempt to steal people’s cryptocurrency.
The tactics were described as paying “extraordinary attention to detail” by cybersecurity researchers from Cisco Talos, who recently observed scammers abusing Google Forms to carry out the spam campaign.
Spamming for Bitcoin
Here’s how it works: First, they create a new Forms file. They choose the “make this a quiz” option. Then, they tweak two key settings: Release grades later, after manual review (which forces the quiz to collect email addresses), and “Responder input” under Responses (this allows the attacker to fill the form using the victim’s email address).
Now, Forms generates a link to the document, which the attackers access, fill it (the answers are irrelevant), and press “Release scores”. This prompts Forms to send an email notification to the victim – a message that can be fully customized before being shipped out.
The contents of the message may vary, but the goal is always the same – to trick people into thinking that a year ago, they logged into a Bitcoin cloud mining service and forgot about it. Now, they “mined” more than 1.3 bitcoin, which equals roughly $48,000. To withdraw the cash, the victims are first approached by a fake AI chatbot that helps them exchange the cryptocurrency for fiat currency (USD, for example), and later demands a small “exchange fee” of roughly $64, which should be paid in bitcoin, to an address shared by the chatbot.
Obviously, there is no Bitcoin and the money sent this way is forever lost. The good news is that by the time Cisco Talos’ researchers discovered the campaign, no one paid anything.