Spammers abuse Google Forms’ quiz to deliver scams

Spammers are exploiting the "Release scores" feature of Google Forms quizzes to deliver email. The emails originate from Google's own servers and consequently may have an easier time bypassing anti-spam protections and finding the victim's inbox. Volumes of these messages hovered near noise levels but have recently spiked into the hundreds.

Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms. In particular, spammers have discovered that they can create a new quiz in Google Forms, use the victim’s email address to respond to the quiz, and then abuse the “Release Scores” feature of the Google Form to deliver their spam to the victim. Because the spam messages emanate from Google itself, the messages have a good chance of landing in the victim’s inbox.

A histogram showing the volume of “Score released:” emails for the past two years.

Cisco Talos examined a recent spam campaign in which the Subject headers all contained the text, “Score released:”. During our investigation, we quickly realized these messages were being generated through a feature of Google Forms’ quizzes. Google Forms abuse has been present in spam attacks for several years, though our investigation showed that this particular feature of Google Forms quizzes was not very heavily abused to send spam until relatively recently.
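As an added example (not code from Talos), the check below looks for the "Score released:" Subject marker described above, counts matching messages per day, and flags days well above a baseline. The sample messages, addresses, dates, baseline and multiplier are constructed assumptions.

```python
from collections import Counter
from email import message_from_string, policy

MARKER = "score released:"  # Subject text reported for this campaign

def parse(raw):
    # policy.default decodes RFC 2047 encoded-words in headers
    return message_from_string(raw, policy=policy.default)

def is_score_release(msg):
    """True when the decoded Subject contains the campaign marker."""
    return MARKER in (msg["Subject"] or "").lower()

def daily_counts(raw_messages):
    """Count marker-bearing messages per day of the Date header (ISO date keys)."""
    counts = Counter()
    for raw in raw_messages:
        msg = parse(raw)
        date_hdr = msg["Date"]
        if is_score_release(msg) and date_hdr is not None and date_hdr.datetime:
            counts[date_hdr.datetime.date().isoformat()] += 1
    return counts

def spike_days(counts, baseline, factor=10):
    """Days whose volume exceeds factor * baseline; both are assumptions to tune."""
    return sorted(day for day, n in counts.items() if n > baseline * factor)

def sample(subject, date):
    # Constructed test mail, not real traffic
    return (f"From: sender@example.com\nTo: user@example.org\n"
            f"Subject: {subject}\nDate: {date}\n\nbody\n")

SAMPLES = (
    [sample("Score released: Quiz 1", "Mon, 06 Nov 2023 10:00:00 +0000")]
    + [sample(f"Score released: Offer {i}", "Tue, 07 Nov 2023 09:00:00 +0000")
       for i in range(11)]
    + [sample("=?UTF-8?Q?Score_released=3A_Prize_quiz?=",
              "Tue, 07 Nov 2023 09:30:00 +0000")]
    + [sample("Weekly report", "Tue, 07 Nov 2023 11:00:00 +0000")]
)

if __name__ == "__main__":
    counts = daily_counts(SAMPLES)
    print(dict(counts), spike_days(counts, baseline=1))
```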

Google Forms’ quizzes

In Google Forms, when creating a new form, an author can choose to “Make this a quiz.” Choosing to release grades “Later, after manual review,” enforces the collection of email addresses in the quiz.

An example Google Forms quiz is configured to release grades after manual review.

Elsewhere, under the settings for Responses, choosing “Responder input” allows a spammer to fill in their form using any victim’s email address.

An example form ..
