In a variation on the Google Forms e-mail spam wave I wrote about at the beginning of the year, cybercriminals are making use of other platforms and online signup forms to circumvent spam filters and spread their malicious links.
These scammers use a multitude of strategies to make use of legitimate services, domains and web servers instead of their own infrastructure, which would quickly get flagged as spam.
Some of them make use of the fact that a substantial number of websites don’t implement input validation on the “name” field of the form where users sign up for the web application. This gives criminals complete freedom over the content of the e-mail, including the ability to add malicious URLs, with varying rates of success…
Others make use of legitimate features in web applications that send out invites for groups, or reminder e-mails in project management software. Like this e-mail from Facebook (Meta):
Or this one from Atlassian:
Prevention
While total prevention may be hard to achieve without restricting features for normal users, there are measures that mitigate abuse of your web applications and domains. Proper input validation for the “Name” field is complex; as a first step, consider blocking input that contains URLs or domain names. Rate limits make it harder for cybercriminals to use invite or reminder features to send mass e-mails to potential victims.
Vigilance is key. Regularly monitor service usage, detect misuse, and promptly deploy countermeasures for the most effective strategy against abuse.
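As an added example (not code from the original post), the two measures above in Python: a first-pass check that refuses “name” values containing a URL or bare domain, including the defanged forms like “evil[.]example” that scammers use to slip past naive filters, and a sliding-window rate limiter for invite or reminder e-mails. The function and class names, the default limits and the rejection log are assumptions made for illustration.

```python
from __future__ import annotations

import re
import time
from collections import deque

# Hypothetical helper names; limits are illustrative defaults, not from the post.
_MAX_NAME_LEN = 100
_URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
# A bare domain: one or more labels, a dot, and a TLD of two or more letters.
_DOMAIN_RE = re.compile(
    r"\b[a-z0-9-]{1,63}(?:\.[a-z0-9-]{1,63})*\.[a-z]{2,}\b", re.IGNORECASE
)
# Common "defanging" spellings that a human reader still resolves to a dot.
_DEFANG_DOTS = ("[.]", "(.)", "{.}", " dot ")

# Rejections are kept so operators can spot abuse waves (see "Vigilance is key").
rejections: list[dict] = []


def _normalise(name: str) -> str:
    """Collapse defanged dots so 'evil[.]example' is checked as 'evil.example'."""
    out = name.strip()
    for token in _DEFANG_DOTS:
        out = out.replace(token, ".")
    return out


def name_is_acceptable(name: str) -> tuple[bool, str]:
    """Return (ok, reason). Refuses names carrying a URL or domain.

    This is the "block URLs and domains initially" measure only; it is not a
    full personal-name validator and will also refuse inputs like 'john.doe'.
    """
    candidate = _normalise(name)
    if not candidate:
        reason = "empty"
    elif len(candidate) > _MAX_NAME_LEN:
        reason = "too long"
    elif _URL_RE.search(candidate):
        reason = "contains URL"
    elif _DOMAIN_RE.search(candidate):
        reason = "contains domain"
    else:
        return True, "ok"
    rejections.append({"name": name, "reason": reason, "at": time.time()})
    return False, reason


class InviteRateLimiter:
    """Sliding-window limiter: at most `limit` outgoing invite/reminder e-mails
    per `window` seconds for each sender key (account id or client IP)."""

    def __init__(self, limit: int = 20, window: float = 3600.0) -> None:
        self.limit = limit
        self.window = window
        self._events: dict[str, deque] = {}

    def allow(self, key: str, now: float | None = None) -> bool:
        """Record one send attempt for `key`; False means the caller must refuse it."""
        now = time.monotonic() if now is None else now
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample inputs, the kind seen in the abused signup forms above.
    for sample in ("Jeroen", "Your account is blocked, see https://evil.example/login",
                   "Visit evil[.]example now"):
        print(repr(sample), "->", name_is_acceptable(sample))
    limiter = InviteRateLimiter(limit=3, window=60)
    print([limiter.allow("acct-1", now=t) for t in (0, 1, 2, 3, 61)])
```

The domain pattern is deliberately strict and will produce false positives for unusual real names; the post’s advice is to start there and tune from the rejection log rather than to ship this as the final rule.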
In my search for a more secure and private online presence I came across Incogni.
In today’s world, our personal information is scattered across the internet, making it vulnerable to cyber threats such as identity theft, cyberstalking, and phishing attacks. Cybercriminals can use this information to harm individuals and businesses, leading to financial loss and reputational damage. Sending out removal requests is often a time consuming task, especially because you don’t know which entities have data on you.
This is where Incogni comes in to help.
Incogni is a personal information removal service that contacts data brokers on your behalf and handles the removal process of your personal data.
The companies they contact include:
Marketing data brokers;
Recruitment data brokers;
Financial information data brokers;
Risk mitigation data brokers;
People search sites.
My experience was very positive. After filling in all my details and giving consent for sending out these requests they immediately began contacting companies and were transparent about the progress made.
They currently even have a 50% off deal (affiliate link):
In conclusion I would really recommend you check this service out! Or take a look at their blog posts that help you with doing this work for free yourself on:
Any opinions expressed in content on my blog are my own. Incogni doesn’t pay me for writing this article. However, any purchases through the above links could earn me a commission.
I believe in being transparent with my readers, and want to make sure you are aware of this arrangement. Please note that my affiliate partnerships do not impact my content in any way, and I will always provide honest and unbiased reviews and recommendations.
My goal is to provide you with useful and valuable content, and I appreciate your support in helping me achieve that goal. As always, if you have any questions or concerns, please don’t hesitate to reach out to me.
As we all know, fraudsters are always looking for new ways to scam victims out of their hard-earned money. Recently my honeypot inbox got flooded with e-mails claiming my account would be blocked.
The e-mails were coming from the official address Google uses to send a copy of form responses to users ([email protected]).
The links to “my personal account” abuse the Google open redirect functionality (more info). From there, multiple redirects follow, and sometimes a page with a fake Google captcha (just a clickable PNG linking to the next redirect) or a fake antivirus check (to mislead AV scanners or victims, I’m not really sure).
Most sites are hosted on servers in Russia, or hidden behind the Cloudflare proxy service. In the end the redirect chain opens a generic crypto scam, where they promise you huge amounts of money if you first pay them a small transaction fee or something similar.
In the end, they were just trying to bypass spam filters by using the “send copy of response” feature in the Google Forms software.
Google luckily acted really fast and took down the forms, and I suspect suspended accounts that were involved with this scam.
I feel like I should come to a conclusion, but the fact is that I have none. Stay safe out there and be a little bit more suspicious when you receive form responses in your inbox from forms you didn’t fill in.
If you have any questions, if I got something wrong, or if I forgot something: feel free to post a comment or contact me via http://jeroengui.be/contact
Most of us receive multiple phishing e-mails and text messages and come across malicious sites from time to time.
But what can we do to protect others from getting scammed?
Taking down the sites can be quite a long process, but first we can do other things to prevent people from accessing the malicious url by accident.
Microsoft Smartscreen and Google Safebrowsing:
These anti-phishing and anti-malware tools are built into most browsers and can therefore help the most people. They essentially hold a database of all the malicious sites and show a warning before the user enters the site.
If you don’t only want a warning before people enter the site but want the site to be gone from the World Wide Web, you can report the domain to the Registrar and report the site to the hosting provider or proxy service.
If you don’t know what the above terms mean, I will give you a short walk through.
Registrar:
Most sites have a domain name like “google.com” or “jeroengui.be”. Sometimes the domains are obfuscated to make them look legit. If you don’t know how to find the domain from a URL you can use this tool:
These are just some examples; just do a quick search on “whois search” and you will find a lot more. Or, you can install whois on your Linux installation and use the “whois *domainname.com*” command.
When using the whois command you can find the registrar and also often an e-mail where you can report abuse of their services. Just e-mail them explaining that you encountered the phishing site that you are trying to report. If you don’t find an e-mail in the whois you can also search on the registrars site for an abuse form.
To find the hosting provider (for Linux users): use the “host *domainname.com*” command, then run the whois command with the first IP address from the host output as its argument.
As with the registrar, you find an abuse e-mail or can look up the site of the hosting provider for an abuse e-mail or form.
Not every site is hosted directly by the company that you just reported to; sometimes it is just a proxy service like Cloudflare. Nonetheless, they need to take action, report the site to the actual host and stop providing the proxy service for the malicious site.
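The lookup steps above (domain from URL, whois on the domain for the registrar, host plus whois on the first IP for the hosting provider or proxy) as one added Python script. This is an example written for this page, not a tool from the post. It assumes the “whois” and “host” commands are installed; the function names, the output field labels it looks for (the common ones seen in registrar and RIR whois output) and the sample whois text are assumptions or constructed data.

```python
from __future__ import annotations

import re
import subprocess
import sys
from urllib.parse import urlsplit

# Constructed sample whois output (not a real record) used to exercise the parser offline.
SAMPLE_WHOIS = """\
Domain Name: PHISH-EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
"""


def domain_from_url(url: str) -> str:
    """Recover the hostname of a URL, seeing through common obfuscation:
    a missing scheme, a fake domain before '@' (user-info), ports, and
    defanged spellings such as 'hxxp' and '[.]'."""
    u = url.strip()
    u = re.sub(r"^hxxp", "http", u, flags=re.IGNORECASE)
    u = u.replace("[.]", ".").replace("(.)", ".")
    if "://" not in u:
        u = "http://" + u
    host = urlsplit(u).hostname or ""  # urlsplit discards user-info and port
    return host.rstrip(".").lower()


_FIELDS = {
    "registrar": re.compile(r"^\s*Registrar:\s*(.+)$", re.IGNORECASE | re.MULTILINE),
    "abuse_email": re.compile(
        r"^\s*(?:Registrar Abuse Contact Email|abuse-mailbox|OrgAbuseEmail):\s*(\S+)",
        re.IGNORECASE | re.MULTILINE,
    ),
    "abuse_phone": re.compile(
        r"^\s*(?:Registrar Abuse Contact Phone|OrgAbusePhone):\s*(\S+)",
        re.IGNORECASE | re.MULTILINE,
    ),
}


def abuse_contacts(whois_text: str) -> dict[str, str]:
    """Extract registrar/owner and abuse contact fields from whois output.
    Falls back to any e-mail address containing 'abuse' if no labelled field exists."""
    found = {k: m.group(1).strip() for k, rx in _FIELDS.items() if (m := rx.search(whois_text))}
    if "abuse_email" not in found:
        generic = re.findall(r"[\w.+-]*abuse[\w.+-]*@[\w.-]+\.[a-z]{2,}", whois_text, re.IGNORECASE)
        if generic:
            found["abuse_email"] = generic[0]
    return found


def _run(cmd: list[str]) -> str:
    """Run a lookup command and return its stdout (empty string on failure)."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def lookup(url: str) -> dict:
    """Registrar contacts for the domain, then owner contacts for its first IP.
    If the IP belongs to a proxy such as Cloudflare, that is who 'hosting' names."""
    domain = domain_from_url(url)
    report: dict = {"domain": domain, "registrar": abuse_contacts(_run(["whois", domain]))}
    ips = re.findall(r"has address (\S+)", _run(["host", domain]))
    if ips:
        report["ip"] = ips[0]
        report["hosting"] = abuse_contacts(_run(["whois", ips[0]]))
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(lookup(sys.argv[1]))  # needs network plus the whois and host commands
    else:
        print(domain_from_url("hxxps://google.com@login-verify[.]example:8443/acc"))
        print(abuse_contacts(SAMPLE_WHOIS))
```

Run it as `python3 report_lookup.py "https://suspicious.example/path"`; the printed dictionary gives the addresses to write to. Whois field names differ per registry, so check the raw output when a field comes back empty.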
Final note
After taking all these steps and often waiting for some days, the site will be gone, or the malicious content deleted. Sometimes no action will be taken, but don’t worry about it: you did everything you could to make the internet a safer place.
Thank you for taking a deep dive into the world of scam fighting with me. If all this seems a little bit much for you, you can still send any scam links, screenshots of SMS messages and forward any suspicious e-mail to [email protected]. I automated part of the above process and when I find the time I will complete the other part manually.
If you have any questions, if I got something wrong, or if I forgot something: feel free to post a comment or send me an e-mail on [email protected]