As we all know, fraudsters are always looking for new ways to scam victims out of their hard-earned money. Recently my honeypot inbox got flooded with e-mails claiming my account would be blocked.
The e-mails came from the official address Google uses to send users a copy of their form responses ([email protected]).
The links to “my personal account” make use of Google's open redirect functionality. From there the victim is sent through multiple redirects and sometimes lands on a page with a fake Google captcha (just a clickable PNG that links to the next redirect)
or a fake antivirus check (to mislead AV scanners or victims, I'm not really sure which).
Most of the sites are hosted on servers in Russia or hidden behind the Cloudflare proxy service. At the end of the redirect chain sits a generic crypto scam, where they promise you huge amounts of money if you first pay them a small transaction fee or something similar.
Ultimately they were simply bypassing spam filters by abusing the “send copy of response” feature of Google Forms: the mail is sent by Google's own infrastructure, and the link goes through Google's own redirect, so neither the sender nor the visible link domain looks suspicious.
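The mechanism described above can be checked mechanically: a form receipt that arrives from a google.com sender but whose links use the Google redirect to bounce off to a non-Google destination is exactly the pattern this campaign relies on. The script below is an added example written for this post, not the author's own tooling. It assumes the redirect has the form `https://www.google.com/url?q=<destination>` (the common shape of Google's redirect links), uses a placeholder sender mailbox (the real one is redacted above), and runs over a constructed sample message rather than a real capture.

```python
"""Flag Google Forms receipt mails whose links use Google's open redirect
to bounce the reader to a non-Google destination."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumption: form receipts come from a google.com mailbox. The exact address
# is redacted in the post, so only the sender domain is checked here.
TRUSTED_SENDER_DOMAIN = "google.com"

# Destinations a genuine Forms receipt may legitimately link to.
GOOGLE_DESTINATION_SUFFIXES = ("google.com", "forms.gle")

# Constructed sample message (not a real capture); the sender mailbox and the
# destination host are placeholders.
SAMPLE_EML = """\
From: Google Forms <forms-noreply@google.com>
To: victim@example.net
Subject: Your account will be blocked
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thanks for filling in <b>Account verification</b>. Here is your response:</p>
<p>Your account will be blocked within 24h. Verify here:
<a href="https://www.google.com/url?q=https://evil-redirect.example/step1&amp;sa=D">my personal account</a></p>
<p><a href="https://docs.google.com/forms/d/e/EXAMPLE/viewform">Edit your response</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags; attribute values are HTML-unescaped."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def redirect_target(url):
    """Return the q= destination if url is a Google /url redirect, else None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host in ("google.com", "www.google.com") and parts.path == "/url":
        target = parse_qs(parts.query).get("q")
        if target:
            return target[0]
    return None


def is_google_owned(url):
    """True when the host is one of the destinations a real receipt may use."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in GOOGLE_DESTINATION_SUFFIXES)


def extract_links(msg):
    """Links from the HTML body, falling back to bare URLs in a text body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    content = body.get_content()
    if body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(content)
        return collector.links
    return re.findall(r"https?://[^\s<>\"']+", content)


def analyse(raw_message):
    """Classify one raw RFC 822 message.

    Verdict is "suspicious" when the mail claims a google.com sender and at
    least one link bounces off the Google redirect to a non-Google host.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender = email.utils.parseaddr(str(msg["From"] or ""))
    sender_domain = sender.rpartition("@")[2].lower()
    links = extract_links(msg)
    external = []
    for link in links:
        target = redirect_target(link)
        if target and not is_google_owned(target):
            external.append(target)
    from_google = sender_domain == TRUSTED_SENDER_DOMAIN
    verdict = "suspicious" if (from_google and external) else "ok"
    return {
        "sender": sender,
        "from_google": from_google,
        "links": links,
        "external_targets": external,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The check deliberately keys on the combination: Google sender plus Google redirect plus foreign destination. Either half alone is normal (receipts do contain google.com redirect links, and the sender is genuine), which is precisely why the spam filter let these through.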
Luckily Google acted really fast and took down the forms, and I suspect it also suspended the accounts involved in this scam.
I feel like I should come to a conclusion, but the fact is that I have none. Stay safe out there and be a little more suspicious when you receive form responses in your inbox from forms you didn't fill in.
If you have any questions, if I got something wrong, or if I forgot something: feel free to post a comment or contact me via http://jeroengui.be/contact