As we all know, fraudsters are always looking for new ways to scam victims out of their hard-earned money. Recently my honeypot inbox got flooded with e-mails claiming my account would be blocked.

gmail screenshot showing bombarding of google forms scams

The e-mails were coming from the official address Google uses to send a copy of form responses to users ([email protected]).

google forms scam

The links to “my personal account” make use of the Google open redirect functionality (more info). Then there are multiple redirects, and sometimes a page with a fake Google captcha (that is just a clickable PNG, with the link to the next redirect)

fake google captcha

or a fake antivirus check (to mislead AV scanners or victims, I’m not really sure).

waiting page before redirect

Most sites are hosted on servers in Russia, or hidden behind the Cloudflare proxy service. In the end the redirect chain opens a generic crypto scam, where they promise you huge amounts of money if you first pay them a small transaction fee or something similar.

crypto scam screenshot

In the end, they were just trying to bypass spam filters by using the “send copy of response” feature in the Google Forms software.
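A triage check for the pattern described above, as an added example that is not part of the original post: it scans a mail body for links on a Google host whose query string carries a URL pointing somewhere other than Google, including percent-encoded variants. The sample body, the `/url?q=` link shape and the `.example` hosts are constructed assumptions, since the post does not show the actual links.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TRUSTED = "google.com"  # assumption: host family whose links get inspected

# Constructed sample body; none of these links come from the original post.
SAMPLE_BODY = """\
Your account will be blocked. Open your personal account:
https://www.google.com/url?q=https%3A%2F%2Fredirector.example%2Fgo%3Fid%3D1&sa=D
https://www.google.com/url?q=https%253A%252F%252Fscam.example%252Fclaim
https://docs.google.com/forms/d/e/FORM_ID/viewform?usp=https%3A%2F%2Fsupport.google.com%2F
"""

def host_of(url):
    """Lower-cased hostname of url, or '' when it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def is_trusted(host):
    return host == TRUSTED or host.endswith("." + TRUSTED)

def embedded_targets(url, max_decode=3):
    """Yield absolute URLs carried in url's query parameters,
    undoing up to max_decode extra layers of percent-encoding."""
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for _ in range(max_decode):
            if re.match(r"https?://", value, re.I):
                yield value
                break
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded

def suspicious_redirects(body):
    """Return (wrapper_url, destination_host) for trusted-host links
    that forward to a host outside the trusted family."""
    findings = []
    for url in URL_RE.findall(body):
        if not is_trusted(host_of(url)):
            continue
        for target in embedded_targets(url):
            dest = host_of(target)
            if dest and not is_trusted(dest):
                findings.append((url, dest))
    return findings

if __name__ == "__main__":
    for wrapper, dest in suspicious_redirects(SAMPLE_BODY):
        print(f"{dest} <- {wrapper}")
```

A hit only says the visible Google link forwards elsewhere; the rest of the redirect chain still has to be followed in a sandbox.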

Google luckily acted really fast and took down the forms, and, I suspect, suspended the accounts that were involved with this scam.

I feel like I should come to a conclusion, but the fact is that I have none. Stay safe out there and be a little bit more suspicious when you receive form responses in your inbox from forms you didn’t fill in.

If you have any questions, if I got something wrong, or if I forgot something: feel free to post a comment or contact me via http://jeroengui.be/contact