Crooks leverage Google quiz messages as part of bitcoin scam

Cybercriminals have devised a creative way to attempt to scam money from people: They use a feature of Google Forms quizzes to generate spam messages, researchers found.

Abuse of Google Forms — part of the company’s free Workspace suite — has been tracked for several years, but the use of a specific feature within quizzes is a recent trend, according to the cybersecurity firm Cisco Talos, which analyzed the operation.

In particular, spammers have discovered a way to create a new quiz in Google Forms, use the victim’s email address to respond to it, and then exploit the feature that releases the score of the quiz to send malicious emails. Whether the questions in the quiz are answered does not matter.

The spam messages can be customized to include any text or URL. Because the emails technically originate from Google itself, they have a good chance of landing in the victim’s inbox, bypassing anti-spam protections, researchers said.

Last month, Google Forms quizzes were used in an elaborate cryptocurrency scam, Cisco Talos said.

In this campaign, hackers used the quiz score email to direct recipients to an external website claiming that they could claim more than 1.3 bitcoin (about $46,000) as a result of “automatic cloud Bitcoin mining.”

The web domain was registered in late October but saw a significant increase in the number of queries, researchers said.

The website and its sign-in form look legitimate, featuring a pre-filled username and password for the potential victim. Additionally, there's a group chat feature on the website where users are purportedly discussing cryptocurrency-related topics. However, researchers observed that the users commenting in this chat are fake, recycling the same comments over and over.

Anyone who tries to claim bitcoin from the website is redirected to what looks like a live chat with an agent named Sophia. She collects the victims’ personal data and instructs them to pay an “exchange fee” of $64 in bitcoin to claim the final sum. The collection of this small fee appears to be the main goal of the campaign, researchers said.

So far, according to Cisco Talos, it appears that nobody has fallen for the scam and actually paid the attackers, as the connected bitcoin wallet was empty as of early November.

However, the amount of setup work necessary to conduct a spam attack like this, combined with the extraordinary attention to detail put into the social engineering, demonstrates just how far cybercriminals will go when it comes to extorting victims for even a small amount of money, researchers said.