Job scam uses fake Google Forms site to harvest Google logins

  • As part of our investigation into a job-themed phishing campaign, we came across several suspicious URLs that all looked like this: https://forms.google.ss-o[.]com/forms/d/e/{unique_id}/viewform?form=opportunitysec&promo=
  • The subdomain forms.google.ss-o[.]com is a clear attempt to impersonate the legitimate forms.google.com.
  • The “ss-o” is likely introduced to look like “single sign-on,” an authentication method that allows users to securely log in to multiple, independent applications or websites using one single set of credentials (username and password).
  • Unfortunately, when we tried to visit the URLs we were redirected to the local Google search website.
  • This is a common phisher’s tactic to prevent victims from sharing their personalized links with researchers or online analysis.
  • After some digging, we found a file called generation_form.php on the same domain, which we believe the phishing crew used to create these links.
  • The landing page for the campaign was: https://forms.google.ss-o[.]com/generation_form.php?form=opportunitysec
  • The generation_form.php script does what the name implies: It creates a personalized URL for the person clicking that link.
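
A defender-side check for the lookalike pattern described above, as an added example that is not part of the original article: it flags hostnames that begin with a trusted host's labels (such as forms.google.) but are not that trusted host. The allowlist, the function names and the EXAMPLE form path are assumptions made for this sketch.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hostnames users legitimately sign in through. This allowlist is an assumption
# for the example; extend it with the real variants used in your environment.
TRUSTED_HOSTS = ("forms.google.com", "accounts.google.com", "docs.google.com")


def hostname_of(url: str) -> str:
    """Refang a '[.]'-defanged URL and return its lowercase hostname ('' if none)."""
    url = url.strip().replace("[.]", ".")
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as the network location
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""


def impersonated_host(url: str) -> Optional[str]:
    """Return the trusted host this URL's hostname imitates, or None.

    A host is flagged when it begins with a trusted host's labels minus the
    TLD (e.g. 'forms.google.') but is not itself on the allowlist, which is
    the pattern of forms.google.ss-o[.]com.
    """
    host = hostname_of(url)
    if not host or host in TRUSTED_HOSTS:
        return None
    for trusted in TRUSTED_HOSTS:
        if host.startswith(trusted.rsplit(".", 1)[0] + "."):
            return trusted
    return None


# Constructed sample: two URL shapes from the article plus a legitimate form URL.
SAMPLE_URLS = [
    "https://forms.google.ss-o[.]com/generation_form.php?form=opportunitysec",
    "https://forms.google.ss-o[.]com/forms/d/e/{unique_id}/viewform?form=opportunitysec&promo=",
    "https://forms.google.com/forms/d/e/EXAMPLE/viewform",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(impersonated_host(u) or "ok", u)
```

The match is on the hostname only, so a trusted name that appears in the path or query string of an unrelated site is not flagged.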
