Job seekers are being targeted by a new phishing campaign that uses phony Google Forms websites to steal login information. The campaign deceives victims into disclosing their Google account information by using advanced domain impersonation techniques. A fake domain that closely resembles the authentic Google Forms service has been registered by attackers.

The phishing operation focuses on dubious URLs that try to mimic the authentic forms.google.com address by using the subdomain forms.google.ss-o[.]com. The "ss-o" part seems to be intended to mimic "single sign-on," an authentication technique that enables users to access numerous apps using a single set of login credentials. This astute naming decision gives the phony domain more legitimacy.
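A defender-side check for the naming trick described above, as an added example that is not from Malwarebytes or the original article: it flags hostnames where a trusted brand label appears only as a subdomain of a different registered domain. The trusted-domain set, the small suffix table (a stand-in for the Public Suffix List) and the sample URL paths are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Registrable domains the organisation trusts (assumption: extend for your environment).
TRUSTED_REGISTRABLE = {"google.com"}
# Constructed stand-in for the Public Suffix List; use the full list in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}


def refang(url: str) -> str:
    """Undo common defanging ("[.]", "hxxp") so reported indicators can be parsed."""
    return url.replace("[.]", ".").replace("hxxp", "http", 1)


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: the part of the name someone actually had to register."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the URL's hostname."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in TRUSTED_REGISTRABLE:
        return "trusted"
    # Labels to the left of the registrable domain are chosen freely by its owner.
    sub_labels = set(host[: len(host) - len(reg)].rstrip(".").split("."))
    brands = {d.split(".")[0] for d in TRUSTED_REGISTRABLE}
    return "lookalike" if brands & sub_labels else "unrelated"


def flag_lookalikes(urls):
    """Return only the URLs whose hostname borrows a trusted brand as a subdomain."""
    return [u for u in urls if classify(u) == "lookalike"]


# Constructed sample input: domains are from the article, paths are placeholders.
SAMPLE_URLS = [
    "https://forms.google.com/constructed-path",
    "forms.google.ss-o[.]com/constructed-path",
    "hxxps://id-v4[.]com/generation.php",
    "https://forms.google.com.example.co.uk/constructed-path",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify(u):10} {u}")
```

The credential-collection host id-v4[.]com is classified as unrelated because it does not borrow a brand name, so it has to be caught by an indicator blocklist instead of this check.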

These phishing links, sent to victims via targeted emails or LinkedIn messages, lead to what looks like a legitimate Google Forms page.

[Figure: Phishing Google Forms website (Source: Malwarebytes)]

The phony application asks candidates to submit their name, email address, and a statement of qualifications for a Customer Support Executive position. The scope of this credential harvesting operation was made clear by Malwarebytes analysts, who discovered this campaign while looking into phishing attacks with a work theme.

To stop security researchers from examining their infrastructure, the attackers put redirect mechanisms in place. Victims were taken to local Google search pages when they clicked on dubious URLs.

The Attack's Technical Infrastructure

To generate unique URLs for every victim, the phishing team installed a file called generation_form.php on their domain.

This script creates distinct links that follow specific targets. Official logos, color schemes, and the standard disclaimer that reads, "This content is neither created nor endorsed by Google," are all replicated on the phony website. When victims click the "Sign in" button, they are taken to id-v4[.]com/generation.php, which has been utilized in phishing campaigns for almost a year.

Security professionals advise a number of precautions. No matter how genuine they seem, never click on links in unsolicited job offers. Using a password manager offers protection, because it won't automatically fill in login information on phony websites.

Phishing attempts can be identified and prevented by putting real-time anti-malware solutions into practice. Employers should train staff members to spot dubious domains and confirm employment openings via official channels.

Adding multi-factor authentication to Google accounts increases security by preventing unwanted access even in the event that login credentials are stolen.

Compromise Indicators

Domain                      Status
id-v4[.]com                 Removed
forms.google.ss-o[.]com     Active phishing domain