With tax season in full flow, the world usually gets divided into two types of people - those that already finished filing their taxes months ago and are going about their usual business, and those that thrive on last-minute deadlines (I self-identify as the second type, though not with any great pride). Unfortunately, cybercriminals know how stressful tax season is, and pull out all the stops by launching email scams that crank the stress volume up to eleven.
In this blog, we’ll focus on a W2 tax email scam that used Typeform, a popular online survey and form-building service, within its attack flow. The attack aimed to harvest victims’ email account credentials.
Org mailboxes: ~1,000
Email security bypassed: Google Workspace email security
Techniques used: Social engineering, replicating existing workflows, exploiting free online software to create phishing pages, using security themes
A summary of the attack is presented below:
Fig: Summary of the W2 tax scam showing the attack flow
The email impersonated an automated file-sharing communication from OneDrive, informing victims that they had received a file. The email was sent from a Hotmail ID and was titled ‘RE: Home Loan’ followed by a reference number and the date, making it seem like the email was part of an ongoing conversation to lend it more legitimacy. It included links for the victims to go and access the file, with the name of the file - 2020_TaxReturn&W2.pdf - highlighted prominently in the email content.
A snapshot of the email is given below:
Fig: W2 tax scam email impersonating an automated OneDrive file-sharing communication
The Phishing Page
Clicking the email link takes victims to a credential-capture page built with Typeform. A blurred W2 document is shown in the background and victims are asked to enter their email account credentials before being granted access to the file.
Fig: Phishing page using Typeform
Entering fake email account information on this form throws up an error message that the password entered is invalid. We created a new email account and entered those credentials on the form, but the response was the same. Eventually, a message claiming ‘The document is secured’ is displayed on the screen alongside a statement that the user’s identity could not be verified.
Fig: Entering fake details throws up an error message on Typeform
The error messages are most likely deliberate: a victim who is told the password is invalid will keep retrying, often with credentials for other accounts, so the attackers collect as many account ID and password combinations as the victim is willing to enter. In reality, there is no W2 pot of gold at the end of this malicious rainbow.
Fig: The document is ‘locked’ after providing fake account details
Summary of techniques used
This email attack employed a gamut of techniques to get past native Google Workspace email security filters and pass the eye tests of unsuspecting end users.
- Social engineering: The email title, content, and context aimed to induce a sense of fear and urgency in the victims. By using tax and deadline-related anxieties that beset the best of us, attackers hope that victims click before they think.
- Using security themes: The email includes a link that says ‘Learn about messages protected by Office 365’ that leads to a real Microsoft-hosted page with security information. Attackers often include such signifiers in emails to lull victims into a false sense of security (no pun intended).
- Replicating existing workflows: The email impersonates an automated file-sharing message from OneDrive. We get tons of such emails everyday informing us that someone has shared files with us, someone has replied to our message, someone has commented on a document, and so on. When we see emails that seem similar (at first glance) to known email workflows, our brains tend to employ System 1 thinking and take quick action.
- Using a Hotmail domain: The email was sent from a real Hotmail account, so it passed SPF, DKIM, and DMARC checks. Those checks only prove that the message came from Hotmail’s infrastructure on behalf of that hotmail.com address; they say nothing about whether the sender is OneDrive. Attackers often send emails from newly created Gmail, Yahoo, and Hotmail IDs to circumvent filters and blocklists that block known low-reputation domains.
- Using Typeform to host phishing page: The phishing page in this attack was hosted on Typeform. Free online services like Typeform make our lives easier, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks. We have also observed attacks exploiting Google Firebase, Box, Webflow, and Google Forms in a similar manner.
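The indicators above (a brand display name on a consumer webmail address, a ‘RE:’ subject with no real thread behind it, a file-share lure whose link lands on a form builder, and an authentication pass that proves nothing about the impersonated brand) can be checked mechanically. The script below is an added example, not Armorblox’s detection logic and not code from the original post; the sample messages, addresses, reference number and Typeform path are constructed to mirror the attack described here, and the list of form-builder hosts is taken from the services named in this post.

```python
"""Flag the social-engineering indicators described in this post on a raw email.

Added example, not the product's detection logic. The two sample messages are
constructed: every address, reference number and URL path in them is made up.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands whose display name is borrowed for file-sharing lures.
IMPERSONATED_BRANDS = ("onedrive", "sharepoint", "microsoft", "office 365")
# Consumer webmail domains where any account holder's mail passes SPF/DKIM/DMARC.
CONSUMER_WEBMAIL = {"hotmail.com", "outlook.com", "live.com", "gmail.com", "yahoo.com"}
# Free form builders / hosting services this post lists as abused for phishing pages.
FORM_HOSTS = ("typeform.com", "docs.google.com", "forms.gle",
              "firebaseapp.com", "web.app", "webflow.io", "box.com")
LURE_TERMS = re.compile(r"\b(w-?2|tax\s*return|1099|irs)\b", re.I)


class _LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def analyze(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    links = []
    if body_part is not None and body_part.get_content_type() == "text/html":
        extractor = _LinkExtractor()
        extractor.feed(body)
        links = extractor.hrefs

    # 1. Display name says OneDrive/Microsoft, but the address is consumer webmail.
    if any(b in name.lower() for b in IMPERSONATED_BRANDS) and sender_domain in CONSUMER_WEBMAIL:
        findings.append(f"display name '{name}' on consumer webmail sender {sender_domain}")
    # 2. Subject pretends to be a reply, but there is no thread to reply to.
    if re.match(r"\s*(re|fw|fwd)\s*:", subject, re.I) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("subject claims a reply but no In-Reply-To/References header")
    # 3. The 'open file' link lands on a free form builder rather than the brand's domain.
    for href in links:
        host = (urlparse(href).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FORM_HOSTS):
            findings.append(f"link to form-builder host {host}")
    # 4. Tax-season lure vocabulary in subject or body.
    if LURE_TERMS.search(subject + " " + body):
        findings.append("tax/W2 lure keywords in content")
    # 5. An authentication pass only vouches for the signing domain, not the brand.
    m = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", str(msg.get("Authentication-Results", "")))
    if m and findings:
        findings.append(f"DKIM passed for {m.group(1)}, which does not vouch for the impersonated brand")
    return findings


# Constructed sample mirroring the attack in this post (all specifics made up).
SAMPLE = """\
From: "OneDrive" <homeloan.docs@hotmail.com>
To: payroll@example.com
Subject: RE: Home Loan Ref#000000 03/15/2021
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hotmail.com; dkim=pass header.d=hotmail.com; dmarc=pass header.from=hotmail.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have received a file: <b>2020_TaxReturn&amp;W2.pdf</b></p>
<p><a href="https://form.typeform.com/to/EXAMPLE">Open file</a></p>
<p><a href="https://www.microsoft.com/">Learn about messages protected by Office 365</a></p>
</body></html>
"""

# Constructed benign reply in a real thread, for comparison.
BENIGN = """\
From: "Alice Example" <alice@example.com>
To: payroll@example.com
Subject: Re: Home Loan
In-Reply-To: <20210315120000.abc@example.com>
Content-Type: text/plain; charset="utf-8"

Attached is the signed form, thanks.
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, analyze(raw))
```

Each finding on its own is weak (plenty of legitimate mail comes from Hotmail, and plenty of legitimate forms live on Typeform); the point is that the combination, especially a brand display name on a consumer webmail address together with a form-builder link, is what a human ‘eye test’ would catch and what a secondary filter can score on.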
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog got past the native email security controls of Google Workspace. While Google Workspace provides good protection against spam and known malware, organizations should layer on other technologies for better protection coverage against targeted email attacks like spear phishing, business email compromise, or 0-day credential phishing. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name and sender email address (a ‘OneDrive’ notification from a Hotmail address is a mismatch), the language within the email, and any logical inconsistencies such as a ‘RE:’ subject line for a conversation you never had.
3. Don’t assume that legitimate services equal a legitimate communication
This piece of advice is also difficult to enact in practice, given the crowded nature of our inboxes. However, try to be skeptical by default of any form that asks for your login credentials, even if the form is built using a legitimate service like Google or Typeform. These services are as easily available to cybercriminals as they are to the rest of us.
4. Follow MFA and password management best practices
Because workplace accounts are so closely interlinked, handing over the credentials to one of them can prove very dangerous: with your email account, cybercriminals can send emails in your name to trick your customers, partners, acquaintances, and family members, and any password reused elsewhere gives them those accounts too.
If you haven’t already, implement these hygiene best practices:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Use a unique password for every site and account; never reuse one across accounts.
- Use password management software to generate and store your account passwords.
- Avoid passwords that tie into your publicly available information (date of birth, anniversary date etc.) and generic passwords such as ‘password123’ or ‘YourName123’.
For more email security threat research, news, and industry guidance, sign up for email updates from Armorblox below. If you’d like to learn more about how Armorblox integrates with Google Workspace to stop targeted email attacks, go here.