A new phishing campaign in which threat actors are using a convincing fake version of Google Forms to steal Google account credentials.
Cybercriminals are once again exploiting a trusted brand Google to trick job seekers and steal their credentials.
The campaign’s malicious URLs all followed a similar structure:
https://forms.google.ss-o[.]com/forms/d/e/{unique_id}/viewform?form=opportunitysec&promo=
At first glance, these links appear to be legitimate Google Forms addresses. However, the domain forms.google.ss-o[.]com is fraudulent.
The inclusion of “ss-o” appears intentional, as it mimics “single sign-on” (SSO). This common authentication method allows users to log in to multiple platforms with one set of credentials.
Our latest investigation uncovered a phishing campaign that uses a fake version of Google Forms to harvest Google account logins under the guise of job applications.
Fake Google Forms Site
The technique is designed to make the domain look more convincing and trustworthy to unsuspecting victims.
When researchers attempted to visit these phishing URLs directly they were redirected to their local Google search page.
This is a known phishing evasion tactic: the URLs are customized to work only once, preventing security analysts from easily sharing or analyzing the link after it has been used.
Further examination of the same domain revealed a file named generation_form.php, located at:
https://forms.google.ss-o[.]com/generation_form.php?form=opportunitysec.
This script likely generates personalized phishing URLs for potential victims, ensuring each link looks unique and harder to trace.
Once a targeted user accesses their personalized URL, they are taken to a counterfeit Google Forms page designed with remarkable attention to detail.
The fake web page mimics Google’s official design with identical color schemes, logos, and “legal” disclaimers.
The form even contains the usual Google Forms message that warns users not to submit passwords an ironic touch meant to build false confidence. Behind this disguise, the form offers a seemingly legitimate job opportunity titled:
Applicants are asked to fill in fields for their full name, email address, and a short essay on why they should be selected for the position.
The “Sign in” button, however, redirects to a separate phishing domain: id-v4[.]com/generation.php, a site already known to host Google credential-stealing campaigns over the past year.
Once victims enter their credentials, threat actors gain immediate access to their Google accounts, which can later be abused for identity theft, financial fraud, or spreading malware through compromised inboxes.
The “job offer” lure strongly suggests the campaign is being distributed via targeted phishing emails or LinkedIn messages aimed at individuals seeking remote work.
How to Stay Safe
Phishing attacks that exploit career-related opportunities continue to rise. Users can protect themselves by following these safety practices:
- Avoid clicking links or attachments in unsolicited job offers or messages from unknown senders.
- Always verify the domain name before entering login credentials. Legitimate Google Forms URLs end with google.com, not look-alike variations.
- Use a password manager; it will recognize legitimate sites and refuse to auto-fill credentials on fake ones.
- Keep a real-time anti-malware solution with web protection active. Tools like Malwarebytes Premium and Malwarebytes Scam Guard can automatically flag dangerous links.
Job-themed phishing remains a lucrative vector for attackers because it preys on people’s ambitions and trust in well-known platforms like Google. Awareness and careful link inspection remain your best defense.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
