{“lastseen”:”2026-02-18T14:25:24″,”description”:”As part of our investigation into a job-themed phishing campaign, we came across several suspicious URLs that all looked like this:\\n\\n`https:\/\/forms.google.ss-o[.]com\/forms\/d\/e\/{unique_id}\/viewform?form=opportunitysec\\u0026promo=`\\n\\nThe subdomain `forms.google.ss-o[.]com` is a clear attempt to impersonate the legitimate forms.google.com. The \\”ss-o\\” is likely introduced to look like \u201csingle sign-on,\u201d an authentication method that allows users to securely log in to multiple, independent applications or websites using one single set of credentials (username and password).\\n\\nUnfortunately, when we tried to visit the URLs we were redirected to the local Google search website. This is a common phisher\u2019s tactic to prevent victims from sharing their personalized links with researchers or online analysis.\\n\\nAfter some digging, we found a file called `generation_form.php` on the same domain, which we believe the phishing crew used to create these links. The landing page for the campaign was: `https:\/\/forms.google.ss-o[.]com\/generation_form.php?form=opportunitysec`\\n\\nThe `generation_form.php` script does what the name implies: It creates a personalized URL for the person clicking that link.\\n\\nWith that knowledge in hand, we could check what the phish was all about. Our personalized link brought us to this website:\\n\\nFake Google Forms site\\n\\nThe greyed out \\”form\\” behind the prompt promises:\\n\\n * We’re Hiring! Customer Support Executive (International Process)\\n * Are you looking to kick-start or advance your career\u2026\\n * The fields in the form: Full Name, Email address, and an essay field \u201cPlease describe in detail why we should choose you\u201d\\n * Buttons: \u201cSubmit\u201d and \u201cClear form.\u201d\\n\\n\\n\\nThe whole web page emulates Google Forms, including logo images, color schemes, a notice about not \u201csubmitting passwords,\u201d and legal links. At the bottom, it even includes the typical Google Forms disclaimer (\u201cThis content is neither created nor endorsed by Google.\u201d) for authenticity.\\n\\nClicking the \u201cSign in\u201d button took us to `https:\/\/id-v4[.]com\/generation.php`, which has now been taken down. The domain id-v4.com has been used in several phishing campaigns for almost a year. In this case, it asked for Google account credentials.\\n\\nGiven the \u201cjob opportunity\u201d angle, we suspect links were distributed through targeted emails or LinkedIn messages.\\n\\n## How to stay safe\\n\\nLures that promise remote job opportunities are very common these days. Here are a few pointers to help keep you safe from targeted attacks like this:\\n\\n * Do not click on links in unsolicited job offers.\\n * Use a password manager, which would not have filled in your Google username and password on a fake website.\\n * Use an up to date, real-time anti-malware solution with a web protection component.\\n\\n\\n\\nPro tip: Malwarebytes Scam Guard identified this attack as a scam just by looking at the URL.\\n\\n## IOCs\\n\\nid-v4[.]com\\n\\nforms.google.ss-o[.]com\\n\\nBlocked by Malwarebytes\\n\\n* * *\\n\\n**We don ‘t just report on scams\u2014we help detect them**\\n\\nCybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we\u2019ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.”,”published”:”2026-02-18T12:22:22″,”modified”:”2026-02-18T12:22:22″,”type”:”malwarebytes”,”title”:”Job scam uses fake Google Forms site to harvest Google logins”,”source”:””,”references”:””,”id”:”MALWAREBYTES:1335B3D719E0A34DEC79C0CBFF0F266E”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/scams\/2026\/02\/job-scam-uses-fake-google-forms-site-to-harvest-google-logins”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-18T14:25:24″,”description”:”As part of our investigation into a job-themed phishing campaign, we came across several suspicious URLs that all looked like this:\\n\\n`https:\/\/forms.google.ss-o[.]com\/forms\/d\/e\/{unique_id}\/viewform?form=opportunitysec\\u0026promo=`\\n\\nThe subdomain `forms.google.ss-o[.]com` is a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-41329","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n