According to researchers, fraudsters are abusing Google Forms via phishing campaigns that steal email logins. You can read more here: https://www.welivesecurity.com/en/scams/how-fraudsters-abuse-google-forms-spread-scams/
Here’s the TL;DR:
Malicious actors are always looking for ways to add legitimacy to scams and evade email security filters. Google Forms offers a great opportunity to do both. It is favored by cybercriminals because it is:
- Free, meaning threat actors can launch campaigns at scale with a potentially lucrative return on their investment
- Trusted by users, which increases the chances of victims believing that the Google Form they’re being sent or redirected to is legitimate
- A legitimate service, meaning that malicious Google Forms and links to malicious forms are often waved through by traditional email security tools
- Easy to use, which is good for users but also handy for cybercriminals – meaning they can launch convincing phishing campaigns with very little effort or prior knowledge of the tool
Cybercriminals also take advantage of the fact that Google Forms traffic is encrypted with TLS, which may make it harder for security tools to inspect it for malicious activity. Similarly, the service often uses dynamic URLs, which may make it challenging for some email security filters to spot malicious forms.
Roger Grimes, data-driven defense evangelist at KnowBe4, commented:
“All public services, like Google Forms, need to be better at defeating phishing attempts that use their product. I think most people can easily come up with a dozen signs that they can easily see in a message that indicates a scam. These services need to be doing more to fight cybercriminals using their products to conduct scams. Because they don’t, it causes trust issues and lessens the value of those products. Each of these services will tell you that they are already spending a bazillion dollars and lots of resources to fight scammers, but they simply aren’t doing enough. They are letting the revenue they are making by being bad at spotting cybercriminals get in the way of them better detecting and spotting scammers. It’s a business decision. One that isn’t being made correctly by many service providers, and it’s unfortunate.”
This isn’t the first time that I’ve seen Google Forms used for nefarious purposes. And to Google’s credit, when I’ve reported a dodgy form, they’ve been quick to take it down. But it often pops up again in hours or days. I am not sure how Google addresses this, but they do need to address it.
Blue Shield of CA Leaked PHI of 4.7 Million Members to Google…. WTF??
Posted in Commentary with tags Hacked on April 23, 2025 by itnerd
News is out that Blue Shield of California leaked the health data of 4.7 million members to Google. And upon reading this, my jaw hit the ground:
Blue Shield said it used Google Analytics to track how its customers used its websites, but a misconfiguration had allowed for personal and health information to be collected as well, such as the search terms that patients used on its website to find healthcare providers.
The insurance giant said Google “may have used this data to conduct focused ad campaigns back to those individual members.”
Blue Shield said the collected data also included insurance plan names, types and group numbers, along with personal information such as patients’ city, zip code, gender and family size. Details of Blue Shield-assigned member account numbers, claim service dates and service providers, patient names and patients’ financial responsibility were also shared.
Per a legally required disclosure with the U.S. government’s health department, Blue Shield of California said it is notifying 4.7 million individuals affected by the breach. The breach is thought to affect the majority of its customers; Blue Shield had 4.5 million members as of 2022.
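A check of the kind this incident calls for, added here as an example and not Blue Shield’s or Google’s code: it reads analytics beacon URLs (the kind you can copy out of the browser’s network tab or a HAR export), looks inside the page URL the tag reports, and flags anything that reveals what a member searched for or who they are, then shows what the same beacon should look like after scrubbing. The beacons are constructed to resemble GA4 gtag.js collect requests; the parameter names `dl`, `dr`, `dt`, `en`, `ep.*` and `up.*` are GA4’s, while the example insurer hostname, the member ID format and the lists of sensitive keys are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# GA4 parameters whose values are copied from the page itself, so anything
# sensitive in the page URL (search terms, zip codes, plan names) rides along.
PAGE_URL_PARAMS = {"dl": "document location", "dr": "document referrer"}

# Query keys on the *site's* URL that usually carry what a member typed or who
# they are. Assumed list for illustration; tune it to the site being audited.
SENSITIVE_SITE_KEYS = {"q", "query", "search", "zip", "zipcode", "member",
                       "memberid", "plan", "group", "claim"}

# Custom event (ep.*) and user (up.*) parameters that should never reach an
# analytics or ad platform. Assumed naming patterns.
SENSITIVE_CUSTOM = re.compile(
    r"^(ep|up)\.(member|plan|group|claim|provider|dob|name|zip|gender|family|search)",
    re.I)

# Value-level patterns: member/group style identifiers and claim service dates.
ID_LIKE = re.compile(r"^[A-Z]{2,4}\d{6,}$")     # assumed member ID format
DATE_LIKE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample beacons (not real traffic): one clean page view and one
# from a find-a-doctor search that leaks the query, zip, plan and member ID.
SAMPLE_BEACONS = [
    "https://www.google-analytics.com/g/collect?v=2&tid=G-ABC123&cid=555.1"
    "&dl=https%3A%2F%2Fexample-insurer.test%2Fhome&dt=Home&en=page_view",
    "https://www.google-analytics.com/g/collect?v=2&tid=G-ABC123&cid=555.1"
    "&dl=https%3A%2F%2Fexample-insurer.test%2Ffind-a-doctor%3Fq%3Doncologist%26zip%3D94107"
    "&dt=Find+a+doctor&en=search&ep.search_term=oncologist"
    "&ep.plan_name=Gold+80+PPO&up.member_id=BSC00123456",
]


def _params(url):
    """Decoded (key, value) pairs of a URL's query string, in order."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def findings_for_beacon(url):
    """Return (parameter, reason, value) triples for everything that looks like
    member data in one beacon; an empty list means the beacon is clean."""
    findings = []
    for key, value in _params(url):
        if key in PAGE_URL_PARAMS:
            # The value is itself a URL: inspect *its* query string.
            for ikey, ivalue in _params(value):
                if ikey.lower() in SENSITIVE_SITE_KEYS:
                    findings.append((f"{key}[{ikey}]",
                                     f"{PAGE_URL_PARAMS[key]} carries site query parameter",
                                     ivalue))
        elif key.startswith(("ep.", "up.")):
            if SENSITIVE_CUSTOM.match(key):
                findings.append((key, "custom parameter named like member/plan/claim data", value))
            elif ID_LIKE.match(value) or DATE_LIKE.match(value):
                findings.append((key, "custom parameter value looks like an identifier or date", value))
    return findings


def scrub_beacon(url):
    """Model of the corrected beacon: sensitive site query keys are stripped
    from dl/dr and flagged custom parameters are dropped. In a real deployment
    this must happen in the tag configuration before the request leaves the
    browser; sending and then scrubbing would already be the breach."""
    parts = urlsplit(url)
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in PAGE_URL_PARAMS:
            inner = urlsplit(value)
            clean = [(k, v) for k, v in parse_qsl(inner.query, keep_blank_values=True)
                     if k.lower() not in SENSITIVE_SITE_KEYS]
            value = urlunsplit(inner._replace(query=urlencode(clean)))
        elif key.startswith(("ep.", "up.")) and (
                SENSITIVE_CUSTOM.match(key) or ID_LIKE.match(value) or DATE_LIKE.match(value)):
            continue
        kept.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for beacon in SAMPLE_BEACONS:
        hits = findings_for_beacon(beacon)
        print("CLEAN" if not hits else f"{len(hits)} finding(s)")
        for param, reason, value in hits:
            print(f"  {param}: {reason} -> {value!r}")
        if hits:
            print("  scrubbed:", scrub_beacon(beacon))
```

The point of inspecting `dl` rather than only the custom parameters is that a tag configured with nothing but defaults still reports the full page URL, so a provider search form that puts the query in the URL leaks it with no custom tagging at all; that is the kind of misconfiguration the disclosure describes.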
Ensar Seker, CISO at SOCRadar:
“In this case, the unintentional exposure of protected health information (PHI) from 4.7 million members to Google’s analytics and advertising platforms raises serious questions about how healthcare providers manage third-party tracking technologies.”
“This isn’t just a technical misstep. It’s a HIPAA compliance failure. PHI should never be sent to platforms like Google Ads or Analytics, especially without explicit patient consent and proper business associate agreements (BAAs) in place. When you consider the type of data potentially exposed (names, IP addresses, search terms, and in some cases sensitive health-related activity) the privacy implications are significant. Such data can be used to infer medical conditions, insurance status, or treatment history, and that creates a risk not just of identity theft, but of discrimination, stigma, and profiling.”
“What’s particularly troubling is the duration of exposure: nearly three years before it was identified and addressed. That suggests a systemic gap in data flow visibility, audit logging, and vendor oversight. Many healthcare organizations unknowingly introduce risk through website trackers, pixel tags, and marketing scripts: tools that are standard in e-commerce, but dangerously misapplied in regulated environments like healthcare.”
“At the end of the day, this incident wasn’t about a hacker breaking in, it was about data leaking out due to weak controls. And that’s often the more dangerous, and more preventable, type of breach.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech:
“Victims should be on the lookout for insurance fraud. Check your hospital bills and prescriptions for any unfamiliar charges that could indicate someone else is using your insurance to get drugs or other care in your name.”
“Patients might have seen ads targeted at them based on confidential information in Blue Shield’s database.”
“The wildest part about this is that it happened over nearly three years. Luckily, it doesn’t seem like cybercriminals took advantage. The only unauthorized third party that saw the leaked data was Google, according to the disclosure. It doesn’t seem like Google shared identifiable info with any of its advertisers or publishers on Google Ads.”
This is firmly within the realm of WTF. I simply cannot believe that something like this happened, as you would think it never could. But in this case, it did. And normally I would say that there needs to be an investigation by the relevant government authorities, making sure that those who are responsible for this monumental screw-up are punished. But given the times that the US is living in, I am going to guess that this won’t happen.
UPDATE: Jim Routh, Chief Trust Officer at Saviynt provided the following comments:
“The industry is likely to see similar types of data breaches going forward. Google has invested in and implemented highly sophisticated data models (Google Analytics) to harvest user online behavioral information (what products are consumed) along with individual attributes, which is then packaged for advertising platforms. The settings for Google Analytics and similar platforms need to be configured and reviewed by the healthcare insurance provider (Blue Shield of California) and other enterprises sharing consumer information.
“The good news is that this data did not include SSNs and other sensitive information, but the bad news is it was health-specific information for consumers that should not be shared. The notification of this incident comes several months after it was identified (February 11, 2025).”