MALWAREBYTES reports a job-themed phishing campaign that uses a fake Google Forms site to harvest Google logins, with suspicious URLs such as https://forms.google[.]ss-o[.]com/forms/d/e/{unique_id}/viewform?form=opportunitysec&promo= and a corresponding generation_form.php on the same domain. The subdomain forms.google[.]ss-o[.]com is described as an impersonation of forms.google[.]com, and the phishing page imitates Google Forms, including logos, colour schemes, a disclaimer, and a not “submitting passwords” note.
According to Malwarebytes, clicking the Sign in button led to id-v4[.]com/generation[.]php, a domain that has featured in multiple phishing campaigns and asked for Google account credentials. The article notes the landing page for the campaign and the phishing link were designed to appear legitimate, with the personalized URL created by generation_form.php.
Malwarebytes identifies the attack as a scam and provides safety tips, such as not clicking unsolicited job offers and using a password manager, with IOCs including id-v4[.]com and forms.google[.]ss-o[.]com. This summary is according to Malwarebytes.