Cybercriminals are leveraging Google's infrastructure to craft deceptive emails that mimic official Google communications, aiming to steal users' Google account credentials. This sophisticated phishing attack was initially identified by a prominent figure in the blockchain community, highlighting a significant vulnerability in Google's systems.
Exploiting Google's Infrastructure
The attack begins with a seemingly legitimate security alert, allegedly from law enforcement, concerning a subpoena for the contents of the victim's Google account. The email directs users to a sites.google.com page that replicates Google's official support portal. This tactic exploits the fact that anyone can create a site on Google Sites, so the page appears trustworthy to unsuspecting users because it sits on a google.com host.
Technical Details of the Attack
The attackers utilize Google Sites to host phishing pages, taking advantage of the domain's perceived legitimacy. The emails carry a valid DKIM (DomainKeys Identified Mail) signature from Google. Because DKIM signs the message body and selected headers rather than the delivery path, a previously legitimate DKIM-signed email can be resent (replayed) to a new recipient without altering its authentication status.
- Phishing Setup: A Gmail account is created and set up so that the resulting alert appears to be addressed to the victim.
- OAuth Exploitation: An OAuth app is registered whose name carries the phishing message; this triggers a genuine security alert from Google.
- DKIM Signature: Because the alert is generated and signed by Google itself, it retains a valid DKIM signature, and the phishing message embedded in the app name sits inside the signed content.
Recognizing and Avoiding the Scam
To identify this scam, users should be wary of pages hosted on sites.google.com instead of legitimate Google domains like support.google.com or accounts.google.com. Additionally, scrutinizing the email headers can reveal discrepancies in the sender's address, despite the valid DKIM signature.
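The replay property described under Technical Details and the header checks recommended here can be made concrete. The following is an added example, not code from the original article or from Google: it parses a message with Python's standard library, reads which headers the DKIM-Signature covers (its h= tag), and then looks at what the signature does not protect: the address the message was actually delivered to versus the signed To:, the envelope sender (Return-Path) versus the visible From:, and whether body links point at a user-publishable host such as sites.google.com. The two sample messages, the bounce address, and the signature values are constructed placeholders; org_domain is a deliberately crude two-label comparison that real code would replace with a public-suffix-list lookup.

```python
"""Header-consistency checks for a DKIM-signed message that may have been replayed.

DKIM signs the body plus the headers listed in the signature's h= tag. The SMTP
envelope (who actually injected the message and who received it) is not covered,
so a genuine signed alert can be re-sent to a new recipient and still verify.
Sample messages below are constructed; signature values are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Anyone can publish under these hosts, so a link there carries no authority.
USER_CONTENT_HOSTS = {"sites.google.com"}


def org_domain(host):
    """Crude organisational domain (last two labels); real code should use the
    public suffix list. Sufficient for the constructed samples here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dkim_tags(msg):
    """Parse the first DKIM-Signature header into a {tag: value} dict."""
    tags = {}
    for part in (msg.get("DKIM-Signature") or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def extract_links(msg):
    """All http(s) URLs found in the text parts of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            urls += re.findall(r"https?://[^\s\"'<>]+", payload.decode("utf-8", "replace"))
    return urls


def analyse(raw_message):
    """Return a list of findings; an empty list means nothing looked inconsistent."""
    msg = message_from_string(raw_message)
    findings = []
    tags = dkim_tags(msg)
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]

    # 1. The signed To: is protected by DKIM, the delivery address is not. A
    #    mismatch means a signed message reached someone it was not written to.
    _, signed_to = parseaddr(msg.get("To") or "")
    _, delivered_to = parseaddr(msg.get("Delivered-To") or "")
    if "to" in signed and signed_to and delivered_to and signed_to.lower() != delivered_to.lower():
        findings.append(f"replay: signed To <{signed_to}> but delivered to <{delivered_to}>")

    # 2. Envelope sender versus visible From: a valid signature says nothing
    #    about who re-injected the message into SMTP.
    from_dom = addr_domain(msg.get("From"))
    rp_dom = addr_domain(msg.get("Return-Path"))
    if from_dom and rp_dom and org_domain(rp_dom) != org_domain(from_dom):
        findings.append(f"envelope-sender: Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # 3. Signing domain alignment with From (the relationship DMARC checks).
    d_dom = tags.get("d", "").lower()
    if d_dom and from_dom and org_domain(d_dom) != org_domain(from_dom):
        findings.append(f"dkim-alignment: d={d_dom} does not align with From domain {from_dom}")

    # 4. Links to user-publishable hosts inside an "official" message.
    for url in extract_links(msg):
        host = (urlparse(url).hostname or "").lower()
        if host in USER_CONTENT_HOSTS:
            findings.append(f"link: user-publishable host {host} in {url}")
    return findings


# Constructed: an alert signed for one recipient, re-sent to another through an
# unrelated relay, pointing at a Google Sites page.
SAMPLE_REPLAYED = """\
Delivered-To: victim@example.com
Return-Path: <forwarder@relay.example.net>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=placeholder;
 h=from:to:subject:date:mime-version:content-type; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: original-recipient@example.org
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

Review the request: https://sites.google.com/view/placeholder-support-page
"""

# Constructed: the same shape delivered to its actual addressee, with a
# placeholder bounce address under google.com and a support.google.com link.
SAMPLE_LEGIT = """\
Delivered-To: user@example.com
Return-Path: <bounce-placeholder@mail.google.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=placeholder;
 h=from:to:subject:date:mime-version:content-type; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: user@example.com
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

Review the request: https://support.google.com/accounts/
"""

if __name__ == "__main__":
    for name, sample in (("replayed", SAMPLE_REPLAYED), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample) or ["no findings"])
```

None of these checks verifies the signature itself; they assume the receiving mail server already did that and flag the things a valid signature cannot vouch for. A replayed alert trips the recipient and envelope-sender checks and the link check at once, while the aligned, correctly delivered sample produces no findings.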
Preventive Measures
- Link Caution: Avoid clicking on links in unsolicited emails.
- Email Verification: Check email headers for authenticity.
- Independent Verification: Confirm the legitimacy of emails through other methods.
- Account Security: Use unique login credentials for different services instead of relying on Google or Facebook logins.