Detecting scam emails is getting increasingly difficult as attackers use more and more sophisticated methods. A new report highlights a method which makes fake security alerts from Google and PayPal look extremely convincing.
It reinforces the need to apply a simple but effective safeguard anytime you receive what seems to be an important email requiring your immediate attention …
How do phishing attacks work?
A phishing attack is when someone sends you a fake email claiming to be from a company or organization, including a link that asks you to log in to take some action. Very often the email creates a sense of urgency, for example by claiming that your account has been compromised.
The link will take you to a webpage intended to look like the real thing, but which is used to collect your login credentials.
There are a number of steps companies like Apple and Google take to try to detect and block phishing attacks, as well as clues you can look for to identify many fakes. However, Bleeping Computer reports on a clever method being used to impersonate Google and PayPal.
A highly convincing attack method
A highly experienced developer and security professional received one such email, and did some digging.
Nick Johnson, the lead developer of the Ethereum Name Service (ENS), received a security alert that seemed to be from Google, informing him of a subpoena from a law enforcement authority asking for his Google Account content.
Almost everything looked legitimate and Google even placed it with other legitimate security alerts [and] the message was signed and delivered by Google.
What the attacker had done was create the fake login page on sites.google.com, Google's own site-builder service that anyone with a Google account can use, so the phishing URL sat on a genuine google.com hostname. They also used a trick to get Google to send them a real security alert email, then forwarded that message with the scam content.
This meant the forwarded copy still carried Google's valid signature and appeared to pass the email authentication checks intended to identify this type of scam.
The fraudulent message appeared to come from “[email protected]” and passed the DomainKeys Identified Mail (DKIM) authentication method but the real sender was different […]
“Since Google generated the [original] email, it’s signed with a valid DKIM key and passes all the checks,” Johnson says, adding that the last step was to forward the security alert to victims.
The weakness in Google’s systems is that DKIM checks only the message and the headers, without the envelope. Thus, the fake email passes signature validation and appears legitimate in the recipient’s inbox.
Furthermore, by naming the fraudulent address me@, Gmail will show the message as if it was delivered to the victim’s email address.
The login page is also an exact copy of the real thing. Google says it is working on a fix to prevent this method being used in future, but it remains possible for now.
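The explanation above, that a DKIM signature covers only the headers and body and so survives forwarding, is exactly why DMARC is satisfied and the mail reaches the inbox looking genuine. The replay still leaves traces, though: the envelope sender is the forwarder, not the brand; the To: header names the attacker's "me@" mailbox rather than the victim; and the link points at a user-content host. The script below is an added example (not code from the page, from Google or from the BleepingComputer report) that checks those three signals over two constructed messages, one modelled on the replayed alert and one modelled on a genuine alert. The addresses, domains, URLs and the list of user-content hosts are assumptions for illustration.

```python
"""Triage heuristics for a replayed (forwarded) DKIM-signed brand alert.
Added example; the sample messages below are constructed, not real captures."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hosts under a brand's domain that serve user-generated content. A brand's own
# security alert would not normally link here. (Assumed list; extend as needed.)
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}


def domain_of(addr: str) -> str:
    """'Name <a@b.c>', 'a@b.c' or a bare 'b.c' -> 'b.c' (lower-cased)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Naive organisational domain: the last two labels (no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])


def analyse(raw: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []

    auth = str(msg.get("Authentication-Results", ""))
    dkim_m = re.search(r"dkim=pass\b.*?header\.d=([^\s;]+)", auth)
    envelope_m = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    from_domain = domain_of(str(msg.get("From", "")))
    envelope_domain = (domain_of(envelope_m.group(1)) if envelope_m
                       else domain_of(str(msg.get("Return-Path", ""))))

    # 1. DKIM signs headers and body only, so a forwarded copy still verifies.
    #    A pass for the brand's domain combined with an envelope sender elsewhere
    #    means the message reached us through a third party, not the brand's MTA.
    if dkim_m and envelope_domain and org_domain(envelope_domain) != org_domain(from_domain):
        findings.append(("envelope-from-mismatch",
                         f"DKIM d={dkim_m.group(1)} but envelope sender is {envelope_domain}"))

    # 2. The 'me@' trick: the alert was addressed to the attacker's mailbox and
    #    only the forwarding hop delivered it to us, so To: and Delivered-To: differ.
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    delivered = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    if delivered and to_addr != delivered:
        findings.append(("recipient-mismatch", f"To: {to_addr} but Delivered-To: {delivered}"))

    # 3. Landing page hosted on the brand's user-content service.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = url.split("/")[2].lower()
        if host in USER_CONTENT_HOSTS:
            findings.append(("user-content-link", url))
    return findings


# Constructed sample modelled on the replayed alert (all addresses are assumptions).
SAMPLE_REPLAY = """Delivered-To: victim@example.com
Return-Path: <bounce@attacker-relay.example.net>
Authentication-Results: mx.example.com;
    dkim=pass header.i=@accounts.google.com header.d=accounts.google.com;
    spf=pass smtp.mailfrom=attacker-relay.example.net;
    dmarc=pass header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>
To: me@attacker-relay.example.net
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A subpoena has been served for your account content. To review or object, see
https://sites.google.com/view/legal-case-review
"""

# Constructed sample modelled on a genuine alert delivered directly by the brand.
SAMPLE_LEGIT = """Delivered-To: victim@example.com
Return-Path: <alerts-bounce@accounts.google.com>
Authentication-Results: mx.example.com;
    dkim=pass header.i=@accounts.google.com header.d=accounts.google.com;
    spf=pass smtp.mailfrom=accounts.google.com;
    dmarc=pass header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A new sign-in was detected. Review activity at
https://myaccount.google.com/notifications
"""

if __name__ == "__main__":
    for name, sample in (("replay", SAMPLE_REPLAY), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample))
```

Two caveats a practitioner should keep in mind. Finding 1 also fires on legitimate forwarding (mailing lists, an auto-forward from another mailbox), so this is a triage signal for a security alert that asks for action, not a blocking rule; and `org_domain` deliberately ignores the public-suffix list, so domains like `example.co.uk` need a proper library before this runs against real traffic.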
A similar method has been used with PayPal, in which a gift feature was used to have the phishing email appear to originate from a genuine PayPal address.
How to protect yourself
The most important step you can take is to never click on links received in email, even if it appears genuine. Instead, use your own bookmarks or type a known genuine URL.
Be especially wary of emails which imply urgency. Common examples include:
- Claiming that your account has been compromised
- Sending you an invoice for a fake transaction, and a link to cancel it
- Claiming you owe money for tax, road tolls, etc, and need to pay immediately
In the Google case, the email claims that law enforcement has served Google with a subpoena requiring access to your account content, and invites you to object.
Image: 9to5Mac collage of screengrab from Nick Johnson on background by Mathias Reding on Unsplash