Gmail users have been warned about a highly convincing scam email thatappears to come from Google themselves.
The email seems to come from [email protected], which is the address that real security updates come from.
It links to a webpage hosted by Google, too, which is another convincing sign.
But the website was not made by them; it was made by scammers trying to trick you.
The email claims that ‘a subpoena was served on Google LLC requiring us to produce a copy of your Google Account content’.
It links to a sites.google.com domain designed to look like Google’s genuine support page.
However, the real support webpage is on accounts.google.com, while the ‘sites’ domain is one that anyone can build a free webpage on.
Ordinary users are unlikely to know or notice this, however, and could inadvertently grant scammers permissions that could allow them access, or target you with malware.
Security software firm Kaspersky said that there are other clues, too.
If you look closer at the email details, the to and mailed-by fields contain a jumble of letters of emails which have nothing to do with Google, showing me[@]googl-mail-smtp-out-198-142-125-38-prod[.]net and
fwd-04-1.fwd.privateemail[.]com.
The scam was first revealed by tech developer Nick Johnson.
How could they make it so convincing?
The scammers used Google OAuth technology, which is what you see when you use your Google details to sign into a different app.
Those who fell victim to the scam approved the permissions thinking they were giving Google themselves permission.
It is not clear exactly what the scammers hoped to achieve by this, but could involve data theft or infecting the victim with malware.
Kapersky said that when an OAuth app is registered, ‘the web application administrator can manually enter completely arbitrary text in the App
Name field – this is what the criminals apparently took advantage of.’
The mechanism that attackers used to do this has now been shut down, which will prevent this method of attack from working in future.
A Google spokesperson said: ‘We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse.
‘In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.’
They recently issued guidance on spotting scams, saying they will not ask for any of your account credentials, including your password, one-time passwords, confirm push notifications, and will not call you.
Get in touch with our news team by emailing us at [email protected].
For more stories like this, check our news page.
MORE: People are placing bets on which five escaped New Orleans prisoners will be caught last
MORE: Stalker detective tried to ‘destroy’ ex’s life by lying he was a paedophile
MORE: School boys deny throwing massive seat over balcony at Westfield
