Phishing emails are becoming increasingly difficult to differentiate from legitimate ones, as highlighted by developer Nick Johnson, who says he was “targeted by an extremely sophisticated phishing attack [that] exploits a vulnerability in Google’s infrastructure.”
The email he received came from [email protected], which “passes the DKIM [DomainKeys Identified Mail] signature check,” he notes. Gmail did not display any warning, and “even puts it in the same conversation as other, legitimate security alerts.”
The email warned Johnson that Google had received a subpoena to produce a copy of his Google account. Clicking on a link inside the email “takes you to a very convincing ‘support portal’ page” hosted on sites.google.com. This tactic is “clever,” Johnson says, because “people will see the domain is http://google.com and assume it’s legit.”
Clicking “Upload additional documents” or “View case” takes you to a sign-in page; if you enter your details, the scammers will “presumably…harvest your login credentials and use them to compromise your account,” he says.
How did the hackers spoof a valid email? Johnson blames “two vulnerabilities in Google’s [infrastructure] that they have declined to fix.” First, the legacy sites.google.com product dates back to “before Google got serious about security.” People can host content on a google.com subdomain, “and crucially, it supports arbitrary scripts and embeds,” he says.
“Obviously, this makes building a credential harvesting site trivial; they simply have to be prepared to upload new versions as old ones get taken down by Google’s abuse team,” Johnson says. “It helps the attackers that there’s no way to report abuse from the Sites interface, too.” He’s calling on Google to disable scripts and arbitrary embeds in Sites as it’s “too powerful a phishing vector.”
The email itself, meanwhile, which takes advantage of Google OAuth and Google’s practice of using “me” when referring to your own emails, is “much more sophisticated, and in my opinion much more obviously a security issue on Google’s part,” he says.
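The lesson for mail filtering is that a passing DKIM check, as in the email Johnson received, says the message was signed by the claimed domain, not that it was sent to you. The following Python check is an added illustration, not code from the article or from Google: it parses a message's headers and flags two signs that a legitimately signed message was forwarded to someone other than its original addressee, a signing domain that differs from the From domain, and a signed To: header that does not match the mailbox the message landed in. The sample headers and addresses are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the article): a DKIM-valid alert whose signed
# To: header names a different mailbox than the one it was delivered to.
SAMPLE = b"""Delivered-To: victim@example.com
Authentication-Results: mx.example.com; dkim=pass header.d=accounts.google.com
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=20230601;
\th=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: me@attacker-mailbox.example
Subject: Security alert
Date: Wed, 16 Apr 2025 11:00:00 +0000

You have received a subpoena notice.
"""

def dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in str(header_value).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = "".join(val.split())  # drop folding whitespace
    return tags

def replay_indicators(raw):
    """Return the reasons a DKIM-passing message still looks replayed (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    tags = dkim_tags(msg.get("DKIM-Signature", ""))
    signing_domain = tags.get("d", "").lower()
    from_domain = msg["From"].addresses[0].domain.lower()
    # 1. The signing domain (d=) should be the From domain or a parent of it.
    if signing_domain and from_domain != signing_domain \
            and not from_domain.endswith("." + signing_domain):
        findings.append(f"signing domain {signing_domain} does not match From domain {from_domain}")
    # 2. When To: is among the signed headers (h=), it cannot be edited without
    #    breaking the signature, so a mismatch with the delivered mailbox means
    #    the original message was addressed to someone else and forwarded here.
    signed_headers = tags.get("h", "").lower().split(":")
    delivered_to = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    signed_to = {a.addr_spec.lower() for a in msg["To"].addresses}
    if "to" in signed_headers and delivered_to and delivered_to not in signed_to:
        findings.append(f"signed To {sorted(signed_to)} does not include delivered mailbox {delivered_to}")
    return findings
```

Run over the constructed sample, the check returns one finding for the To:/Delivered-To mismatch even though the Authentication-Results line reports dkim=pass.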
Johnson says he reported the issue to Google, which said it wasn’t a bug. However, later on, Google acknowledged the bug and promised to roll out a fix.
“We’re aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week,” a Google spokesperson tells Newsweek. “These protections will soon be fully deployed, which will shut down this avenue for abuse.”
Until the fix arrives, Google recommends adopting multi-factor authentication and passkeys for stronger protection against phishing attacks.
And stay alert, because anyone can be duped. This Gmail scam comes after a hacker managed to phish Troy Hunt, the creator of HaveIBeenPwned.com, tricking the security expert into clicking on a malicious email while he was jetlagged.
About Jibin Joseph
Contributor
