Attackers Abuse Google’s Security System to Send Fake Emails Featuring Google Account Credentials

Security researchers are raising the alarm about a clever attack in which hackers exploited a weakness in Google's own systems. They managed to send a fake email that looked entirely genuine: it passed every authentication check and pointed to a fake page used to collect login credentials.

The attacker made full use of Google's infrastructure to deceive recipients. The message looked authentic and linked to a "support portal" that was hard to distinguish from the real one. That portal then asked for Google credentials as a further step, reinforcing the impression of legitimacy.

The fake message appeared to come from no-reply@google.com and even passed DKIM signature verification, yet the party that actually sent it was not Google.

The lead developer at ENS shared his experience of receiving one of these emails from the fake sender. Everything about it looked real, and it appeared to be a legitimate security alert from the company.

The email informed him of a subpoena requesting his Google Account data. Most users would be easily tricked, especially those who don't know where to look for signs of fraud. But Johnson's eye for detail caught that the "support portal" linked in the email was hosted on sites.google.com, which is the company's free website-building platform.

As experts note, because the page sat on a Google domain, the chances of a recipient being tricked into accepting the fake as genuine are very high. In this case, the duplicate was as close to the real support portal as one can imagine.

According to the developer, the phishing actor's real aim was to capture credentials that would compromise the recipient's account. The trouble lies in phishing messages that pass Google's DKIM verification while pointing at fake portals. These are known as DKIM replay phishing attacks, and the usual checks that catch other phishing messages do not flag them.

A closer look at the headers shows that the message was actually mailed by a different address than Google's no-reply, and that its original recipient was a me@ address in a domain set up so that the message appears to have come from Google alone.

The message really was signed and delivered by the company, so only those with a keen eye for detail avoided the trap.

Experts did manage to piece together the clues the attackers left behind and work out how the attack was orchestrated. It involved registering a domain and creating a Google account for me@domain. Choosing "me" as the username is where the clever part lies, according to the developer: Gmail displays the recipient's own address simply as "me", so the message looks as though it was addressed to whoever receives it.

The attacker then created a Google OAuth application whose name was the entire text of the phishing message. At a certain point the name contained a long run of whitespace, so the message appeared to end there and the phishing text was visually separated from Google's own notice about the app being granted access to the attacker's email address.

Once the attacker grants that app access to their Google Workspace account, Google sends a security alert to the me@domain inbox. Because Google itself generates the email, it signs it with its real DKIM keys, and the message passes every check along the way. The weakness lies in how DKIM works: the signature covers only the message headers and body, never the SMTP envelope. The attacker can therefore replay the signed alert unchanged to new recipients; the signature still verifies, and the fake email looks authentic in the recipient's inbox.
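The following is an added illustration, not code from the article or from Google, of the mechanism described above and of the header and content clues mentioned earlier. A toy DKIM-style signature is computed over selected headers plus the body and never over the SMTP envelope, so the same signed bytes still verify when re-sent to a new recipient, while rewriting the signed To: header breaks the signature (which is why the attacker needs the "me" trick). HMAC-SHA256 stands in for DKIM's RSA signature purely to keep the example stdlib-only; which fields are covered is the point. The replay indicators, the attacker domain, the key and the sample alert are all constructed, and the sites.google.com URL is a placeholder.

```python
"""
Toy model of a DKIM replay (added example, not from the article or Google).
HMAC-SHA256 replaces DKIM's RSA signature to stay stdlib-only; the essential
property modelled is that only chosen headers and the body are signed.
"""
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

SIGNED_HEADERS = ("from", "to", "subject")                  # analogue of DKIM's h= tag
SIGNING_KEY = b"constructed-demo-key-not-a-real-dkim-key"    # constructed secret


def canonical_form(raw: str) -> bytes:
    """Signed headers (whitespace-collapsed) plus body, roughly DKIM 'relaxed'."""
    msg = message_from_string(raw)
    lines = [f"{h}:{' '.join((msg.get(h) or '').split())}" for h in SIGNED_HEADERS]
    body = msg.get_payload().strip()
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("utf-8")


def sign(raw: str) -> str:
    """Signer side. Note that the SMTP envelope is not an input at all."""
    return hmac.new(SIGNING_KEY, canonical_form(raw), hashlib.sha256).hexdigest()


def verify(raw: str, signature: str) -> bool:
    return hmac.compare_digest(sign(raw), signature)


def replay_indicators(raw: str, envelope: dict) -> list:
    """Defender-side heuristics (constructed) for a signed-but-replayed message.
    envelope = {"mail_from": ..., "rcpt_to": ...} as seen by the receiving MTA."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("from", ""))
    _, to_addr = parseaddr(msg.get("to", ""))
    if to_addr.lower() != envelope["rcpt_to"].lower():
        findings.append("To header does not match envelope recipient")
    from_dom = from_addr.split("@")[-1].lower()
    if from_dom != envelope["mail_from"].split("@")[-1].lower():
        findings.append("From domain differs from envelope sender domain")
    body = msg.get_payload()
    if re.search(r"(\n[ \t]*){10,}", body):                 # ten or more bare newlines
        findings.append("long whitespace run may hide appended text")
    if "sites.google.com" in body and from_dom == "google.com":
        findings.append("alert from google.com links to a user-hosted sites.google.com page")
    return findings


# Constructed sample with the shape of the alert described in the article.
PHISH_TEXT = (
    "A subpoena has been issued requesting a copy of your Google Account data.\n"
    "Review the case: https://sites.google.com/view/PLACEHOLDER-CASE-PAGE\n"
)
ALERT = (
    "From: Google <no-reply@google.com>\n"
    "To: me@attacker-domain.example\n"                       # constructed attacker domain
    "Subject: Security alert\n"
    "\n"
    + PHISH_TEXT
    + "\n" * 40                                              # the whitespace run in the app name
    + "was granted access to your Google Account me@attacker-domain.example\n"
)


def demo() -> dict:
    """Sign once as the legitimate sender would, then replay the same bytes elsewhere."""
    sig = sign(ALERT)
    original_env = {"mail_from": "no-reply@google.com", "rcpt_to": "me@attacker-domain.example"}
    replay_env = {"mail_from": "bounce@attacker-domain.example", "rcpt_to": "victim@example.org"}
    tampered = ALERT.replace("To: me@attacker-domain.example", "To: victim@example.org")
    return {
        "verifies_at_attacker": verify(ALERT, sig),
        "verifies_after_replay": verify(ALERT, sig),         # same bytes, new envelope: passes
        "verifies_if_to_rewritten": verify(tampered, sig),   # a signed header changed: fails
        "indicators_original": replay_indicators(ALERT, original_env),
        "indicators_replay": replay_indicators(ALERT, replay_env),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The replayed copy is byte-identical to the one the signer produced, so no signature check can tell the two apart; what differs is the envelope the receiving server observed and the content clues (the whitespace run, a user-hosted Google Sites link inside a message from google.com), which is where a mail filter or an attentive reader has to look.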

A similar technique was used previously against PayPal, where phishing actors abused the company's systems. The fake messages originated from the financial firm's own mail servers and passed all DKIM security checks. In that case, attackers used the gift address option to attach new email addresses to PayPal accounts.

For now, Google is working to fix the security loopholes involved, including in the company's OAuth application system that is used by millions.
