- Joined
- Jun 19, 2023
- Messages
- 1,031
- Reaction score
- 2,126
- Points
- 133
- Age
- 46
- Location
- Canada
- Faith
- Reformed (URCNA)
- Country
- Canada
- Marital status
- Married
- Politics
- Kingdom of God
TL/DR:
There is a sophisticated phishing attack that exploits Google's infrastructure to send emails from a legitimate Google address, passing all security checks. The emails claim to involve a legal subpoena and link to a fake Google support page hosted on Google Sites to steal login credentials. Attackers used a DKIM replay attack and OAuth misconfiguration to generate authentic-looking Gmail alerts. Because the messages appear valid and are often threaded with real alerts, they are highly convincing.
The issue: Attackers are exploiting Google’s own systems to send phishing emails from a legitimate Google address that passes all security checks.
The trick: They use a DKIM replay attack and OAuth misconfiguration to deliver fake alerts, linking to phishing pages hosted on a Google subdomain.
The impact: The scam has already led to a $4.3 million crypto theft, with ongoing risks to Gmail users as authorities intervene and Google scrambles to patch the flaw.
The takeaway: Don’t trust unexpected login prompts or urgent emails—even from trusted sources—without verifying the sender and the URL.
SUMMARY:
Nick Johnson, an Ethereum Name Service (ENS) developer, reported a sophisticated phishing attack (April 16, 2025) exploiting Google’s infrastructure. (For a fuller explanation of the phishing attack, see this article by Gerasim Hovhannisyan at EasyDMARC.) The email appeared to be legitimate, as if sent from [email protected] with a valid DKIM check and threaded with other Google alerts he had received. It claimed that a legal subpoena had required account content access, and linked him to a fake support portal on sites.google.com designed to harvest his credentials. Both Johnson and Hovhannisyan detail a sophisticated DKIM replay attack using OAuth, as described below.
THE ISSUE:
Cybercriminals have figured out a clever way to send fake emails that look exactly like they’re from Google, because they really are sent from "[email protected]." The email Johnson received had claimed that Google had received a subpoena from law enforcement for his account information and urged him to click a link to a support portal to "examine the case materials" or "submit a protest." The emails pass Google’s own security checks (e.g., DKIM signatures) and show up alongside real security alerts in your Gmail, which makes them quite convincing. The link takes you to a fake Google support page hosted on Google Sites, where you are asked to log in—and now the scammers have your username and password. The fact that it's hosted on sites.google.com (instead of accounts.google.com) is the only obvious hint that it's a phishing scam.
THE TRICK:
The attackers exploit two weaknesses in Google’s system:
1. Google Sites vulnerability: The web site creation tool from Google allowed users to host web pages with scripts and embeds, which hackers use to create realistic-looking phishing pages using a Google subdomain.
2. OAuth misconfiguration: Hackers set up a fake Google account (with the word "me" in it) and OAuth app, naming it with the phishing message text. This triggers an alert generated by Gmail—and therefore signed with a valid DKIM key and passing all the checks—which the hackers subsequently forward to their intended victims and shows up as a legitimate message in the user's inbox.
"Since forwarding services often preserve the original message as-is," Hovhannisyan said, "especially in cases like aliasing or server-side forwarding, the DKIM signature remains valid and can still be verified using the sender’s public DNS record."
And because they named their fake Google account "me@[some domain address here]," Gmail shows the message was sent to "me" at the top—which is the shorthand Google itself uses when a message is addressed to your email address—thereby avoiding another indication that might have otherwise sent up red flags. (In Johnson's case, the fake Google account used by the hackers was [email protected]. In the other example shared by Hovhannisyan, they used [email protected].)
THE IMPACT:
This scam has already been linked to a $4.3 million crypto wallet theft, with U.S. and Canadian authorities stepping in to disrupt related attacks. It’s targeting tech-savvy users, including cryptocurrency enthusiasts, but anyone with a Gmail account could be at risk. Google initially dismissed it as "working as intended," but after public pressure, they’re now working on a fix—though it’s not fully rolled out yet (as of August 2025).
KEY TAKEAWAY:
"Always question unexpected emails, especially those urging urgent action or containing links to login pages," Hovhannisyan said. "Just because something looks like it comes from Google (or any other trusted source) doesn’t mean it’s safe. When in doubt, don’t click, don’t reply, and don’t engage. Escalate to your security team or a professional who can handle the investigation in a secure, sandboxed environment."
There is a sophisticated phishing attack that exploits Google's infrastructure to send emails from a legitimate Google address, passing all security checks. The emails claim to involve a legal subpoena and link to a fake Google support page hosted on Google Sites to steal login credentials. Attackers used a DKIM replay attack and OAuth misconfiguration to generate authentic-looking Gmail alerts. Because the messages appear valid and are often threaded with real alerts, they are highly convincing.
The issue: Attackers are exploiting Google’s own systems to send phishing emails from a legitimate Google address that passes all security checks.
The trick: They use a DKIM replay attack and OAuth misconfiguration to deliver fake alerts, linking to phishing pages hosted on a Google subdomain.
The impact: The scam has already led to a $4.3 million crypto theft, with ongoing risks to Gmail users as authorities intervene and Google scrambles to patch the flaw.
The takeaway: Don’t trust unexpected login prompts or urgent emails—even from trusted sources—without verifying the sender and the URL.
Never click on links or follow instructions in suspicious emails, no matter how legitimate they may seem. Even opening a link or downloading a file could trigger malicious scripts or redirect you to phishing sites designed to steal your credentials.
Nick Johnson, an Ethereum Name Service (ENS) developer, reported a sophisticated phishing attack (April 16, 2025) exploiting Google’s infrastructure. (For a fuller explanation of the phishing attack, see this article by Gerasim Hovhannisyan at EasyDMARC.) The email appeared to be legitimate, as if sent from [email protected] with a valid DKIM check and threaded with other Google alerts he had received. It claimed that a legal subpoena had required account content access, and linked him to a fake support portal on sites.google.com designed to harvest his credentials. Both Johnson and Hovhannisyan detail a sophisticated DKIM replay attack using OAuth, as described below.
THE ISSUE:
Cybercriminals have figured out a clever way to send fake emails that look exactly like they’re from Google, because they really are sent from "[email protected]." The email Johnson received had claimed that Google had received a subpoena from law enforcement for his account information and urged him to click a link to a support portal to "examine the case materials" or "submit a protest." The emails pass Google’s own security checks (e.g., DKIM signatures) and show up alongside real security alerts in your Gmail, which makes them quite convincing. The link takes you to a fake Google support page hosted on Google Sites, where you are asked to log in—and now the scammers have your username and password. The fact that it's hosted on sites.google.com (instead of accounts.google.com) is the only obvious hint that it's a phishing scam.
THE TRICK:
The attackers exploit two weaknesses in Google’s system:
1. Google Sites vulnerability: The web site creation tool from Google allowed users to host web pages with scripts and embeds, which hackers use to create realistic-looking phishing pages using a Google subdomain.
2. OAuth misconfiguration: Hackers set up a fake Google account (with the word "me" in it) and OAuth app, naming it with the phishing message text. This triggers an alert generated by Gmail—and therefore signed with a valid DKIM key and passing all the checks—which the hackers subsequently forward to their intended victims and shows up as a legitimate message in the user's inbox.
"Since forwarding services often preserve the original message as-is," Hovhannisyan said, "especially in cases like aliasing or server-side forwarding, the DKIM signature remains valid and can still be verified using the sender’s public DNS record."
And because they named their fake Google account "me@[some domain address here]," Gmail shows the message was sent to "me" at the top—which is the shorthand Google itself uses when a message is addressed to your email address—thereby avoiding another indication that might have otherwise sent up red flags. (In Johnson's case, the fake Google account used by the hackers was [email protected]. In the other example shared by Hovhannisyan, they used [email protected].)
THE IMPACT:
This scam has already been linked to a $4.3 million crypto wallet theft, with U.S. and Canadian authorities stepping in to disrupt related attacks. It’s targeting tech-savvy users, including cryptocurrency enthusiasts, but anyone with a Gmail account could be at risk. Google initially dismissed it as "working as intended," but after public pressure, they’re now working on a fix—though it’s not fully rolled out yet (as of August 2025).
KEY TAKEAWAY:
"Always question unexpected emails, especially those urging urgent action or containing links to login pages," Hovhannisyan said. "Just because something looks like it comes from Google (or any other trusted source) doesn’t mean it’s safe. When in doubt, don’t click, don’t reply, and don’t engage. Escalate to your security team or a professional who can handle the investigation in a secure, sandboxed environment."
