Gmail's security is being deceived by a novel phishing strategy. Here's a breakdown of the method used:
Cunning Phishing Attacks on Steroids: Google's Infrastructure Under Siege
These days, phishing attacks are rampant, and Google is no exception. Despite constant warnings to stay vigilant, attackers keep finding new ways to trick us. Some stick to the old ways, sending fake emails supposedly from Apple, Amazon, or Facebook from random sender addresses, but the smarter ones have upped their game with stealthy methods that make it almost impossible to tell a fake from the real thing.
Here's a chilling account from software developer Nick Johnson of a highly sophisticated phishing attack that exploits a clear weakness in Google's infrastructure. The attack is so slick it may become the new norm unless Google fixes it soon.
Johnson received an email that appeared to be a legitimate notification from Google. It claimed that the company had been served with a subpoena and that he was required to provide a copy of his Google account content. An email like this would normally be easy to dismiss by checking who sent it, but this one came from a Google address, [email protected], and passed the DomainKeys Identified Mail (DKIM) check. To make things even more disconcerting, Gmail threaded it together with his genuine Google security alerts.
Clicking the link led to a very convincing Google sign-in page; the only giveaway was that the URL was "sites.google.com" instead of "accounts.google.com." Johnson rightly stopped there, believing this was the point where the criminals would have harvested his data.
Recently, I found myself on the receiving end of an extremely sophisticated phishing attack. I want to shed light on it here. This attack exploits Google's infrastructure in a way that's scary, and given their reluctance to patch it, we're likely to see it more often. Here's the email I received: pic.twitter.com/tScmxj3um6
So how did the hackers pull off this sophisticated scam using a seemingly legitimate email from Google and a fake site that is still a Google website? Johnson came up with a theory.
The first step was to create a site using an old Google product. As Johnson tweeted, "The fake portal is fairly straightforward. sites.google.com is a legacy product from before Google got serious about security; it allows users to host content on a http://google.com subdomain, and crucially it supports arbitrary scripts and embeds."
Next, the attackers register a domain and create a Google account on it; in Johnson's example the address was "me@domain." They then create a Google OAuth application, a task a knowledgeable developer can complete quickly. The application's name is set to the full text of the phishing message, with the spacing and wording of a genuine Google email, including a "Google Legal Support" line in Johnson's case.
From there, they grant the OAuth app access to the account they created, "me@domain" in Johnson's example. Google responds by generating a genuine "Security Alert" email to that account, and because the app's name is reproduced in the alert, the email carries the phishing text. The attacker forwards this email to the victim: it still passes the DKIM check, appears to come from a legitimate Google address, and links to the fake site.
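As an added example (not part of the article or of Johnson's post), the following Python triage script checks an incoming message for the three signals the account above describes: a DKIM signature whose signed To: header is not the mailbox the message was delivered to, an envelope sender outside the signing domain, and a link to sites.google.com where a sign-in page would be expected. The sample message, addresses, selector and signature values are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample modelled on the replayed alert described above.
# Every address, selector and signature value is an invented placeholder.
REPLAYED_ALERT = """\
Return-Path: <bounce@attacker-mailer.example>
Delivered-To: victim@example.org
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=selector-placeholder; h=from:to:subject; b=SIGNATURE-PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: me@domain
Subject: Security alert
Content-Type: text/html; charset="utf-8"

<p>Google Legal Support: a subpoena requires a copy of your account content.</p>
<p><a href="https://sites.google.com/u/0/d/placeholder/support-case">Review case</a></p>
"""


def dkim_domain(msg):
    """Return the d= tag of the DKIM-Signature header, or None if absent."""
    sig = str(msg.get("DKIM-Signature", ""))
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else None


def analyze(raw):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    findings = []
    d = dkim_domain(msg)
    signed_to = parseaddr(str(msg.get("To", "")))[1].lower()
    delivered_to = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    return_domain = parseaddr(str(msg.get("Return-Path", "")))[1].split("@")[-1].lower()
    # 1. The signature covers To:, so a signed To: that is not the mailbox the
    #    message landed in means the message was replayed (forwarded) to the victim.
    if d and signed_to and delivered_to and signed_to != delivered_to:
        findings.append(f"signed To: {signed_to} differs from Delivered-To: {delivered_to}")
    # 2. The envelope sender is outside the signing domain: the message did not
    #    leave via google.com's own outbound path even though it carries its signature.
    if d == "google.com" and return_domain and not return_domain.endswith("google.com"):
        findings.append(f"Return-Path domain {return_domain} is not {d}")
    # 3. Links to sites.google.com, a user-content host, rather than accounts.google.com.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in re.findall(r'href="([^"]+)"', text):
        if url.startswith("https://sites.google.com/"):
            findings.append(f"link to user-hosted content: {url}")
    return findings
```

A message that passes all three checks returns an empty list; any non-empty result is worth a closer look before the recipient follows the link.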
April 16, 2025
Johnson reported the issue to Google, but the company's initial response was not satisfactory.
"I've submitted a bug report to Google about this; unfortunately, they closed it as 'Working as Intended' and explained that they don't consider it a security bug. Obviously, I disagree, but until they change their mind, be on the lookout for deceptive security alerts from Google," Johnson wrote. He later said that the company changed its stance.
"Outstanding news: Google has reconsidered and will be fixing the oauth bug," he tweeted. Google confirmed they are working on a solution.
"We're aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse," the company told Newsweek. "In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns."
Google is taking action.
This method is a sophisticated advance in phishing technique, and it requires all of us to remain vigilant. Users must scrutinize unexpected emails and links, even those that appear to come from trusted sources, especially when they demand urgent action or request sensitive data.
- The sophisticated phishing attack Nick Johnson experienced used Google's legacy product, sites.google.com, to host a fake portal that mimicked a Google sign-in page, showcasing an advancement in phishing techniques.
- The hackers created a Google account using a fake domain and a Google OAuth application to generate a "Security Alert" message from Google, which contained the phishing text and appeared legitimate due to passing the DKIM check.
- To counteract such phishing attacks, users should remain vigilant, be wary of unexpected emails and links, even from seemingly trusted sources, and adopt additional security measures such as two-factor authentication and passkeys.