Tech expert warns of ‘extremely sophisticated’ new Gmail scam claiming to be from ‘law enforcement’


It’s a digital wolf in sheep’s clothing.

Phishing messages are becoming nearly indistinguishable from the real deal. Now, techsperts are warning of a super “sophisticated” Google spoofing scheme in which cybercriminals use legitimate-looking Gmail communications to hijack user accounts.

Nick Johnson, the lead developer of Ethereum Name Service (ENS), brought this digital Trojan Horse to light in a series of X posts.

“Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here,” he wrote while describing the chameleonic scheme. “It exploits a vulnerability in Google’s infrastructure, and given their refusal to fix it, we’re likely to see it a lot more.”

In this case, the phishing scam was disguised as an official request by law enforcement.


“This notice is to alert you that a subpoena was issued to Google LLC by a law enforcement that seeks retrieval of information contained in your Google account,” it read, per a screenshot of the message. “To examine the case materials or take measures to submit a protest, please do so in the provided Google Support Case.”

Upon clicking on “upload additional documents” or “view case,” the user is taken to a sign-in page to input their credentials, whereupon bad actors will presumably use them to commandeer their account.

“I haven’t gone further to check,” Johnson noted.


The correspondence was particularly insidious as it linked to a very convincing ‘support portal’ page.

The cyberspoofers also used Google Sites — a free web-based platform for creating websites without needing coding skills — “because they know people will see the domain is http://google.com and assume it’s legit,” said Johnson.

To make things more confusing, the email originated from an official no-reply on Google’s domain and was filed “in the same conversation as other, legitimate security alerts,” the tech whiz warned.


How did the hackers manage to fly under the radar? Johnson pointed to “two vulnerabilities in Google’s [infrastructure] that they have declined to fix.”

He wrote that the legacy sites.google.com product dates back to “before Google got serious about security,” and allows anyone to host content on a google.com subdomain, including nefarious embeds and scripts such as the above.

“Obviously, this makes building a credential harvesting site trivial; they simply have to be prepared to upload new versions as old ones get taken down by Google’s abuse team,” Johnson said.

Fortunately, there are a few ways to suss out this masquerade.

For one, while the header is signed by accounts.google.com, the message was sent via privateemail.com and addressed to “me@blah,” the cybersecurity maven wrote.

Also suspect, per Johnson, is that there is “a lot of whitespace” below the phishing message “followed by ‘Google Legal Support was granted access to your Google Account’ and the odd me@… email address again.”
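The tells Johnson lists (a genuine Google DKIM signature, a relay through a non-Google mail host, an odd “me@…” recipient, and a link into Google Sites) can be turned into mechanical checks a mail gateway or a cautious user could run. The script below is an added example written for this page; it is not the article’s or Johnson’s code, and the headers it parses are a constructed sample modelled on the indicators he described, with documentation IP ranges and placeholder DKIM and Sites values rather than anything from the real message.

```python
"""Heuristic checks for the spoofing indicators described above (added example)."""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed sample, modelled on the indicators quoted in the article. It is not
# the real message: IPs are documentation ranges, DKIM values and the Sites path
# are placeholders.
SAMPLE_RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=placeholder;
 h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=
Received: from mail.privateemail.com (mail.privateemail.com [203.0.113.10])
 by mx.example.net with ESMTPS; Tue, 15 Apr 2025 10:00:00 +0000
Received: from accounts.google.com (accounts.google.com [192.0.2.5])
 by mail.privateemail.com; Tue, 15 Apr 2025 09:59:00 +0000
From: Google <no-reply@accounts.google.com>
To: me@blah
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Google Legal Support was granted access to your Google Account me@blah.
Review the case at https://sites.google.com/view/PLACEHOLDER-case
"""

TRUSTED_ORG = "google.com"  # the organisation the message claims to come from


def _in_org(host: str, org: str = TRUSTED_ORG) -> bool:
    """True if host is org itself or a subdomain of it."""
    host = host.lower()
    return host == org or host.endswith("." + org)


def received_hosts(msg) -> list[str]:
    """Hostnames claimed in each Received: hop, newest hop first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"from\s+([\w.-]+)", str(hdr).strip())
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def spoof_indicators(raw: str, expected_recipient: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. A DKIM d= matching From: is necessary but not sufficient. In the case
    #    reported above the signature was genuine, so this check alone passes.
    from_dom = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    m = re.search(r"(?:^|;)\s*d=([\w.-]+)", str(msg.get("DKIM-Signature", "")))
    if m and m.group(1).lower() != from_dom:
        findings.append(("dkim-from-mismatch", f"d={m.group(1)} vs From {from_dom}"))

    # 2. Relay hops outside the claimed organisation (privateemail.com here).
    for host in received_hosts(msg):
        if not _in_org(host):
            findings.append(("untrusted-relay", host))

    # 3. To: should be the mailbox owner, not an odd "me@..." address.
    for _, addr in getaddresses([str(msg.get("To", ""))]):
        if addr.lower() != expected_recipient.lower():
            findings.append(("recipient-mismatch", addr))

    # 4. Links into Google Sites point at user-hosted content on a google.com
    #    subdomain, which is what made the fake "support portal" look legitimate.
    body = msg.get_content() if not msg.is_multipart() else ""
    for host in re.findall(r"https?://([\w.-]+)", body):
        if _in_org(host, "sites.google.com"):
            findings.append(("user-hosted-google-sites", host))

    return findings


if __name__ == "__main__":
    # "alice@example.com" stands in for the real mailbox owner (constructed).
    for code, detail in spoof_indicators(SAMPLE_RAW, "alice@example.com"):
        print(f"{code}: {detail}")
```

Run against the sample with the mailbox owner’s own address, the DKIM check stays quiet (the signature really is Google’s), while the non-Google relay, the “me@blah” recipient and the Sites link are each reported; that combination is the pattern worth alerting on, since any one of them alone has benign explanations.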

In light of the incident, Johnson is calling on Google to disable scripts and arbitrary embeds in Sites to make Gmail less susceptible to phishing.

The Post has contacted Google for comment.
