Phishers abuse Google OAuth to spoof Google in DKIM replay attack

Gandalf_The_Grey

In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed to be delivered from Google’s systems, passing all verifications but pointing to a fraudulent page that collected logins.

The attacker leveraged Google’s infrastructure to trick recipients into accessing a legitimate-looking “support portal” that asks for Google account credentials.

The fraudulent message appeared to come from “no-reply@google.com” and passed the DomainKeys Identified Mail (DKIM) authentication method, but the real sender was different.
Nick Johnson, the lead developer of the Ethereum Name Service (ENS), received a security alert that seemed to be from Google, informing him of a subpoena from a law enforcement authority asking for his Google Account content.

Almost everything looked legitimate and Google even placed it with other legitimate security alerts, which would likely trick less technical users that don’t know where to look for the signs of fraud.

However, Johnson’s keen eye spotted that the fake support portal in the email was hosted on sites.google.com - Google’s free web-building platform, which raised suspicion.
A similar trick has been tried on platforms other than Google. In March, a campaign targeting PayPal users relied on the same method, where fraudulent messages originated from the financial company’s mail servers and passed DKIM security checks.
 

Wrecker4923

I think he raised these issues:
  1. The expanded "to" is weird. (It's not your email address.)
  2. The "mailed by" is not from Google. (This would be more evident if compared to the security email from Google that you keep.)
  3. sites.google.com is untypical of Google's notifications.
Some people think that just the content alone should have been obvious. I personally don't think so; I am unfamiliar with many Google/legal processes. Using a chatbot may help (or at least slow you down a bit). Bitdefender's Scamio definitively flags this as a scam based on the email contents alone:
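
The three signs Wrecker4923 lists can be checked against the raw message headers rather than the mail client's rendering. This is an added example, not part of the thread; the two sample messages, their addresses and the recipient address are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers imitating the replayed alert: DKIM passes for google.com, but the
# envelope sender ("mailed by") and To: belong to another mailbox, and the body links to Google Sites.
SAMPLE_REPLAYED = """\
Return-Path: <me@fwd-mailbox.example.com>
Authentication-Results: mx.example.org; dkim=pass header.d=google.com header.i=@google.com
From: Google <no-reply@google.com>
To: me@fwd-mailbox.example.com

A subpoena was served on your account. Review the case at https://sites.google.com/view/example-case
"""

# Constructed headers shaped like a genuine alert, for comparison.
SAMPLE_LEGIT = """\
Return-Path: <3abc@scoutcamp.bounces.google.com>
Authentication-Results: mx.example.org; dkim=pass header.d=google.com header.i=@google.com
From: Google <no-reply@accounts.google.com>
To: nick@example.net

A new sign-in was detected. Review it at https://myaccount.google.com/notifications
"""

def dkim_pass_domain(msg):
    """Return the d= domain of a passing DKIM result from Authentication-Results, or None."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", hdr)
        if m:
            return m.group(1).lower()
    return None

def replay_indicators(raw, recipient):
    """Flag the three signs listed in the thread for a message that `recipient` received."""
    msg = message_from_string(raw)
    signer = dkim_pass_domain(msg)
    ret_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    to_addrs = [parseaddr(a)[1].lower() for a in msg.get("To", "").split(",")]
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    flags = []
    if signer and ret_dom and not ret_dom.endswith(signer):
        flags.append("mailed by %s, not the DKIM signer %s" % (ret_dom, signer))
    if recipient.lower() not in to_addrs:
        flags.append("To: header does not name the recipient")
    if re.search(r"https?://sites\.google\.com/", body):
        flags.append("link points to sites.google.com")
    return flags
```

A DKIM pass on its own only proves the signed headers and body are unchanged since Google signed them; the envelope sender and the To: header are where a replayed message gives itself away.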

 
