In what has been described as an “extremely sophisticated phishing attack,” threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google’s infrastructure and redirect message recipients to fraudulent sites that harvest their credentials.
“The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com,” Nick Johnson, the lead developer of the Ethereum Name Service (ENS), said in a series of posts on X.
“It passes the DKIM signature check, and Gmail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.”
The email message informs prospective targets of a subpoena from a law enforcement authority asking for unspecified content present in their Google Account and urges them to click on a sites.google[.]com URL in order to “examine the case materials or take measures to submit a protest.”
The Google Sites URL displays a lookalike page that impersonates the legitimate Google Support page, and includes buttons to “upload additional documents” or “view case.” Clicking on either of the options takes the victim to a replica Google Account sign-in page, the only difference being that it is hosted on Google Sites.
“sites.google.com is a legacy product from before Google got serious about security; it allows users to host content on a google.com subdomain, and crucially it supports arbitrary scripts and embeds,” Johnson said.
“Obviously this makes building a credential harvesting site trivial; they simply have to be prepared to upload new versions as old ones get taken down by Google’s abuse team. It helps the attackers that there is no way to report abuse from the Sites interface, too.”
A clever aspect of the attack is the fact that the email message has the “Signed by” header set to “accounts.google[.]com” despite it having a “Mailed by” header with a completely unrelated domain (“fwd-04-1.fwd.privateemail[.]com”).
The malicious activity has been characterized as a DKIM replay attack, where the attacker first creates a Google Account for a newly created domain (“me@
“Now they grant their OAuth app access to their ‘me@…’ Google account,” Johnson said. “This generates a ‘Security Alert’ message from Google, sent to their ‘me@…’ email address. Since Google generated the email, it is signed with a valid DKIM key and passes all the checks.”
The attacker then proceeds to forward the same message from an Outlook account, keeping the DKIM signature intact, and causing the message to bypass email security filters, according to EasyDMARC. The message is subsequently relayed through a custom Simple Mail Transfer Protocol (SMTP) service called Jellyfish and received by Namecheap’s PrivateEmail infrastructure that facilitates mail forwarding to the targeted Gmail account.
“At this point, the email reaches the victim’s inbox looking like a valid message from Google, and all authentication checks show as passing SPF, DKIM, and DMARC,” EasyDMARC CEO Gerasim Hovhannisyan said.
“Because they named their Google account ‘me@’, Gmail shows the message was sent to ‘me’ at the top, which is the shorthand it uses when a message is addressed to your email address – avoiding another indication that might send up red flags,” Johnson pointed out.
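The replay chain described above leaves traces in the message headers that a mail gateway or an analyst can check even though SPF, DKIM and DMARC all pass. The following is an added example, not code from the article, from Google or from EasyDMARC: it reads a raw message with Python's standard library and flags the three indicators the article mentions, namely a DKIM signing domain unrelated to the relay that handed the mail over ("Signed by" vs "Mailed by"), a To: header that is not the mailbox the message was actually delivered to (the "me@" trick), and a Received: chain showing the message left the signer's infrastructure and came back through outside relays. All header values are constructed samples; the `.example` hosts and the 192.0.2.x, 203.0.113.x and 198.51.100.x addresses are documentation placeholders, and the organisational-domain helper is a deliberate simplification that does not use a public-suffix list.

```python
"""Heuristics for spotting a replayed DKIM-signed message (defender side).

Added example; header values below are constructed, not captured traffic.
"""
import email
import re
from email.utils import parseaddr


def dkim_tags(signature: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in signature.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def org_domain(host: str) -> str:
    """Organisational domain approximated as the last two labels.
    Assumption: no public-suffix list, so co.uk-style suffixes are not handled."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def aligned(a: str, b: str) -> bool:
    """DMARC-style relaxed alignment: same organisational domain."""
    return bool(a and b) and org_domain(a) == org_domain(b)


def domain_of(address: str) -> str:
    """Domain part of an RFC 5322 address, lower-cased ('' if absent)."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()


def received_host(received: str) -> str:
    """Host named in the 'from' clause of a Received: header."""
    match = re.match(r"\s*from\s+(\S+)", received.replace("\n", " "), re.I)
    return match.group(1).lower().strip("()[]") if match else ""


def analyze(raw: str) -> list:
    """Return the replay indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    signer = dkim_tags(msg.get("DKIM-Signature", "")).get("d", "").lower()
    # Received: headers are prepended, so index 0 is the relay that delivered to us.
    hops = [received_host(r) for r in msg.get_all("Received", [])]
    mailed_by = hops[0] if hops else ""
    return_path = domain_of(msg.get("Return-Path", ""))

    # "Signed by" domain unrelated to both the last relay and the envelope sender.
    if signer and not (aligned(signer, mailed_by) or aligned(signer, return_path)):
        findings.append("dkim-signer-vs-relay-mismatch")

    # The To: header names someone else's mailbox (the "me@" trick after forwarding).
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    delivered = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    if to_addr and delivered and to_addr != delivered:
        findings.append("to-header-vs-delivered-to-mismatch")

    # Hops newer than the signer's own hop that belong to other organisations.
    signer_hops = [i for i, h in enumerate(hops) if aligned(h, signer)]
    if signer_hops and any(not aligned(h, signer) for h in hops[: signer_hops[0]]):
        findings.append("left-signer-and-relayed-externally")
    return findings


# Constructed sample: a genuine Google alert forwarded through two outside relays.
REPLAYED = """\
Delivered-To: victim@example.com
Received: from fwd-04-1.fwd.privateemail.example (fwd-04-1.fwd.privateemail.example [203.0.113.10])
        by mx.example.com with ESMTPS; Mon, 21 Apr 2025 10:00:05 +0000
Received: from jellyfish-relay.attacker-domain.example ([198.51.100.7])
        by fwd-04-1.fwd.privateemail.example; Mon, 21 Apr 2025 10:00:03 +0000
Received: from mail-sor-f41.google.com ([192.0.2.41])
        by outlook-relay.example; Mon, 21 Apr 2025 09:59:58 +0000
Return-Path: <forwarder@attacker-domain.example>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
        s=20230601; h=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=
From: Google <no-reply@accounts.google.com>
To: me@attacker-domain.example
Subject: Security alert
Date: Mon, 21 Apr 2025 09:59:50 +0000

You granted access to your Google Account.
"""

# Constructed sample: the same alert delivered directly from Google to its recipient.
LEGIT = """\
Delivered-To: victim@example.com
Received: from mail-sor-f41.google.com ([192.0.2.41])
        by mx.example.com with ESMTPS; Mon, 21 Apr 2025 10:00:05 +0000
Return-Path: <3abc@accounts.google.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
        s=20230601; h=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=
From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert
Date: Mon, 21 Apr 2025 09:59:50 +0000

You granted access to your Google Account.
"""

if __name__ == "__main__":
    print("replayed:", analyze(REPLAYED))
    print("legit:   ", analyze(LEGIT))
```

None of these checks replaces DKIM verification; they are the extra questions to ask once verification has passed. The To: versus Delivered-To: comparison will also fire on legitimate mailing lists and on mail that the recipient forwards to themselves, so in a gateway it belongs in a scoring rule rather than a hard block.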
When reached for comment, Google told The Hacker News that it has rolled out fixes to stop the abuse pathway and emphasized that the company neither asks for account credentials, such as passwords or one-time passwords, nor directly calls users.
“We’re aware of this class of targeted attack from this threat actor, and have rolled out protections to shut down this avenue for abuse,” a Google spokesperson said. “In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”
The disclosure comes nearly 9 months after Guardio Labs revealed a now-patched misconfiguration in email security vendor Proofpoint’s defenses that threat actors exploited to send millions of messages spoofing various popular companies like Best Buy, IBM, Nike, and Walt Disney, and bypass authentication measures.
It also coincides with a surge in phishing campaigns that employ attachments in Scalable Vector Graphics (SVG) format to trigger the execution of HTML code that, in turn, redirects users to a rogue Microsoft login form or a fake web page masquerading as Google Voice to entice them into entering their credentials.
Russian cybersecurity company Kaspersky said it has observed over 4,100 phishing emails with SVG attachments since the start of 2025.
“Phishers are relentlessly exploring new techniques to circumvent detection,” Kaspersky said. “They vary their tactics, sometimes employing user redirection and text obfuscation, and other times, experimenting with different attachment formats. The SVG format provides the capability to embed HTML and JavaScript code within images, which is misused by attackers.”
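Because SVG is XML, the markup that turns an "image" into a web page is easy to enumerate at the mail gateway. The following is an added example, not code from the article or from Kaspersky: it builds a constructed MIME message with one SVG attachment, walks every part, picks out SVGs by MIME type or file extension, and reports script elements, foreignObject/iframe/embed/object containers, on* event-handler attributes, and href values that point at javascript: or an external web address. The lure text, the attachment and the login-portal.example host are all constructed placeholders.

```python
"""Scan mail attachments for SVG files that carry active content (defender side).

Added example; the message and SVG below are constructed fixtures.
"""
import email
import email.policy
from email.message import EmailMessage
import xml.etree.ElementTree as ET

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
RISKY_HREF_PREFIXES = ("javascript:", "http://", "https://", "data:text/html")


def local_name(qualified: str) -> str:
    """Strip the XML namespace from '{ns}tag' or '{ns}attr'."""
    return qualified.rpartition("}")[2].lower()


def scan_svg(data: bytes) -> list:
    """Return active-content findings for one SVG document, in document order."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable-svg"]
    findings = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # comments / processing instructions
            continue
        tag = local_name(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"active-content:{tag}")
        for attr, value in elem.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):
                findings.append(f"event-handler:{name}")
            elif name == "href" and value.strip().lower().startswith(RISKY_HREF_PREFIXES):
                findings.append(f"external-or-script-href:{tag}")
    return findings


def scan_message(raw: str) -> dict:
    """Map each SVG attachment's filename to its findings."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    report = {}
    for part in msg.walk():
        filename = part.get_filename() or ""
        if part.get_content_type() == "image/svg+xml" or filename.lower().endswith(".svg"):
            report[filename or "<unnamed>"] = scan_svg(part.get_payload(decode=True))
    return report


# Constructed fixture: a 1x1 "image" whose only purpose is to send the viewer elsewhere.
PHISH_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1" height="1">
  <foreignObject width="1" height="1">
    <div xmlns="http://www.w3.org/1999/xhtml">Loading secure document...</div>
  </foreignObject>
  <script>window.location = "https://login-portal.example/";</script>
  <a xlink:href="https://login-portal.example/"><text onclick="void 0">Open</text></a>
</svg>"""

# Constructed fixture: a plain vector drawing with nothing active in it.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'


def build_sample_message(svg: bytes, filename: str = "case-documents.svg") -> str:
    """Constructed lure: a short text body plus one SVG attachment, as raw RFC 5322 text."""
    msg = EmailMessage()
    msg["From"] = "Support <support@login-portal.example>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Case documents"
    msg.set_content("Please review the attached case documents.")
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    for name, hits in scan_message(build_sample_message(PHISH_SVG)).items():
        print(name, "->", hits or "clean")
```

The scanner treats any href to an external web address as a finding, which is deliberately strict: a static SVG has no reason to link out. `xml.etree` is used here for portability; when parsing untrusted attachments in production, parse with the defusedxml package instead, since the standard-library parser is not hardened against entity-expansion payloads.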