Watch Out for This Sophisticated Phishing Email That Looks Like It's From Google

Google says it's rolling out a fix but here's what you should do now to protect yourself.

 & Jibin Joseph Contributor

(Credit: Fabian Sommer/picture alliance via Getty Images)

Phishing emails are becoming increasingly difficult to differentiate from legitimate ones, as highlighted by developer Nick Johnson, who says he was "targeted by an extremely sophisticated phishing attack [that] exploits a vulnerability in Google's infrastructure."

The email he received came from no-reply@accounts.google.com, which "passes the DKIM [DomainKeys Identified Mail] signature check," he notes. Gmail did not display any warning, and "even puts it in the same conversation as other, legitimate security alerts."

The email warned Johnson that Google had received a subpoena to produce a copy of his Google account. Clicking on a link inside the email "takes you to a very convincing 'support portal' page" hosted on sites.google.com. This tactic is "clever," Johnson says, because "people will see the domain is http://google.com and assume it's legit."

Clicking "Upload additional documents" or "View case" takes you to a sign-in page; if you enter your details, the scammers will "presumably...harvest your login credentials and use them to compromise your account," he says.

How did the hackers spoof a valid email? Johnson blames "two vulnerabilities in Google's [infrastructure] that they have declined to fix." First, the legacy sites.google.com product dates back to "before Google got serious about security." People can host content on a google.com subdomain, "and crucially, it supports arbitrary scripts and embeds," he says.

"Obviously, this makes building a credential harvesting site trivial; they simply have to be prepared to upload new versions as old ones get taken down by Google's abuse team," Johnson says. "It helps the attackers that there's no way to report abuse from the Sites interface, too." He's calling on Google to disable scripts and arbitrary embeds in Sites as it's "too powerful a phishing vector."
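Johnson's point about sites.google.com, that a google.com subdomain inherits trust it has not earned, is something mail filtering can act on. The Python below is an added example, not code from the article or from Google: it parses a constructed message whose DKIM result passes for accounts.google.com and flags any link that lands on a host where third parties can publish pages; the host list and the sample message are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: hosts under a trusted brand's domain on which anyone can publish pages.
USER_CONTENT_HOSTS = {"sites.google.com"}
URL_RE = re.compile(r'https?://[^\s<>"\']+')

# Constructed sample, modelled on the lure the article describes: DKIM passes for
# accounts.google.com, but the "support portal" link lands on sites.google.com.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net; dkim=pass header.i=@accounts.google.com
From: Google <no-reply@accounts.google.com>
To: victim@example.net
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Google LLC has been served a subpoena requesting a copy of your account.
Review the case: https://sites.google.com/view/PLACEHOLDER-CASE/support
"""

def dkim_passed(msg):
    """True if an Authentication-Results header reports dkim=pass."""
    return any("dkim=pass" in h.lower()
               for h in msg.get_all("Authentication-Results", []))

def body_urls(msg):
    """Collect http(s) URLs from every text part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", errors="replace")
        urls.extend(URL_RE.findall(text))
    return urls

def assess(raw_email):
    """Report links on user-publishable hosts even when the sender authenticates.

    A DKIM pass only shows the message left the signing domain unaltered; it says
    nothing about where the links go, so a brand subdomain that hosts third-party
    pages gets the same scrutiny as an unknown site.
    """
    msg = message_from_string(raw_email)
    flagged = sorted({u for u in body_urls(msg)
                      if (urlparse(u).hostname or "").lower() in USER_CONTENT_HOSTS})
    return {"dkim_pass": dkim_passed(msg),
            "user_content_links": flagged,
            "verdict": "review" if flagged else "clear"}

if __name__ == "__main__":
    print(assess(SAMPLE_EMAIL))
```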

The email itself, meanwhile, which takes advantage of Google OAuth and Google's practice of using "me" when referring to your own emails, is "much more sophisticated, and in my opinion much more obviously a security issue on Google's part," he says.

Johnson says he reported the issue to Google, which initially told him it wasn't a bug. Google later acknowledged the issue and promised to roll out a fix.

"We're aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week," a Google spokesperson tells Newsweek. "These protections will soon be fully deployed, which will shut down this avenue for abuse."

Until the fix arrives, Google recommends adopting multi-factor authentication and passkeys for stronger protection against phishing attacks.

And stay alert, because anyone can be duped. This Gmail scam comes after a hacker managed to phish Troy Hunt, the creator of HaveIBeenPwned.com, tricking the security expert into clicking a link in a malicious email while he was jetlagged.

If you did fall for this or any other Gmail scam, Google tells Forbes that people have seven days to try to recover their accounts. Provided you had a recovery phone number and email attached to the account, you may be able to send sign-in codes to those accounts for up to a week, even if a scammer has changed them, Google says.

About Our Expert

Jibin Joseph

Contributor

Jibin is a tech news writer based out of Ahmedabad, India. Previously, he served as the editor of iGeeksBlog and is a self-proclaimed tech enthusiast who loves breaking down complex information for a broader audience.