- Criminals are abusing Google's notification system to bypass email protections
- Through OAuth applications, they can generate convincing phishing emails
- The campaign also uses sites.google.com
Researchers have discovered a clever and elaborate phishing scheme that abuses Google's own services to trick people into handing over their credentials for the platform.
Nick Johnson, the lead developer of the Ethereum Name Service, recently received an email that appeared to come from [email protected]. The email claimed that law enforcement had served Google with a subpoena for the content of his Google account.
He said the email looked legitimate and that it was very hard to tell it was actually fake. He believes less technical users could easily fall for the trick.
DKIM signed
Apparently, the criminals first create a Google account for me@domain. They then create a Google OAuth application and put the entire phishing message (about the fake subpoena) in its name field.
Next, they grant that application access to the me@domain email address in their Google Workspace.
Google then sends a security notification email to the me@domain account, but because the phishing message sits in the application's name field, it fills the entire screen.
Scrolling to the bottom of the message would reveal clear signs that something was wrong, since the footer mentions the access granted to the email address me@domain.
The last step is to forward the email to the victim. "Since Google generated the email, it's signed with a valid DKIM key and passes all the checks," Johnson explained, which is how the emails land in people's inboxes rather than in spam.
The attack is called a "DKIM replay phishing attack", because it relies on the fact that in Google's systems DKIM only verifies the message body and headers, not the envelope. And because the crooks first registered the me@domain address, Google shows the message as if it had been delivered to your own email address.
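The mechanism described above leaves a header-level trace that a mail filter or an analyst can look for: the DKIM signature is genuine and aligned with the sender's domain, but the signed To: header names the attacker's registered mailbox rather than the mailbox the message was actually delivered to. The following triage script is an added example (not code from the article, from Johnson, or from Google); it assumes the DKIM signature itself has already been cryptographically verified by the receiving mail server, and every message, address and signature value in it is constructed as a placeholder.

```python
"""Header-consistency triage for forwarded, DKIM-valid notification emails.

Added example, not code from the original article. It looks for the
tell-tale pattern of a replayed notification: a DKIM signature aligned
with the From: domain, combined with a signed To: header that does not
match the Delivered-To: mailbox. Signature cryptography is assumed to have
been verified upstream; this code only reasons about header consistency.
"""
import email
import email.utils
import re
from email import policy

# Constructed sample of a replayed notification. me@attacker-controlled.example
# is a placeholder for the attacker's registered Google mailbox; the victim's
# real mailbox only appears in Delivered-To, added by the receiving server.
REPLAYED = """\
Delivered-To: victim@example.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=example;
 h=to:from:subject:date:message-id; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: no-reply@accounts.google.com
To: me@attacker-controlled.example
Subject: Security alert
Date: Mon, 14 Apr 2025 10:00:00 +0000
Message-ID: <constructed-1@mail.google.com>
Content-Type: text/plain; charset="utf-8"

(long OAuth application name carrying the phishing text would appear here)

You granted access to the email address me@attacker-controlled.example.
"""

# Constructed sample of the same kind of notification delivered normally.
LEGITIMATE = """\
Delivered-To: victim@example.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=example;
 h=to:from:subject:date:message-id; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: no-reply@accounts.google.com
To: victim@example.org
Subject: Security alert
Date: Mon, 14 Apr 2025 10:00:00 +0000
Message-ID: <constructed-2@mail.google.com>
Content-Type: text/plain; charset="utf-8"

You granted access to the email address victim@example.org.
"""

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def _domain(address: str) -> str:
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, addr = email.utils.parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def _dkim_tags(sig: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (folding tolerated)."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def triage(raw: str) -> dict:
    """Return findings about a single RFC 5322 message given as text."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    tags = _dkim_tags(msg.get("DKIM-Signature", ""))
    signed_headers = {h.lower() for h in tags.get("h", "").split(":") if h}

    from_domain = _domain(msg.get("From", ""))
    dkim_domain = tags.get("d", "").lower()
    # Relaxed alignment approximated as "From: domain equals d= or is a subdomain".
    aligned = bool(dkim_domain) and (
        from_domain == dkim_domain or from_domain.endswith("." + dkim_domain)
    )

    _, to_addr = email.utils.parseaddr(msg.get("To", ""))
    _, delivered = email.utils.parseaddr(msg.get("Delivered-To", ""))
    recipient_mismatch = bool(delivered) and to_addr.lower() != delivered.lower()

    # The footer of a genuine notification names the account that granted
    # access; flag any mailbox mentioned there that is not the real recipient.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    other_mailboxes = {
        a for a in ADDRESS_RE.findall(body) if a.lower() != delivered.lower()
    }

    return {
        "dkim_domain": dkim_domain,
        "from_domain": from_domain,
        "dkim_aligned": aligned,
        "to_header_signed": "to" in signed_headers,
        "recipient_mismatch": recipient_mismatch,
        "footer_names_other_mailbox": bool(other_mailboxes),
        # A valid, aligned signature on mail addressed to someone else is the
        # replay signature: the message is real, the recipient is not.
        "suspicious": aligned and recipient_mismatch,
    }


if __name__ == "__main__":
    for label, sample in (("replayed", REPLAYED), ("legitimate", LEGITIMATE)):
        print(label, triage(sample))
```

The point of checking `to_header_signed` is that when `to` appears in the signature's `h=` list the To: header cannot be rewritten without invalidating the signature, so a forwarded copy keeps naming the attacker's mailbox; a rule of the form "aligned DKIM pass and To: differs from Delivered-To:" therefore catches the replay without weakening trust in DKIM itself.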
To further hide their intentions, the criminals used sites.google.com to host the credential-harvesting landing page. This is Google's free website-building platform, and seeing it in a login flow should always raise red flags.
Via BleepingComputer