- Scammers abuse Google notification system to bypass email protection
- Thanks to OAuth applications, they are able to generate convincing phishing emails
- The campaign also uses sites.google.com
Researchers have uncovered a sophisticated, well-developed phishing scheme that abuses Google services to trick people into handing over their credentials for the platform.
Nick Johnson, lead developer of the Ethereum Name Service, recently received an email that appeared to come from [email protected]. The email claimed that the police had subpoenaed Google for content found in his Google account.
He said the email looked legitimate and that it was very hard to tell it was actually fake. He believes less technical users could easily fall for it.
DKIM-signed
Apparently, the crooks first create a Google account for me@domain. They then create a Google OAuth application and put the full phishing message (about the fake subpoena) in its name field.
Next, they grant that application access to their Google Workspace email address.
Google then sends a security notification email to the me@domain account, but because the phishing message sits in the application's name field, it fills the whole screen.
Scrolling down the email would reveal clear signs that something was wrong, because at the bottom one could read that access had been granted to the me@domain email address.
The last step is to forward the email to the victim. "Since Google has generated the email, it is signed with a valid DKIM key and passes all the checks," said Johnson, explaining how the emails landed in people's inboxes rather than in spam.
The attack is called a "DKIM replay phishing attack" because it relies on the fact that, in Google's systems, DKIM only validates the message body and headers, not the envelope. Because the crooks first registered the me@domain address, Gmail displays the message as if it had been delivered to the victim's own address.
To hide their intentions even further, the crooks used sites.google.com to build the credential-harvesting landing page. This is Google's free website-building platform, and it should always raise red flags when spotted.
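The following is an added example, not code from the article or from Google, showing the kind of mailbox-side check a defender could run against a forwarded notification of this type. It assumes the receiving pipeline records the real mailbox in a Delivered-To header, and all domains, addresses and messages in it are constructed placeholders. A replayed message keeps its genuine signature (signer domain aligns with From), so the useful signals are that the DKIM-signed To header names an address other than the mailbox that actually received it, and that the body links to a free hosting platform such as sites.google.com.

```python
"""Heuristic checks for a forwarded, DKIM-signed notification (added example).

Assumptions (not from the article): the mail pipeline writes the actual
mailbox into a Delivered-To header, and a message is judged on three signals:
  1. the DKIM signer domain (d=) aligns with the From: domain,
  2. the DKIM-signed To: header names the mailbox that actually received it,
  3. links in the body point at a free hosting platform such as sites.google.com.
A replayed message passes 1 (the signature is genuine) but fails 2 and, in
the campaign described, 3.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

FREE_HOSTING = {"sites.google.com"}

# Constructed sample: a genuine-looking notification whose signed To: header
# names the attacker-registered me@ address, forwarded to a victim mailbox.
REPLAYED_MESSAGE = "\n".join([
    "Delivered-To: victim@example.net",
    "DKIM-Signature: v=1; a=rsa-sha256; d=notifier.example; s=sel;",
    " h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER",
    "From: Notifications <no-reply@notifier.example>",
    "To: me@attacker-controlled.example",
    "Subject: Security alert",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Review the case at https://sites.google.com/view/placeholder-page",
])

# Constructed sample: a normal notification delivered to the address it names.
LEGIT_MESSAGE = "\n".join([
    "Delivered-To: victim@example.net",
    "DKIM-Signature: v=1; a=rsa-sha256; d=notifier.example; s=sel;",
    " h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER",
    "From: Notifications <no-reply@notifier.example>",
    "To: victim@example.net",
    "Subject: Security alert",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Review your account settings at https://account.notifier.example/",
])


def dkim_tags(msg: Message) -> dict:
    """Split the first DKIM-Signature header into its tag=value pairs."""
    tags = {}
    for part in msg.get("DKIM-Signature", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def header_addresses(msg: Message, name: str) -> set:
    """All lower-cased addresses found in a header such as To: or Delivered-To:."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(name, [])) if addr}


def body_hosts(msg: Message) -> set:
    """Hostnames of http(s) links in the text parts of the message."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r"https?://[^\s\"'<>]+", text):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host.lower())
    return hosts


def analyse(raw: str) -> dict:
    """Return the three signals for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    tags = dkim_tags(msg)
    signed_headers = {h.strip().lower() for h in tags.get("h", "").split(":")}
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    to_addrs = header_addresses(msg, "To")
    delivered = header_addresses(msg, "Delivered-To")
    return {
        "dkim_domain_aligned": bool(from_domain) and tags.get("d", "").lower() == from_domain,
        "to_header_signed": "to" in signed_headers,
        # A valid signature on a To: header that does not name this mailbox is
        # exactly what a replayed (forwarded) notification looks like.
        "recipient_mismatch": bool(delivered) and not (to_addrs & delivered),
        "free_hosting_links": sorted(body_hosts(msg) & FREE_HOSTING),
    }


def is_suspicious(raw: str) -> bool:
    """Flag a message that is mis-addressed or links to free hosting."""
    result = analyse(raw)
    return result["recipient_mismatch"] or bool(result["free_hosting_links"])


if __name__ == "__main__":
    for label, raw in (("replayed", REPLAYED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, analyse(raw), "suspicious" if is_suspicious(raw) else "ok")
```

Note that `dkim_domain_aligned` comes back true for both samples: the signature really is the signer's, which is the whole point of the replay, so alignment checks alone cannot catch this and the recipient comparison has to be done against the mailbox that actually received the message.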
Via BleepingComputer