Google vulnerability enables convincing phishing attack targeting crypto users

Source Cryptopolitan

Ethereum Name Service (ENS) lead developer Nick Johnson has alerted crypto users to a new form of phishing scam involving Google infrastructure. In a post on X, Johnson explained how scammers exploit a vulnerability in Google infrastructure.

According to Johnson, scammers can send valid mail informing users that a subpoena has been served on Google to surrender information to their Google account. This security alert, which looks completely real, asks the user to protest the subpoena or examine the case materials.

Google Vulnerability
Fake phishing email that appears to be from Google (Source: Nick Johnson)

He said:

“The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com. It passes the DKIM signature check, and GMail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.”

Once users click on the link in the email, they have to sign the purported support page. However, the support portal has sites.google.com as its URL, a ploy to deceive users into thinking it is genuine. According to Johnson, this fake support page is likely a phishing site where scammers harvest users’ login credentials.

The ENS developer noted that the vulnerability will likely remain, especially since Google has refused to act on it. Therefore, it is important for users to be aware and protect themselves.

Scammers exploiting Google Sites to create fake support pages

Meanwhile, Johnson explained how bad actors created fake Google Support pages that looked real. According to him, sites.google.com is a legacy product from the tech giant that allows users to host their content on the Google.com subdomain.

He noted that the product allows scrips and embeds, which is how scammers are able to build credential harvesting sites on the Google subdomain and upload new ones whenever the Google team removes the older versions.

Johnson said:

“Google long ago realised that hosting public, user-specified content on google.com is a bad idea, but Google Sites has stuck around.”

However, he noted that the only solution to this problem is for Google to disable scrips and arbitrary embeds for its Google Sites, as this makes the product a powerful phishing tool for scammers.

Bug report to Google

Interestingly, the scammers are generating the fake security alert email by exploiting a bug in Gmail. In his analysis of the email, Johnson pointed to clues such as the email header showing it was sent by “privateemail.com”, the recipient being ‘me@blah,’ and the white space below the phishing message.

According to him, the scammers did this by creating a Google account for Me@domain. After that, they created a Google OAuth application using the text in the phishing email, whitespace, and “Google Legal Support” as the application name.

Once they had done this, they granted the OAuth app access to their ‘me@…’ Google account, allowing them to generate the Security Alert Message from Google to the me@email. They forwarded this security alert to all potential targets.

Since Google generated the original security alert email, it was signed with a valid DKIM key, bypassed all the security checks, and appeared as a legitimate message in the user’s inbox.

However, Johnson said he submitted a report about the bug to Google but the tech giant has decided not to address it. Instead, the Google security team closed the report, noting that the feature is “Working as Intended,” which means they did not consider it a bug.

Meanwhile, the report of phishing scammers exploiting Google vulnerabilities to steal users’ information highlights multiple threats facing crypto users. Only few days ago, security experts claimed that hackers are using InfoStealers malware to steal users credentials from Browsers.

Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now

Disclaimer: For information purposes only. Past performance is not indicative of future results.
placeholder
Short interest in SpaceX jumps to 13% from 8% in one sessionOrtex Technologies, an analytics business, reports that short sellers are increasing their bets that Elon Musk’s SpaceX would continue to decrease after the company’s share price dropped from the highs it attained soon after going public on June 12. The sale took place during a challenging period for the market as a whole. The Nasdaq...
Author  Cryptopolitan
Jun 25, Thu
Ortex Technologies, an analytics business, reports that short sellers are increasing their bets that Elon Musk’s SpaceX would continue to decrease after the company’s share price dropped from the highs it attained soon after going public on June 12. The sale took place during a challenging period for the market as a whole. The Nasdaq...
placeholder
XRP Price Prediction for July 2026: Can Buyers Finally Break the Downtrend?XRP (XRP) price trades near $1.05, caught between a year-long downtrend and a sudden burst of buying.July has historically rewarded XRP holders. This year the month arrives with on-chain accumulation
Author  Beincrypto
Jun 30, Tue
XRP (XRP) price trades near $1.05, caught between a year-long downtrend and a sudden burst of buying.July has historically rewarded XRP holders. This year the month arrives with on-chain accumulation
placeholder
KOSPI Drops Below 8,000, Triggers Yet Another 2026 Trading HaltThe KOSPI sank below 8,000 on July 2. The drop pushed the Korea Exchange (KRX) to activate a sell-side sidecar within minutes of the opening bell.The Korea Exchange suspended program trading on KOSPI-
Author  Beincrypto
5 hours ago
The KOSPI sank below 8,000 on July 2. The drop pushed the Korea Exchange (KRX) to activate a sell-side sidecar within minutes of the opening bell.The Korea Exchange suspended program trading on KOSPI-
placeholder
Elon Musk Sends SpaceX Shares Lower With Two-Word AI Device DenialElon Musk dismissed a Wall Street Journal report that SpaceX built a prototype AI device, calling it “utterly false”. SpaceX stock (SPCX) fell about 7% on Wednesday as investors weighed the conflictin
Author  Beincrypto
5 hours ago
Elon Musk dismissed a Wall Street Journal report that SpaceX built a prototype AI device, calling it “utterly false”. SpaceX stock (SPCX) fell about 7% on Wednesday as investors weighed the conflictin
placeholder
Nike Stock Hits a 12-Year Low as an Earnings Loophole Masks Weak SalesNike (NKE) stock slid about 1% on Wednesday, briefly trading at $40, its lowest level in about 12 years. The fall came despite an earnings beat, because most of the profit came from a one-time tariff
Author  Beincrypto
4 hours ago
Nike (NKE) stock slid about 1% on Wednesday, briefly trading at $40, its lowest level in about 12 years. The fall came despite an earnings beat, because most of the profit came from a one-time tariff
goTop
quote