Google vulnerability enables convincing phishing attack targeting crypto users

Source: Cryptopolitan

Ethereum Name Service (ENS) lead developer Nick Johnson has alerted crypto users to a new form of phishing scam involving Google infrastructure. In a post on X, Johnson explained how scammers exploit a vulnerability in Google infrastructure.

According to Johnson, scammers can send a valid email informing users that a subpoena has been served on Google, requiring it to hand over information about their Google account. This security alert, which looks completely genuine, asks the user to contest the subpoena or examine the case materials.

Image: Fake phishing email that appears to be from Google (Source: Nick Johnson)

He said:

“The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com. It passes the DKIM signature check, and GMail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.”

Once users click the link in the email, they are asked to sign in on the purported support page. However, the support portal is hosted at a sites.google.com URL, a ploy to make it look genuine. According to Johnson, this fake support page is likely a phishing site where scammers harvest users’ login credentials.

The ENS developer noted that the vulnerability will likely remain, especially since Google has refused to act on it. Users therefore need to be aware of the scam and protect themselves.

Scammers exploiting Google Sites to create fake support pages

Meanwhile, Johnson explained how bad actors create fake Google Support pages that look real. According to him, sites.google.com is a legacy product from the tech giant that allows users to host their own content on a google.com subdomain.

He noted that the product allows scripts and embeds, which is how scammers are able to build credential-harvesting sites on the Google subdomain and upload new ones whenever the Google team removes the older versions.

Johnson said:

“Google long ago realised that hosting public, user-specified content on google.com is a bad idea, but Google Sites has stuck around.”

He added that the only real fix is for Google to disable scripts and arbitrary embeds in Google Sites, since these are what make the product such a powerful phishing tool for scammers.

Bug report to Google

Interestingly, the scammers generate the fake security alert email by exploiting a bug in Gmail. In his analysis of the email, Johnson pointed to clues such as the email headers showing it was relayed by “privateemail.com”, the recipient being “me@blah”, and the block of white space below the phishing message.

According to him, the scammers did this by creating a Google account for Me@domain. After that, they created a Google OAuth application using the text in the phishing email, whitespace, and “Google Legal Support” as the application name.

Once they had done this, they granted the OAuth app access to their “me@…” Google account, which caused Google itself to send a genuine security alert about that app to the “me@” address. They then forwarded this security alert to all potential targets.

Since Google generated the original security alert email, it was signed with a valid DKIM key, bypassed all the security checks, and appeared as a legitimate message in the user’s inbox.
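The clues Johnson lists (a valid google.com DKIM signature on mail that arrived through privateemail.com, a “me@” recipient that is not the reader’s own mailbox, and a link to sites.google.com) can be checked mechanically on the receiving side. The script below is an added example written for this article, not code from Johnson or from Google; it uses Python’s standard email parser over two constructed messages (all hosts, addresses, IPs and signature values are made up) and assumes the receiving mail server has already recorded its DKIM verdict in an Authentication-Results header.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the clues in the article: DKIM d=google.com
# verifies, yet the envelope sender and nearest relay are a third-party mail
# host, the To: header is a "me@" mailbox that is not ours, and the link points
# at sites.google.com. Every address, host, IP and signature value is made up.
PHISH_SAMPLE = """\
Return-Path: <bounce@privateemail.com>
Received: from mail.privateemail.com (mail.privateemail.com [203.0.113.10])
    by mx.example.com with ESMTPS; Wed, 16 Apr 2025 10:00:00 +0000
Received: from mail-sor.google.com (mail-sor.google.com [198.51.100.5])
    by mail.privateemail.com with ESMTPS; Wed, 16 Apr 2025 09:55:00 +0000
Authentication-Results: mx.example.com; dkim=pass header.d=google.com
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=example; h=from:to:subject; bh=AAAA=; b=BBBB=
From: Google <no-reply@google.com>
To: me@blah.example
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A subpoena was served on Google for your account data.
Review the case materials: https://sites.google.com/view/constructed-fake-support
"""

# Constructed benign alert: signed by Google, delivered straight from Google,
# addressed to our own mailbox, and linking to Google's account pages.
BENIGN_SAMPLE = """\
Return-Path: <bounces@accounts.google.com>
Received: from mail-sor.google.com (mail-sor.google.com [198.51.100.5])
    by mx.example.com with ESMTPS; Wed, 16 Apr 2025 10:00:00 +0000
Authentication-Results: mx.example.com; dkim=pass header.d=google.com
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=example; h=from:to:subject; bh=CCCC=; b=DDDD=
From: Google <no-reply@google.com>
To: victim@example.com
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A new sign-in was detected. Review it at https://accounts.google.com/
"""


def is_google_domain(domain: str) -> bool:
    """True for google.com and its subdomains, not look-alikes such as evilgoogle.com."""
    domain = domain.lower().rstrip(".")
    return domain == "google.com" or domain.endswith(".google.com")


def domain_of(addr: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", str(addr))
    return m.group(1).lower() if m else ""


def dkim_signing_domains(msg) -> list:
    """The d= tag of every DKIM-Signature header, i.e. who actually signed the mail."""
    out = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"\bd=([^;\s]+)", str(sig))
        if m:
            out.append(m.group(1).lower())
    return out


def nearest_relay(msg) -> str:
    """Host named in the topmost Received: header, the hop that handed the mail to us."""
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(hdr))
        if m:
            return m.group(1).lower()
    return ""


def recipients(msg) -> set:
    addrs = set()
    for hdr in msg.get_all("To", []) + msg.get_all("Cc", []):
        addrs.update(a.lower() for a in re.findall(r"[\w.+-]+@[\w.-]+", str(hdr)))
    return addrs


def link_hosts(msg) -> list:
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return [m.group(1).lower() for m in re.finditer(r"https?://([^/\s<>\"']+)", text)]


def analyze(raw: str, mailbox: str) -> dict:
    """Return the indicators found in one raw message; `mailbox` is the address it landed in."""
    msg = message_from_string(raw, policy=default)
    reasons = []
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    google_signed = "dkim=pass" in auth and any(is_google_domain(d) for d in dkim_signing_domains(msg))
    # 1. A genuine Google signature that reached us through a non-Google envelope
    #    sender or relay is the footprint of a forwarded, Google-originated message.
    delivered_by_google = is_google_domain(domain_of(msg.get("Return-Path", ""))) and \
        is_google_domain(nearest_relay(msg))
    if google_signed and not delivered_by_google:
        reasons.append("relayed_via_third_party")
    # 2. A real alert about our account is addressed to our account, not to "me@...".
    if mailbox.lower() not in recipients(msg):
        reasons.append("recipient_mismatch")
    # 3. sites.google.com hosts user-supplied content; Google's own account pages do not live there.
    if any(host == "sites.google.com" for host in link_hosts(msg)):
        reasons.append("google_sites_link")
    return {"suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze(raw, "victim@example.com"))
```

None of the three checks disputes the signature itself: the DKIM verdict is correct, which is exactly why the message passes Gmail’s filters. What the script flags is the context around a valid signature, and a mail gateway or mailbox rule can quarantine on that combination even though each header is individually legitimate.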

However, Johnson said he submitted a report about the bug to Google but the tech giant has decided not to address it. Instead, the Google security team closed the report, noting that the feature is “Working as Intended,” which means they did not consider it a bug.

Meanwhile, this report of phishing scammers exploiting Google vulnerabilities to steal users’ information highlights the multiple threats facing crypto users. Only a few days ago, security experts reported that hackers are using infostealer malware to steal users’ credentials from browsers.
