Google vulnerability enables convincing phishing attack targeting crypto users

Source Cryptopolitan

Ethereum Name Service (ENS) lead developer Nick Johnson has alerted crypto users to a new form of phishing scam involving Google infrastructure. In a post on X, Johnson explained how scammers exploit a vulnerability in Google infrastructure.

According to Johnson, scammers can send valid mail informing users that a subpoena has been served on Google to surrender information to their Google account. This security alert, which looks completely real, asks the user to protest the subpoena or examine the case materials.

Google Vulnerability
Fake phishing email that appears to be from Google (Source: Nick Johnson)

He said:

“The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com. It passes the DKIM signature check, and GMail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.”

Once users click on the link in the email, they have to sign the purported support page. However, the support portal has sites.google.com as its URL, a ploy to deceive users into thinking it is genuine. According to Johnson, this fake support page is likely a phishing site where scammers harvest users’ login credentials.

The ENS developer noted that the vulnerability will likely remain, especially since Google has refused to act on it. Therefore, it is important for users to be aware and protect themselves.

Scammers exploiting Google Sites to create fake support pages

Meanwhile, Johnson explained how bad actors created fake Google Support pages that looked real. According to him, sites.google.com is a legacy product from the tech giant that allows users to host their content on the Google.com subdomain.

He noted that the product allows scrips and embeds, which is how scammers are able to build credential harvesting sites on the Google subdomain and upload new ones whenever the Google team removes the older versions.

Johnson said:

“Google long ago realised that hosting public, user-specified content on google.com is a bad idea, but Google Sites has stuck around.”

However, he noted that the only solution to this problem is for Google to disable scrips and arbitrary embeds for its Google Sites, as this makes the product a powerful phishing tool for scammers.

Bug report to Google

Interestingly, the scammers are generating the fake security alert email by exploiting a bug in Gmail. In his analysis of the email, Johnson pointed to clues such as the email header showing it was sent by “privateemail.com”, the recipient being ‘me@blah,’ and the white space below the phishing message.

According to him, the scammers did this by creating a Google account for Me@domain. After that, they created a Google OAuth application using the text in the phishing email, whitespace, and “Google Legal Support” as the application name.

Once they had done this, they granted the OAuth app access to their ‘me@…’ Google account, allowing them to generate the Security Alert Message from Google to the me@email. They forwarded this security alert to all potential targets.

Since Google generated the original security alert email, it was signed with a valid DKIM key, bypassed all the security checks, and appeared as a legitimate message in the user’s inbox.

However, Johnson said he submitted a report about the bug to Google but the tech giant has decided not to address it. Instead, the Google security team closed the report, noting that the feature is “Working as Intended,” which means they did not consider it a bug.

Meanwhile, the report of phishing scammers exploiting Google vulnerabilities to steal users’ information highlights multiple threats facing crypto users. Only few days ago, security experts claimed that hackers are using InfoStealers malware to steal users credentials from Browsers.

Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now

Disclaimer: For information purposes only. Past performance is not indicative of future results.
placeholder
Altcoins have the longest depression streak since 2022Altcoins are trading in one of the longest underperformance periods since 2020, similar to the 2022 bear market. 84% of altcoins are trading below their 200-day moving average.
Author  Cryptopolitan
21 hours ago
Altcoins are trading in one of the longest underperformance periods since 2020, similar to the 2022 bear market. 84% of altcoins are trading below their 200-day moving average.
placeholder
XRP Demand Builds On-Chain Even as Price Sinks to 19-Month LowXRP (XRP) is holding above the $1.00 support zone amid a broader downturn. Yet, on-chain activity is rising. New wallet, whale, and exchange-traded fund (ETF) activity suggest users are stepping in wh
Author  Beincrypto
21 hours ago
XRP (XRP) is holding above the $1.00 support zone amid a broader downturn. Yet, on-chain activity is rising. New wallet, whale, and exchange-traded fund (ETF) activity suggest users are stepping in wh
placeholder
What to Expect From Ethereum (ETH) in July 2026Ethereum (ETH) enters July 2026 trading near $1,570, close to multi-month lows, after recording its first run of three consecutive red quarterly candles in its history.On-chain data and price charts n
Author  Beincrypto
21 hours ago
Ethereum (ETH) enters July 2026 trading near $1,570, close to multi-month lows, after recording its first run of three consecutive red quarterly candles in its history.On-chain data and price charts n
placeholder
After China, OpenAI Chips Away at Nvidia: So Why is NVDA Stock Up?China just built a major AI model without Nvidia chips. Now OpenAI has found ways to run on far fewer of them, cutting inference costs by more than half. Even so, Nvidia stock rose.That is the puzzle.
Author  Beincrypto
21 hours ago
China just built a major AI model without Nvidia chips. Now OpenAI has found ways to run on far fewer of them, cutting inference costs by more than half. Even so, Nvidia stock rose.That is the puzzle.
placeholder
Honeywell Aerospace Stock Stumbles After Nasdaq DebutHoneywell Aerospace (HONA) has made a weak and volatile start on the Nasdaq, trailing the wider aerospace and defense sector despite a strong standalone business case.The stock began trading on June 2
Author  Beincrypto
21 hours ago
Honeywell Aerospace (HONA) has made a weak and volatile start on the Nasdaq, trailing the wider aerospace and defense sector despite a strong standalone business case.The stock began trading on June 2
goTop
quote