Google vulnerability enables convincing phishing attack targeting crypto users

Source Cryptopolitan

Ethereum Name Service (ENS) lead developer Nick Johnson has alerted crypto users to a new form of phishing scam involving Google infrastructure. In a post on X, Johnson explained how scammers exploit a vulnerability in Google infrastructure.

According to Johnson, scammers can send valid mail informing users that a subpoena has been served on Google to surrender information to their Google account. This security alert, which looks completely real, asks the user to protest the subpoena or examine the case materials.

Google Vulnerability
Fake phishing email that appears to be from Google (Source: Nick Johnson)

He said:

“The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com. It passes the DKIM signature check, and GMail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.”

Once users click on the link in the email, they have to sign the purported support page. However, the support portal has sites.google.com as its URL, a ploy to deceive users into thinking it is genuine. According to Johnson, this fake support page is likely a phishing site where scammers harvest users’ login credentials.

The ENS developer noted that the vulnerability will likely remain, especially since Google has refused to act on it. Therefore, it is important for users to be aware and protect themselves.

Scammers exploiting Google Sites to create fake support pages

Meanwhile, Johnson explained how bad actors created fake Google Support pages that looked real. According to him, sites.google.com is a legacy product from the tech giant that allows users to host their content on the Google.com subdomain.

He noted that the product allows scrips and embeds, which is how scammers are able to build credential harvesting sites on the Google subdomain and upload new ones whenever the Google team removes the older versions.

Johnson said:

“Google long ago realised that hosting public, user-specified content on google.com is a bad idea, but Google Sites has stuck around.”

However, he noted that the only solution to this problem is for Google to disable scrips and arbitrary embeds for its Google Sites, as this makes the product a powerful phishing tool for scammers.

Bug report to Google

Interestingly, the scammers are generating the fake security alert email by exploiting a bug in Gmail. In his analysis of the email, Johnson pointed to clues such as the email header showing it was sent by “privateemail.com”, the recipient being ‘me@blah,’ and the white space below the phishing message.

According to him, the scammers did this by creating a Google account for Me@domain. After that, they created a Google OAuth application using the text in the phishing email, whitespace, and “Google Legal Support” as the application name.

Once they had done this, they granted the OAuth app access to their ‘me@…’ Google account, allowing them to generate the Security Alert Message from Google to the me@email. They forwarded this security alert to all potential targets.

Since Google generated the original security alert email, it was signed with a valid DKIM key, bypassed all the security checks, and appeared as a legitimate message in the user’s inbox.

However, Johnson said he submitted a report about the bug to Google but the tech giant has decided not to address it. Instead, the Google security team closed the report, noting that the feature is “Working as Intended,” which means they did not consider it a bug.

Meanwhile, the report of phishing scammers exploiting Google vulnerabilities to steal users’ information highlights multiple threats facing crypto users. Only few days ago, security experts claimed that hackers are using InfoStealers malware to steal users credentials from Browsers.

Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now

Disclaimer: For information purposes only. Past performance is not indicative of future results.
placeholder
Silver spikes up to $36.50 with markets turning cautiousSilver (XAG/USD) is extending its rebound from Monday’s lows at $35.40 to intra-day highs at $36.50.
Author  FXStreet
10 hours ago
Silver (XAG/USD) is extending its rebound from Monday’s lows at $35.40 to intra-day highs at $36.50.
placeholder
EUR/GBP keeps the red above mid-0.8500s after Eurozone inflation dataThe EUR/GBP cross retreats from the vicinity of the 0.8600 mark, or its highest level since April 23 touched earlier this Tuesday and sticks to modest intraday gains through the first half of the European session.
Author  FXStreet
10 hours ago
The EUR/GBP cross retreats from the vicinity of the 0.8600 mark, or its highest level since April 23 touched earlier this Tuesday and sticks to modest intraday gains through the first half of the European session.
placeholder
Dollar Endures Worst Half in Decades: What's Next for 2025?The dollar experienced its weakest first half in more than 50 years, hurt by geopolitical tensions and former President Donald Trump's trade policies.
Author  Insights
10 hours ago
The dollar experienced its weakest first half in more than 50 years, hurt by geopolitical tensions and former President Donald Trump's trade policies.
placeholder
XRP, ETH Traders Getting Greedy? Funding Rates Highest Among Top CoinsData shows XRP and Ethereum top the Funding Rate charts among the major cryptocurrencies, a sign of growing demand for long positions.
Author  Bitcoinist
10 hours ago
Data shows XRP and Ethereum top the Funding Rate charts among the major cryptocurrencies, a sign of growing demand for long positions.
placeholder
Bitcoin Price Forecast: BTC slips below $107,000 even as exchange reserves hit 6-year low Bitcoin (BTC) slips below $107,000 at the time of writing on Tuesday, continuing a mild pullback from the previous day.
Author  FXStreet
11 hours ago
Bitcoin (BTC) slips below $107,000 at the time of writing on Tuesday, continuing a mild pullback from the previous day.
goTop
quote