Attackers are sending phishing emails that appear to be from “[email protected],” presented as an urgent subpoena alert about “law enforcement” seeking information from the target’s Google Account. Bleeping Computer reports that the scam utilizes Google’s “Sites” web-building app to create realistic-looking phishing websites and emails that aim to intimidate victims into giving up their credentials.
As explained by EasyDMARC, an email authentication company, the emails manage to bypass the DomainKeys Identified Mail (DKIM) authentication that would normally flag fake emails, because they came from Google’s own tool. The scammers simply entered the full text of the email as the name of their fake app, which autofills that text into an email sent by Google to their own chosen address.
When forwarded from the scammer to a user’s Gmail inbox, it remains signed and valid since DKIM only checks the message and headers. PayPal users were similarly targeted using the DKIM relay attack last month. Finally, it links to a real-looking support portal on sites.google.com instead of accounts.google.com, hoping the recipient won’t catch on.
Etherem Name Service developer Nick Johnson received the same Google phishing scam and reported the attackers’ misuse of Google OAuth applications as a security bug to Google. The company initially brushed it off as “working as intended,” but then backtracked and is now working on a fix.
