Scammers Masquerade as Google in Sophisticated Phishing Campaign

Vlad CONSTANTINESCU

April 22, 2025


Criminals are spoofing an official Google address to send highly convincing rogue emails in a cunning phishing scam.

New sophisticated phishing scam spotted

A novel phishing scam that leverages fake emails sent from a spoofed Google address has emerged. The malicious campaign is so carefully designed that security experts worry people may be tricked by the emails’ perceived legitimacy.

The attack involves threat actors sending rogue emails that appear to originate from an official Google address (i.e., no-reply[@]google[.]com). The email’s body includes a seemingly official subpoena requesting urgent information from the recipient’s Google account.

Signed, sealed, delivered by Google

The dangers associated with this new campaign stem from the scam’s sophistication. Threat actors devised a way to spoof Google’s address, bypass email security mechanisms, and make it appear as if the messages were signed and delivered by Google. And, in a sense, they were.

According to Nick Johnson, lead developer of the Ethereum Name Service (ENS), who was targeted by the scam, Gmail even grouped the fraudulent email together with genuine security alerts.

Reportedly, attackers employed a DKIM replay attack: they took a genuine, Google-generated email and resent it without altering the content covered by its DomainKeys Identified Mail (DKIM) signature. Because the signed headers and body arrived intact, the relayed email still passed DKIM verification and looked legitimate.
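The point of a DKIM replay is that a valid signature only proves the signed headers and body came from the signing domain at some point; it does not prove the message is fresh or was addressed to the person it was delivered to. The following is an added example, not code from the article or from Google: a small set of replay heuristics a receiving mail filter could apply on top of cryptographic DKIM verification (which is assumed to have already passed). The two messages, the `example.com` domain, the selector and the signature values are all constructed for illustration.

```python
"""
Added example: heuristics that flag a DKIM-signed message as a possible replay.
Assumes the signature itself already verified; these checks look only at what
DKIM does NOT protect: freshness and the intended recipient.
"""
import re
import time
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr
from typing import Optional

# Constructed clock value: 2025-04-22 10:00:00 UTC
FIXED_NOW = 1745316000
MAX_DATE_AGE_SECONDS = 7 * 24 * 3600  # how old a Date: header may be before we call it stale

# Constructed legitimate alert: signed To: matches the delivered recipient, has an x= expiry.
LEGIT_MSG = """\
From: Security Alerts <no-reply@example.com>
To: alice@example.com
Subject: Security alert
Date: Tue, 22 Apr 2025 09:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed;
 t=1745312400; x=1745917200; h=from:to:subject:date;
 bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE=

Your account settings were changed.
"""

# Constructed replayed alert: a week-old message, To: not covered by h=, no x= tag,
# and delivered to someone other than the address it names.
REPLAYED_MSG = """\
From: Security Alerts <no-reply@example.com>
To: original-recipient@elsewhere.example
Subject: Security alert
Date: Tue, 15 Apr 2025 09:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed;
 t=1744707600; h=from:subject:date;
 bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE=

Your account settings were changed.
"""


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value (RFC 6376 tag=value list) into a dict.
    Folding whitespace inside a value is not significant, so it is stripped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def replay_indicators(raw_message: str, envelope_rcpt: str,
                      now: Optional[float] = None) -> list:
    """Return the reasons (possibly none) this signed message looks replayed.
    envelope_rcpt is the SMTP RCPT TO address the message was delivered to."""
    now = time.time() if now is None else now
    msg = message_from_string(raw_message)
    reasons = []

    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header"]
    tags = parse_dkim_tags(sig)
    signed_headers = {h.lower() for h in tags.get("h", "").split(":") if h}

    # 1. Without an x= expiry, a captured signature stays valid indefinitely.
    if "x" not in tags:
        reasons.append("signature has no x= expiry tag")
    elif now > int(tags["x"]):
        reasons.append("signature expired")

    # 2. Headers outside h= are not protected and can be rewritten by a relay.
    for header in ("to", "date"):
        if header not in signed_headers:
            reasons.append(f"{header} header not covered by signature")

    # 3. The recipient named in the message should be the one we delivered to.
    _, header_to = parseaddr(msg.get("To", ""))
    if header_to.lower() != envelope_rcpt.lower():
        reasons.append(f"To <{header_to}> differs from envelope recipient <{envelope_rcpt}>")

    # 4. A security alert that is a week old at delivery time is suspicious on its own.
    date_value = msg.get("Date")
    if date_value:
        age = now - parsedate_to_datetime(date_value).timestamp()
        if age > MAX_DATE_AGE_SECONDS:
            reasons.append(f"Date header is {int(age)} seconds old")

    return reasons


if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT_MSG), ("replayed", REPLAYED_MSG)):
        print(label, "->", replay_indicators(raw, "alice@example.com", now=FIXED_NOW) or "no indicators")
```

None of these checks replaces signature verification; they narrow the gap it leaves. A sender can close most of that gap on its own side by signing the `To` and `Date` headers and setting a short `x=` expiry, so a captured message stops verifying soon after it was issued.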

Insights into the fraudulent email messages

The email’s body consisted of an urgent law enforcement subpoena asking for the recipient’s “Google Account content,” a reference number, and a Google Account ID number.

These elements, combined with the absence of sloppy grammar and the other immediate giveaways of a scam, heighten the risk this campaign poses, especially to the untrained eye.

Rogue emails had a minor giveaway

The email also included a “Google Support Case” section, where the threat actor appended a link. The link also seemed legitimate, as it was hosted on a Google domain.

Accessing the link would take the recipient to a fake support portal, allegedly a near-exact duplicate of the legitimate service.

However, the fact that the attacker used a sites[.]google[.]com link aroused suspicion: that hostname belongs to Google Sites, the company’s free website-building platform, and official Google notifications, least of all urgent ones, are not hosted there.

The fake support portal is believed to be a credential-harvesting phishing page, as it prompted visitors for a username and password.

Google’s response and mitigation

Upon discovering the malicious campaign, Johnson submitted a bug report to Google. The company initially responded that the process was functioning as intended and refused to take action.

Google then reevaluated its stance, acknowledging the OAuth flaw as a user risk and taking steps to address the vulnerability.

Keeping safe against phishing scams and other intrusions

Specialized software like Bitdefender Ultimate Security can give you the upper hand against cybercriminals who exploit every possible angle to compromise your security.

It boasts email protection features and anti-phishing modules that constantly monitor your inbox and steer you clear of websites that masquerade as trustworthy to steal your data or funds.

Key features include real-time data protection against viruses, Trojans, worms, zero-day exploits, ransomware, spyware, and other threats, web attack prevention, behavioral detection for active apps, and AI-powered scam detection.
