In what has been described as an “extremely sophisticated phishing attack,” threat actors have used an unusual approach that let bogus emails pass through Google’s own infrastructure and redirect recipients to fraudulent sites that harvest their credentials.
“The first thing to note is that this is a valid, signed email; it really was sent from no-reply@google.com,” Nick Johnson, lead developer of the Ethereum Name Service (ENS), noted in a series of posts on X.
“It passes the DKIM signature check, and Gmail displays it without any warnings; it even puts it in the same conversation as other, legitimate security alerts.”
The email informed recipients of a subpoena from a law enforcement authority requesting unspecified content held in their Google Account and urged them to click a sites.google[.]com URL to “examine the case file or take action to protest.”
The Google Sites URL serves a lookalike page that mimics a legitimate Google Support page and includes buttons to “upload additional documents” or “view.” Clicking either option takes the victim to a replica of the Google Account sign-in page; the only difference is that it is hosted on Google Sites.
“Sites.google.com is a legacy product from before Google got serious about security; it allows users to host content on a google.com subdomain, and crucially it supports arbitrary scripts and embeds,” Johnson said.
“Obviously, this makes building a credential-harvesting site trivial; they simply have to be prepared to upload new versions as the old ones get taken down by Google’s abuse team. It helps the attackers that there is no way to report abuse from the Sites interface.”
A noteworthy aspect of the attack is that the email message carries a “Signed by” header naming a google[.]com domain, despite having a “Mailed by” header with a completely unrelated domain (“fwd-04-1.fwd.privateemail”).
The malicious activity has been characterized as a DKIM replay attack, in which the attacker first creates a Google Account for a newly registered domain (“me@…”).
“Now they grant their OAuth app access to their ‘me@…’ Google account,” Johnson said. “This generates a ‘Security Alert’ message from Google, sent to their ‘me@…’ email. Since Google generated the email, it’s signed with a valid DKIM key and passes all the checks.”
The attacker then forwards the same message from an Outlook account, keeping the DKIM signature intact and causing the message to bypass email filters, EasyDMARC reports. The message is subsequently relayed through a custom Simple Mail Transfer Protocol (SMTP) service called Jellyfish and received by Namecheap’s PrivateEmail infrastructure, which forwards it on to the target Gmail account.
“At this point, the email reaches the victim’s mailbox looking like a valid Google message, and all authentication checks show it passing SPF, DKIM and DMARC,” EasyDMARC CEO Gerasim Hovhannisyan noted.
“Because they named their Google account ‘me@’, Gmail shows the message as sent to ‘me’ at the top, which is the shorthand it uses when a message is addressed to your own email address, avoiding another indicator that might raise red flags,” Johnson said.
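As an added illustration that is not part of the original article, the following defender-side check looks for the three traces the replay chain described above leaves on a delivered message: a DKIM signature aligned with the From: domain, an envelope sender from an unrelated relay, and a signed To: header that names the attacker’s “me@” mailbox rather than the actual recipient. The sample message, the relay host and the attacker-side mailbox are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the replayed "Security Alert": the relay host
# and the attacker-side mailbox are made-up .example names, not real indicators.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@relay.example.net>
Received: from fwd.relay.example.net (fwd.relay.example.net [198.51.100.7])
 by mx.victim.example with ESMTP id abc123 for <victim@victim.example>
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=20230601;
 h=from:to:subject:date; bh=placeholderbodyhash=; b=placeholdersignature=
From: Google <no-reply@google.com>
To: me@attacker-controlled.example
Subject: Security alert

A new OAuth application was granted access to your account.
"""

def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def replay_indicators(raw, delivered_to):
    """Collect the traces a DKIM replay leaves on one RFC 5322 message.

    The signature still verifies (so DKIM and DMARC pass), but the envelope
    and the signed To: header no longer fit the mailbox that received it."""
    msg = message_from_string(raw)
    match = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = match.group(1).lower() if match else ""
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    envelope_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    to_addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    return {
        # DMARC-style alignment: d= equals the From: domain, which is why it passes
        "dkim_aligned_with_from": bool(dkim_domain) and dkim_domain == from_domain,
        # the bounce address belongs to an unrelated relay, not to the signer
        "envelope_domain_differs": envelope_domain != from_domain,
        # the header was signed for the attacker's "me@" mailbox, not this one
        "recipient_not_in_to": delivered_to.lower() not in to_addrs,
    }

def looks_like_dkim_replay(raw, delivered_to):
    """True when all three indicators are present; score it, do not auto-block."""
    flags = replay_indicators(raw, delivered_to)
    return all(flags.values())
```

Legitimate forwarding (mailing lists, auto-forward rules) produces the same envelope and recipient mismatches, so treat the result as a scoring signal alongside the sender’s reputation rather than a hard verdict.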
Reached for comment, Google told The Hacker News that it has rolled out fixes to stop the abuse, and emphasized that the company does not ask for account credentials, such as passwords or one-time passcodes, nor does it call users directly.
“We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse,” a Google spokesperson said. “In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”
The disclosure comes nearly nine months after Guardio Labs revealed a since-fixed misconfiguration in an email security vendor’s protections that threat actors exploited to send millions of messages spoofing various popular companies such as Best Buy, IBM, Nike and Walt Disney, while bypassing authentication measures.
It also coincides with a surge in phishing campaigns that use attachments in Scalable Vector Graphics (SVG) format to run HTML code, which in turn redirects users to a Microsoft login form or to a fake web page masquerading as Google Voice to lure them into entering their credentials.
Russian cybersecurity company Kaspersky said it has observed more than 4,100 phishing emails with SVG attachments since the start of 2025.
“Phishers are tirelessly exploring new techniques to evade detection,” Kaspersky noted. “They vary their tactics, sometimes using user redirection and text obfuscation, and at other times experimenting with different attachment formats. The SVG format provides the ability to embed HTML and JavaScript code within images, which attackers are exploiting.”