In a recent and highly sophisticated phishing campaign, attackers have used an unconventional method to deliver fraudulent emails through Google's own infrastructure. The emails direct recipients to deceptive websites built to harvest account credentials.
Nick Johnson, lead developer of the Ethereum Name Service (ENS), highlighted the intricacy of this attack. He noted that the emails in question are genuine, signed messages originating from an accounts.google.com address. They pass DKIM (DomainKeys Identified Mail) signature verification, so Gmail displays them without any warning and threads them alongside the user's real security alerts, which makes them particularly deceptive.
The content of these emails informs recipients of a subpoena from a law enforcement authority, alleging the presence of unspecified content in their Google Account. The message urges users to click on a provided Google Sites URL to examine the case materials or take measures to submit a protest.
Upon clicking the link, users are directed to a counterfeit page that closely mimics the legitimate Google Support page. This page presents options such as "upload additional documents" or "view case". Selecting either option leads the victim to a replica of the Google Account sign-in page, which, crucially, is hosted on Google Sites.
Johnson elaborated on the weaknesses exploited in this attack. He pointed out that Google Sites, a legacy product predating Google's current security controls, allows anyone with a Google account to publish content under sites.google.com, a subdomain of google.com. Importantly, it supports arbitrary scripts and embeds, which makes building a credential-harvesting page on a google.com hostname straightforward. Additionally, the absence of a direct abuse-reporting mechanism within the Sites interface complicates efforts to get such pages taken down.
A particularly cunning aspect of this phishing scheme is what the message's headers reveal, and what they conceal. In Gmail's message details, the "signed-by" field (derived from the DKIM signing domain) shows accounts.google.com, lending an air of authenticity, while the "mailed-by" field (derived from the envelope sender that passed SPF) references an unrelated domain, fwd-04-1.fwd.privateemail.com. That mismatch between the signing domain and the delivering domain is the tell-tale sign of the technique.
This attack is identified as a DKIM replay attack. The process involves the attacker creating a Google Account associated with a newly registered domain (e.g., me@
The attacker grants their OAuth app access to their me@… Google account, triggering a Security Alert email from Google to this address. Since Google generates this email, it carries a valid DKIM signature and passes all authentication checks.
Subsequently, the attacker forwards this message from an Outlook account without altering the signed headers or body. Because a DKIM signature covers the message content rather than the path it travels, the signature remains valid through any number of intermediate relays as long as the signed parts are left unchanged, so the forwarded copy still passes DKIM verification at the next hop. The message is relayed through a custom Simple Mail Transfer Protocol (SMTP) service called Jellyfish and received by Namecheap's PrivateEmail infrastructure, which forwards it on to the targeted Gmail account.
At this stage, the email arrives in the victim's inbox appearing as a legitimate message from Google, with all three authentication checks (SPF, DKIM and DMARC) reported as passed. Note that SPF passes for the forwarder's own envelope domain, not for Google, while DMARC passes because the DKIM signing domain, accounts.google.com, aligns with the From: header; DMARC only requires one of the two mechanisms to align. Johnson also noted that by naming the Google account me@ (at the attacker's domain), the signed To: header reads me@..., which Gmail renders as "to me", the shorthand it uses when a message is addressed to the user's own address. This subtle manipulation helps avoid raising red flags for the recipient.
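The checks described above can be mechanised from the headers alone. The following script is an added example, not code from the article or from Johnson: it parses a constructed message modelled on the headers the article describes and flags the combination that characterises a replayed alert: a DKIM signature aligned with the From: domain, an envelope sender and delivering relay outside that domain, and a signed To: header that does not name the actual recipient. The relay hostnames other than fwd-04-1.fwd.privateemail.com, the IP address, the DKIM selector, the From: local part and the sample addresses are assumptions made for the sample; the organizational-domain comparison is a deliberate approximation.

```python
"""Flag a DKIM-replayed transactional alert from its headers (added example)."""
import email
import re
from email.utils import getaddresses, parseaddr
from typing import Optional


def build_sample(return_path: str, relay_host: str, to_addr: str) -> str:
    """Constructed message text; only the transport-dependent parts vary.
    Hostnames other than fwd-04-1.fwd.privateemail.com, the IP, selector and
    the From: local part are assumptions, not captured data."""
    return f"""\
Return-Path: <{return_path}>
Received: from {relay_host} ({relay_host}. [198.51.100.7])
        by mx.google.com with ESMTPS id x1
Authentication-Results: mx.google.com;
       dkim=pass header.i=@accounts.google.com header.s=sel1;
       spf=pass smtp.mailfrom={return_path};
       dmarc=pass header.from=accounts.google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=sel1;
        h=to:from:subject:date:message-id; bh=AAAA; b=BBBB
From: Google <no-reply@accounts.google.com>
To: {to_addr}
Subject: Security alert

A new app has been granted access to your Google Account.
"""


def org_domain(host: str) -> str:
    """Crude organizational-domain approximation (last two labels). A real
    implementation would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def tag(value: str, name: str) -> Optional[str]:
    """Pull name=value out of a ';'-separated tag list such as DKIM-Signature."""
    m = re.search(rf"(?:^|;)\s*{name}=([^;\s]+)", value)
    return m.group(1) if m else None


def unfold(value: str) -> str:
    """Collapse header folding whitespace into single spaces."""
    return " ".join(value.split())


def assess(raw: str, recipient: str) -> dict:
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    dkim_domain = (tag(unfold(msg.get("DKIM-Signature", "")), "d") or "").lower()
    auth = unfold(msg.get("Authentication-Results", ""))
    results = dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", auth))
    # The topmost Received header is the hop that handed the message to our MX.
    received = [unfold(r) for r in msg.get_all("Received", [])]
    hop = re.match(r"from\s+(\S+)", received[0]) if received else None
    first_hop = hop.group(1).lower() if hop else ""
    # To:/Cc: are covered by the signature, so a replayed alert still names the
    # attacker's me@... mailbox rather than the victim.
    listed = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}

    findings = []
    dkim_aligned = results.get("dkim") == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    if dkim_aligned and org_domain(envelope_domain) != org_domain(from_domain):
        findings.append(f"DKIM signed by {dkim_domain} but envelope sender is {envelope_domain}")
    if dkim_aligned and org_domain(first_hop) != org_domain(from_domain):
        findings.append(f"last relay {first_hop} is outside the From: organization")
    if recipient.lower() not in listed:
        findings.append(f"recipient {recipient} absent from signed To:/Cc: ({', '.join(sorted(listed))})")
    return {
        "from_domain": from_domain, "dkim_domain": dkim_domain,
        "envelope_domain": envelope_domain, "first_hop": first_hop,
        "auth": results, "recipient_in_to": recipient.lower() in listed,
        "findings": findings,
        # Replay suspected only when the signature is genuine yet both the
        # transport path and the signed recipient disagree with the From: domain.
        "replay_suspected": dkim_aligned and len(findings) == 3,
    }


# Constructed samples: the replayed alert as the article describes it, and a
# direct delivery from Google for contrast (bounce domain and relay are assumed).
REPLAYED = build_sample("bounce@fwd-04-1.fwd.privateemail.com",
                        "fwd-04-1.fwd.privateemail.com", "me@attacker-registered.example")
GENUINE = build_sample("3abc@accounts.bounces.google.com",
                       "mail-relay.google.com", "victim@gmail.example")

if __name__ == "__main__":
    for label, sample in (("replayed", REPLAYED), ("genuine", GENUINE)):
        print(label, assess(sample, "victim@gmail.example")["findings"])
```

The envelope and relay checks on their own also fire for ordinary mailing-list or corporate forwarding, which is why the script requires the third signal as well: for a transactional alert that Google addresses to one mailbox, the recipient's own address missing from the signed To:/Cc: headers is the strongest indicator that a genuine message is being replayed to someone it was never sent to.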
This incident underscores the evolving sophistication of phishing attacks and the importance of continuous vigilance and advanced security measures to protect against such threats.