1. Forum
  2. FidoNet
  3. CONSPRCY

  • Beware, hackers can appar

    From Mike Powell@1:2320/105 to All on Tuesday, April 22, 2025 08:57:00
    Beware, hackers can apparently now send phishing emails from no-reply@google.com

    Date:
    Mon, 21 Apr 2025 16:08:00 +0000

    Description:
    Researchers discover a rather elaborate scheme that looks authentic but it's still just phishing.

    FULL STORY

    Researchers have discovered a clever and elaborate phishing scheme that
    abused Googles services to trick people into giving away their credentials
    for the platform.

    Lead developer of the Ethereum Name Service, Nick Johnson, recently received
    an email that seemed to have come from no-reply@google.com. The email said
    that law enforcement subpoenaed Google for content found in his Google
    Account.

    He said that the email looked legitimate, and that it was very difficult to spot that its actually fake. He believes less technical users might very
    easily fall for the trick.

    DKIM signed

    Apparently, the crooks would first create a Google account for me@domain.
    Then, they would create a Google OAuth app, and put the entire phishing
    message (about the fake subpoena) in the name field.

    Then, they would grant themselves access to the email address in Google Workspace.

    Google would then send a notification email to the me@domain account, but
    since the phishing message was in the name field, it would cover the entire screen.

    Scrolling to the bottom of the email message would show clear signs that something was amiss, since at the bottom one could read about getting access
    to the me@domain email address.

    The final step is to forward the email to the victim. Since Google generated the email, it's signed with a valid DKIM key and passes all the checks,
    Johnson explained how the emails landed in peoples inbox and not in spam.

    The attack is called a DKIM replay phishing attack, since it leans on the
    fact that in Googles systems, DKIM checks only the message and the headers,
    not the envelope. Since the crooks first registered the me@domain address, Google will show it as if it was delivered to their email address.

    To hide their intentions even further, the crooks used sites.google.com to create the credential-harvesting landing page. This is Googles free web-building platform and should always raise red flags when spotted.

    Via BleepingComputer

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/beware-hackers-can-apparently-now-send- phishing-emails-from-no-reply-google-com

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)