Nick Johnson, founder and lead developer of the Ethereum Name Service (ENS), has warned his followers on X about an “extremely sophisticated” phishing attack that impersonates Google and tries to lure users into handing over their login credentials.
The attack uses Google's own infrastructure to send users a fake alert claiming that their Google account data is being shared with law enforcement in response to a subpoena, Johnson said in an April 16 post on X.
“It passes the DKIM signature check, and Gmail displays it without any warnings; it even puts it in the same conversation as other, legitimate security alerts,” he said.
The fake subpoena notice appears to come from a Google no-reply address. Source: Nick Johnson
As part of the attack, users are offered the option of viewing the case materials or lodging an objection by clicking a link to a support page which, according to Johnson, is built with Google Sites, a tool that lets anyone publish a website on a Google subdomain.
“From there, they'll likely harvest your login information and use it to compromise your account. I didn't go any further to check,” he said.
The Google domain name makes the e-mail look legitimate, but Johnson points out that there are still clear signs that it is a phishing scam, notably that it was forwarded from a personal e-mail address, something that shows up in the message's Return-Path and Received headers rather than in the From line that the mail client displays.
Scammers exploit Google's own systems
In a report dated April 11, the software company EasyDMARC explained that the scam works by weaponizing Google Sites.
Anyone with a Google account can create a site that looks legitimate and is hosted under a trusted Google domain.
The scammers also use a Google OAuth app. The key trick is that Google lets you enter any text you like in the app name field, so the phishing message itself can be placed there; combined with a domain registered through Namecheap, the security notification that Google's own systems then generate and sign carries a Google no-reply address as both its From address and its reply address.
Source: Nick Johnson
“Finally, they forward the message to their victims. Because DKIM only checks the message and its headers and not the envelope, the message passes signature validation and shows up as a legitimate message in the user's inbox, even in the same thread as legitimate security alerts,” said Johnson.
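The replay Johnson describes, modeled as an added example; this is not code from the article, from Johnson or from EasyDMARC. RFC 6376 DKIM signs a hash of the body plus the header fields listed in the signature's h= tag, and nothing else: the SMTP envelope sender (surfaced as Return-Path) and the Received trace a forwarding hop adds are outside the signature, so a message forwarded unmodified still verifies, and it also still satisfies DMARC alignment because the signing domain matches the From domain. To stay dependency-free the signature is an HMAC-SHA256 with a shared key rather than DKIM's RSA signature, only the "simple" canonicalization is modeled, folded headers are not handled, and the key, domains and messages are constructed for the example. The last function shows the check the forwarded-from-a-personal-address observation above amounts to: compare the envelope sender and last relay hop against the From domain.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the signing domain's private key.  Real DKIM signs with
# RSA/Ed25519 and publishes the public key in DNS; HMAC keeps this dependency-free.
SIGNING_KEY = b"example-selector-key"

def parse_message(raw: str):
    """Return ([(lowercased name, value), ...] in original order, body). No folding."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body

def get_header(headers, name):
    """First occurrence wins, which is where a relaying MTA prepends its own."""
    return next((v for n, v in headers if n == name), None)

def canonical_body(body: str) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines, end with CRLF."""
    return body.rstrip("\r\n").encode() + b"\r\n"

def _tag_string(tags: dict) -> str:
    """DKIM-Signature value with b= emptied; this form is what gets signed."""
    return "; ".join(f"{k}={tags[k]}" for k in ("v", "a", "d", "s", "h", "bh")) + "; b="

def _signed_bytes(headers, tags: dict) -> bytes:
    # Only the fields listed in h= plus the DKIM-Signature field itself are covered.
    # Return-Path, Received and the SMTP envelope are absent, so a relay may change them.
    lines = [f"{h}:{get_header(headers, h) or ''}" for h in tags["h"].split(":")]
    lines.append("dkim-signature:" + _tag_string(tags))
    return "\r\n".join(lines).encode()

def sign(raw: str, domain: str, selector: str = "s1",
         signed_headers=("from", "to", "subject", "date")) -> str:
    """Prepend a DKIM-Signature header, as the sending domain's MTA would."""
    headers, body = parse_message(raw)
    tags = {"v": "1", "a": "hmac-sha256", "d": domain, "s": selector,
            "h": ":".join(signed_headers),
            "bh": base64.b64encode(hashlib.sha256(canonical_body(body)).digest()).decode()}
    mac = hmac.new(SIGNING_KEY, _signed_bytes(headers, tags), "sha256").digest()
    return f"DKIM-Signature: {_tag_string(tags)}{base64.b64encode(mac).decode()}\r\n{raw}"

def verify(raw: str) -> bool:
    """True when both the body hash and the MAC over the h= headers check out."""
    headers, body = parse_message(raw)
    sig = get_header(headers, "dkim-signature")
    if sig is None:
        return False
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    bh = base64.b64encode(hashlib.sha256(canonical_body(body)).digest()).decode()
    if not hmac.compare_digest(bh, tags.get("bh", "")):
        return False
    mac = hmac.new(SIGNING_KEY, _signed_bytes(headers, tags), "sha256").digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), tags.get("b", ""))

def relay(signed: str, envelope_from: str, relay_host: str) -> str:
    """Model a forwarding hop: new envelope sender and Received trace on top, rest untouched."""
    return (f"Return-Path: <{envelope_from}>\r\n"
            f"Received: from {relay_host} by mx.victim.example.org\r\n" + signed)

def replay_indicators(raw: str) -> list:
    """Checks that still work when DKIM passes: envelope sender and last hop vs From: domain."""
    headers, _ = parse_message(raw)
    from_domain = get_header(headers, "from").rsplit("@", 1)[-1].rstrip(">")
    findings = []
    rp = get_header(headers, "return-path")
    if rp and rp.strip("<>").rsplit("@", 1)[-1] != from_domain:
        findings.append(f"Return-Path domain differs from From domain {from_domain}: {rp}")
    rcvd = get_header(headers, "received")
    if rcvd and rcvd.startswith("from "):
        hop = rcvd.split()[1]
        if hop != from_domain and not hop.endswith("." + from_domain):
            findings.append(f"last relay hop {hop} is outside {from_domain}")
    return findings

# Constructed sample: a security notice as the sending domain itself would sign it.
ORIGINAL = ("From: Example Accounts <no-reply@accounts.example.com>\r\n"
            "To: me@attacker-owned.example.net\r\n"
            "Subject: Security alert\r\n"
            "Date: Wed, 16 Apr 2025 10:00:00 +0000\r\n"
            "\r\n"
            "A request for your account data was received. Review the case at the link below.\r\n")
SIGNED = sign(ORIGINAL, domain="accounts.example.com")
# The replay: the attacker's mailbox forwards the signed message, unmodified, to a victim.
REPLAYED = relay(SIGNED, "me@attacker-owned.example.net", "mail.attacker-owned.example.net")
# For contrast, editing the signed body breaks the signature.
TAMPERED = SIGNED.replace("Review the case", "Confirm your password")

if __name__ == "__main__":
    print("original verifies:", verify(SIGNED))    # True
    print("replayed verifies:", verify(REPLAYED))  # True: the envelope is not signed
    print("tampered verifies:", verify(TAMPERED))  # False
    for finding in replay_indicators(REPLAYED):
        print("indicator:", finding)
```

The replayed copy verifies because the forwarding hop never touched anything inside the signed input, while the tampered copy fails on the body hash before the MAC is even checked. The indicators function is the part a receiving filter or a reader of the raw headers can act on: a passing DKIM and DMARC result says the message was produced by the signing domain, not that the signing domain delivered it to you.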
Google is rolling out countermeasures
A Google spokesperson told Cointelegraph that the company is aware of the issue and of the mechanism by which the attacker inserts text of any length, and that it is deploying a fix that will stop this attack method from working in the future.
“We are aware of this class of targeted attack from the threat actor Rockfoils and introduced protective measures last week. These protections will soon be fully in place, which means this avenue for abuse will be closed,” the spokesperson said.
“In the meantime, we encourage users to adopt two-factor authentication and passkeys, which offer strong protection against phishing campaigns of this kind.”
The spokesperson added that Google will never ask for private account credentials, including passwords, one-time passcodes or push notification approvals, and will never call users.