Developer Nick Johnson shared on the social network X (formerly Twitter) a rather disturbing experience: he received a security email purporting to come from Google, warning that a "subpoena has been issued to Google LLC to access the contents of his account." The email looked authentic in every respect: it was sent from "[emailprotected]", carried a valid DKIM signature, and was filed by Gmail alongside genuine account security alerts.
A booby-trapped email gets past Google's filters
The link in the message led to a page hosted on sites.google.com, a legitimate Google service. It was a fake support page that faithfully imitated Google's interface. The trap springs when the visitor clicks "view file" or "add documents": they are redirected to a fake login page, still hosted on sites.google.com, built to harvest credentials.
What makes this attack particularly vicious is that it slips past the security filters that are supposed to block this type of content. The explanation is technical: the attackers registered a domain, created a Google account tied to it, then registered an OAuth application whose name was the full text of the fraudulent message. Granting that application access to the account causes Google itself to generate a genuine security alert email containing that text. The attackers then forward this email to their victims, and because the DKIM signature covers the signed headers and body rather than the path the message travelled, the forwarded copy still validates as coming from Google.
The case revealed by Nick Johnson is not isolated. According to Adrianus Warmenhoven, a cybersecurity expert at NordVPN, "turnkey" phishing kits are available for around twenty euros on dark web forums. They include cloned site templates, data collection scripts, and even email generators and targeted contact lists. Google, Facebook, and Microsoft are the most impersonated brands.
Faced with the growing sophistication of these scams, authentication using DKIM, SPF, and DMARC is showing its limits. As James Shank of the company Expel puts it, "A DKIM-validated message is not necessarily safe." A passing signature only shows that the message was signed by an authorized domain, not that its contents are harmless.
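To illustrate why a valid DKIM signature is not a safety verdict, here is a small Python triage script added to this article (it is not code from the article, from Google, or from any of the people quoted). The message sample, header values, domain names and signature tags are constructed, and the script assumes the receiving mailbox records a Delivered-To header. It shows that the DKIM d= domain aligns with the From: domain, so DMARC is satisfied, while two cheap heuristics still flag the message: the signed To: address is not the actual recipient, which is the fingerprint of a replayed message, and the call-to-action link is hosted on sites.google.com.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): a Google-signed alert that the
# attacker's own mailbox received and then forwarded unchanged to a victim.
# The bh= and b= tag values are placeholders, not a real signature.
SAMPLE_EMAIL = """\
Delivered-To: victim@example.org
Return-Path: <bounce@attacker-domain.example>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
 s=20230601; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: me@attacker-domain.example
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A subpoena has been issued to Google LLC to access the contents of your account.
Review the case file at https://sites.google.com/view/case-file/home
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    # Folded header whitespace is not significant inside the tag list.
    for part in re.sub(r"\s+", "", header_value).split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key] = value
    return tags


def domain_of(address_header: str) -> str:
    """Return the lower-cased domain part of an address header value."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()


def analyse_message(raw: str) -> dict:
    """Run replay and hosting heuristics over one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    tags = parse_dkim_tags(str(msg.get("DKIM-Signature", "")))
    signed_headers = tags.get("h", "").lower().split(":")

    from_domain = domain_of(str(msg.get("From", "")))
    dkim_domain = tags.get("d", "").lower()
    envelope_domain = domain_of(str(msg.get("Return-Path", "")))
    signed_to = parseaddr(str(msg.get("To", "")))[1].lower()
    delivered = {parseaddr(str(v))[1].lower() for v in msg.get_all("Delivered-To", [])}

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    google_sites_links = [
        url for url in URL_RE.findall(body)
        if (urlparse(url).hostname or "").lower() == "sites.google.com"
    ]

    # Replay fingerprint: To: is covered by the signature (so it cannot be
    # rewritten without breaking DKIM) yet names someone other than the
    # mailbox the message actually landed in.
    signed_to_mismatch = (
        "to" in signed_headers and bool(delivered) and signed_to not in delivered
    )

    return {
        # DKIM/DMARC alignment passes: the signer really is accounts.google.com.
        "dkim_aligned": bool(dkim_domain) and dkim_domain == from_domain,
        # Reported only; legitimate forwarding also breaks SPF alignment.
        "envelope_mismatch": bool(envelope_domain) and envelope_domain != from_domain,
        "signed_to_mismatch": signed_to_mismatch,
        "google_sites_links": google_sites_links,
        "suspicious": signed_to_mismatch or bool(google_sites_links),
    }


if __name__ == "__main__":
    for key, value in analyse_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The verdict deliberately ignores the Return-Path mismatch on its own, since mailing lists and forwarding rules produce the same SPF failure on harmless mail; it is the signed To: mismatch combined with a credential-capture link on a free hosting service that distinguishes this replay from ordinary forwarding.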
Google has since announced measures to address this specific flaw. The company recommends enabling two-factor authentication (2FA) and using passkeys to enhance security. "We will deploy new protections that will block this method," a spokesperson promised.
But the damage is done: this case demonstrates that even the most secure email systems are not infallible. Remaining vigilant, checking URLs, and never blindly trusting an email, even one from Google, have become essential reflexes.