Nick Johnson, a New Zealand developer known for founding and leading the development of the Ethereum Name Service (ENS), a decentralized naming system running on the Ethereum blockchain, was the target of a sophisticated Gmail scam. The developer recounted his misadventure at length on his X account.
The attack, which he describes as "extremely sophisticated", begins with the receipt of an email referring to a subpoena. The email claims that a court has ordered Google to release all of the recipient's account information to the authorities as part of an investigation. This pretext is designed to arouse both the curiosity and the concern of Internet users.
To lull their targets' suspicions, the cybercriminals exploit "a vulnerability in Google's infrastructure". On the surface, the email was indeed sent from an official company address, namely [emailprotected]. Moreover, the email did not trigger Gmail's security mechanisms or spam filters, and the email service displayed no warning on it, which encouraged the user to believe it was an official communication.
Furthermore, the email passed DKIM (DomainKeys Identified Mail), a security mechanism used to verify that an email was indeed sent from the domain it claims to come from and that it was not modified in transit. Worse, the email was mixed in with other legitimate emails received by the user. How were the hackers able to send a scam from a Google email address?
A Google platform exploited by hackers
In fact, the hackers used the free platform sites.google.com. Launched by Google in 2008, it allows anyone to easily create websites without coding knowledge, through a simple and intuitive interface. Using this platform, the hackers built a fake website imitating Google's. They then registered a domain and created a Google account, which they used to send the phishing email.
The only clue that "this is phishing is that it's hosted on http://sites.google.com instead of http://accounts.google.com," says Nick Johnson, adding that sites.google.com is "a legacy product from before Google took security seriously." Too rudimentary, the platform gradually fell out of use. Although still online, it is no longer suited to the demands of the modern web.
Google allows developers to create OAuth apps, which request access to certain user data, using Google's implementation of the open OAuth standard. The attacker created a fake Google app, as if it were a real service, and used the entire phishing message as the app name, so that the authorization request appeared official. When the victim saw the access request, they took it for a genuine legal notice from Google. This trick reinforced the attack's credibility. Alerted by Nick Johnson, Google has committed to fixing the OAuth bug.
Convinced that the email really comes from Google, the target gives it credence. To learn more about this strange legal summons, they do what the email suggests: click on a link in the email. This opens a fake Google login page on the website created with sites.google.com. Once there, the user will want to "Download additional documents" or "View the case" in question. To do so, they have to hand their login details, usernames and passwords, to the hackers. This is where the trap closes. With the login details, the hackers can attempt to take control of the Google account.
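The distinguishing clue Nick Johnson points to, a link to user-hosted content on sites.google.com rather than to accounts.google.com, is something a mail gateway or a reader can check mechanically, independently of whether DKIM passed. The following script is an added example written for this article; it is not Google's code nor anything Johnson published. It parses a message, records whether the Authentication-Results header reports a DKIM pass, extracts every URL from the body and flags links whose host is a user-content platform. The hostname sets and both sample messages are constructed for the example, and the sender address in them is a placeholder rather than the address used in the real attack.

```python
"""Flag links in a Google-branded notice that point to user-hosted content.

Added example: a DKIM pass only proves the message left the signing domain
unmodified; it says nothing about where the links inside it lead.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption: hosts from which Google itself serves account or legal notices.
GOOGLE_FIRST_PARTY = {"accounts.google.com", "myaccount.google.com", "support.google.com"}
# Assumption: Google hosts whose pages are authored by arbitrary users, not Google.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def extract_urls(msg):
    """Return every http(s) URL found in the text parts of a parsed message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                urls.append(url.rstrip(".,;"))  # drop trailing sentence punctuation
    return urls


def classify_link(url):
    """Classify a URL by who controls the content behind its hostname."""
    host = (urlparse(url).hostname or "").lower()
    if host in USER_CONTENT_HOSTS:
        return "user-content"
    if host in GOOGLE_FIRST_PARTY:
        return "first-party"
    if host == "google.com" or host.endswith(".google.com"):
        return "google-other"
    return "external"


def audit_message(raw):
    """Audit a raw RFC 5322 message and return the findings as a dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_header = msg["From"]
    sender_domain = from_header.addresses[0].domain.lower() if from_header else ""
    auth_results = str(msg.get("Authentication-Results", ""))
    dkim_pass = re.search(r"\bdkim=pass\b", auth_results) is not None

    # Links into user-authored content are suspicious in an account notice,
    # regardless of the DKIM result; we record DKIM but never let it excuse them.
    suspicious = [u for u in extract_urls(msg) if classify_link(u) == "user-content"]
    return {
        "sender_domain": sender_domain,
        "dkim_pass": dkim_pass,
        "suspicious_links": suspicious,
        "verdict": "suspicious" if suspicious else "ok",
    }


# Constructed sample: a subpoena-themed lure whose links lead to sites.google.com.
# The sender address is a placeholder, not the address seen in the real incident.
SAMPLE_PHISH = """From: Google <no-reply@google.com>
To: victim@example.org
Subject: Security alert: subpoena received for your account
Authentication-Results: mx.example.org; dkim=pass header.d=google.com
Content-Type: text/plain; charset="utf-8"

Google has been served with a subpoena requesting your account contents.
View the case: https://sites.google.com/view/legal-case-0000/
Download additional documents: https://sites.google.com/view/legal-case-0000/docs.
"""

# Constructed sample: a notice whose only link goes to the first-party account host.
SAMPLE_LEGIT = """From: Google <no-reply@google.com>
To: user@example.org
Subject: Security alert
Authentication-Results: mx.example.org; dkim=pass header.d=google.com
Content-Type: text/plain; charset="utf-8"

Review recent activity on your account: https://accounts.google.com/signin
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, audit_message(raw))
```

The point of keeping `dkim_pass` in the output while ignoring it in the verdict is the lesson of this incident: authentication headers tell you the envelope is genuine, and the link hosts tell you where the user is actually being sent. A gateway rule that trusted DKIM alone would have let this message through, exactly as Gmail did.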
This isn't the first time that Google tools have been hijacked by cybercriminals. For example, some hackers use g.co, an official Google shortened domain, to propagate their malicious websites by making them appear as official sites.
Best Practices to Adopt
To protect your Google Account, we recommend you exercise caution if you receive unsolicited documents or messages on Gmail. Above all, take the time to enable two-factor authentication, which will prevent hackers who have obtained your credentials from compromising your account. Additionally, choose a recovery phone number and email address so you can recover your Google Account in the event of a hack.