Ethical Hacking News

Phishers Abuse Google OAuth to Spoof Google in DKIM Replay Attack



Phishers have abused Google OAuth to spoof Google's own systems, using a DKIM replay technique to deliver a genuine, Google-signed security alert that steers recipients to a legitimate-looking support portal asking for Google account credentials. The attack resembles one that targeted PayPal users in March and underlines why recipients cannot rely on email authentication checks alone to spot phishing.

  • The attacker exploited a weakness in Google's systems to deliver messages that genuinely originated from Google's infrastructure.
  • Because Google generated and signed the alert, it carried a valid DKIM signature and still passed signature validation when replayed to victims.
  • The attacker created a Google OAuth app whose name contained the phishing text, then granted that app access to their own Google Workspace mailbox, which triggered an automatic Google security alert to that inbox.
  • That alert was forwarded to victims to lure them into a legitimate-looking support portal that collected logins.
  • Google initially said the behaviour was working as intended but later acknowledged the risk and is working to fix the OAuth weakness.



    Recently, a sophisticated phishing attack was discovered in which hackers abused Google OAuth to spoof Google's systems and trick recipients into accessing a legitimate-looking support portal that asked for Google account credentials. The attacker leveraged a weakness in Google's systems to deliver emails that really did originate from Google's infrastructure, passing every authentication check while pointing to a fraudulent page that collected logins.

    The email appeared to come from "no-reply@google.com" and passed DomainKeys Identified Mail (DKIM) authentication, even though the party that actually delivered it to victims was not Google. The technique is known as a DKIM replay attack: the message is signed with a valid DKIM key by the legitimate sender and then re-sent by the attacker, so it still passes signature validation and looks legitimate in the recipient's inbox.

    The attack works because DKIM covers only the message body and selected headers, not the SMTP envelope, so a signed message can be relayed by anyone and still validate. The attacker created a Google OAuth app whose name carried the phishing text and granted that app access to their own email address in Google Workspace. Google then automatically sent a security alert about the grant to that inbox, and that alert, which reproduced the app's name, was forwarded to victims, making it seem like it came from Google itself.

    This attack is similar to one that targeted PayPal users in March, where fraudulent messages originated from PayPal's own mail servers and passed DKIM checks using the same technique. In that case, the attacker used PayPal's "gift address" option to link a new email address to their PayPal account and pasted the phishing message into the second address field, so that PayPal's own notification carried the lure.

    The attack was first discovered by Nick Johnson, the lead developer of the Ethereum Name Service (ENS), who received a security alert that seemed to be from Google, informing him of a subpoena from a law enforcement authority asking for his Google Account content. Almost everything looked legitimate and Google even placed it with other legitimate security alerts, which would likely trick less technical users.

    However, Johnson's keen eye spotted that the fake support portal in the email was hosted on sites.google.com - Google's free web-building platform, which raised suspicion. The developer believes that the purpose of the fraudulent site was to collect credentials to compromise the recipient's account.

    The developer put the clues together and discovered the fraudster's tricks. "First, they register a domain and create a Google account for 'me@domain'. The domain isn't that important but it helps if [sic] looks like some kind of infra. The choice of 'me' for the username is clever," Johnson explains.

    The attacker then created a Google OAuth app whose name carried the phishing text and granted it access to that Workspace mailbox, which caused Google to send an automatic security alert to the inbox. "Since Google generated the email, it's signed with a valid DKIM key and passes all the checks," Johnson says, adding that the last step was to forward the security alert to victims.
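    The mechanism described above, and in Johnson's step-by-step account, comes down to one property of DKIM: the signature covers the body and a chosen list of headers, never the SMTP envelope, so a message Google really signed stays valid no matter who relays it. The Python below is an added example written for this page, not code from Google, from Johnson or from the original article. It models the flow end to end: a signer standing in for Google, a verifier, a forwarding step that changes only the envelope, and a small detection heuristic. Everything in it is constructed: the key (HMAC-SHA256 is used in place of RSA so the example runs with only the standard library), the selector, the domains, the alert message, and the "relaxed" canonicalization, which is a simplified version of RFC 6376. Forwarding is modelled as prepending Return-Path and Received headers, which is a simplification of what a real relay does.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the signer's key store. Real DKIM publishes an RSA or Ed25519
# public key in DNS at <selector>._domainkey.<domain>; HMAC is used here so this runs stdlib-only.
SIGNING_KEYS = {("google.com", "sel1"): b"constructed-google-signing-key"}
SIGNED_HEADERS = ["from", "to", "subject", "date"]  # the h= list; the envelope is not in it

# Constructed model of the alert Google mails to the attacker's own inbox: the body
# reproduces the OAuth app's name, which is where the phishing text and link live.
ORIGINAL = (
    "From: Google <no-reply@google.com>\r\n"
    "To: me@constructed-infra.example\r\n"
    "Subject: Security alert\r\n"
    "Date: Mon, 21 Apr 2025 09:00:00 +0000\r\n"
    "\r\n"
    "You granted access to an application named:\r\n"
    "Legal Support - review your case at https://sites.google.com/view/constructed-case\r\n"
)

def parse(raw):
    head, _, body = raw.partition("\r\n\r\n")  # no header folding in these messages
    headers = []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body

def header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), None)

def canon_header(name, value):  # simplified RFC 6376 "relaxed" header canonicalization
    return f"{name.lower()}:{' '.join(value.split())}\r\n"

def canon_body(body):  # simplified "relaxed" body canonicalization
    lines = [re.sub(r"[ \t]+", " ", l.rstrip(" \t")) for l in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"

def signature_input(headers, sig_value):
    data = "".join(canon_header(h, header(headers, h) or "") for h in SIGNED_HEADERS)
    # The DKIM-Signature header itself is covered, with its b= tag emptied.
    return data + canon_header("DKIM-Signature", re.sub(r"b=[^;]*$", "b=", sig_value)).rstrip("\r\n")

def dkim_sign(raw, domain, selector):
    headers, body = parse(raw)
    bh = base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()
    sig = (f"v=1; a=hmac-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
           f"h={':'.join(SIGNED_HEADERS)}; bh={bh}; b=")
    mac = hmac.new(SIGNING_KEYS[(domain, selector)], signature_input(headers, sig).encode(), hashlib.sha256)
    return f"DKIM-Signature: {sig}{base64.b64encode(mac.digest()).decode()}\r\n{raw}"

def dkim_verify(raw):
    """Return (passed, d= domain): the body hash must match and the header MAC must verify."""
    headers, body = parse(raw)
    sig = header(headers, "DKIM-Signature")
    if sig is None:
        return False, None
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    key = SIGNING_KEYS.get((tags.get("d"), tags.get("s")))
    if key is None:
        return False, tags.get("d")
    bh = base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()
    expected = hmac.new(key, signature_input(headers, sig).encode(), hashlib.sha256).digest()
    ok = bh == tags.get("bh") and hmac.compare_digest(expected, base64.b64decode(tags.get("b", "")))
    return ok, tags.get("d")

def replay(signed_raw, envelope_sender, relay_host):
    """Model of forwarding: new envelope and Received hop, signed headers and body untouched."""
    return (f"Return-Path: <{envelope_sender}>\r\n"
            f"Received: from {relay_host} (constructed hop)\r\n{signed_raw}")

def replay_indicators(raw):
    """Heuristic: DKIM passes for the From domain but the envelope sender lives elsewhere,
    or a message styled as a Google alert links to sites.google.com."""
    passed, d = dkim_verify(raw)
    headers, body = parse(raw)
    from_domain = (header(headers, "From") or "").rsplit("@", 1)[-1].strip(">")
    rp_domain = (header(headers, "Return-Path") or "").rsplit("@", 1)[-1].strip(">")
    reasons = []
    if passed and d == from_domain and rp_domain and rp_domain != from_domain:
        reasons.append(f"DKIM d={d} passes but envelope sender is {rp_domain}")
    if "sites.google.com" in body:
        reasons.append("message styled as a Google alert links to sites.google.com")
    return reasons

def demo():
    signed = dkim_sign(ORIGINAL, "google.com", "sel1")
    replayed = replay(signed, "fwd@constructed-infra.example", "mail.constructed-infra.example")
    tampered = replayed.replace("constructed-case", "other-case")  # any body edit breaks bh=
    return {"original_passes": dkim_verify(signed)[0], "replay_passes": dkim_verify(replayed)[0],
            "tampered_passes": dkim_verify(tampered)[0], "replay_flags": replay_indicators(replayed)}

if __name__ == "__main__":
    print(demo())
```

    Running the file shows the three outcomes that matter: the original alert verifies, the replayed copy with a foreign envelope sender still verifies, and any edit to the body or a signed header breaks the signature. That is exactly why the attacker could not alter Google's alert and instead had to get the phishing text into it up front, via the OAuth app's name. The `replay_indicators` heuristic is one practical check a mail filter can make: a passing signature for the header-From domain combined with an envelope sender somewhere else is the fingerprint of a replay, and for a message claiming to be a Google alert, a link into sites.google.com is the same tell Johnson noticed by eye.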

    Google's initial reply was that the process was working as intended, but the company has since reconsidered, recognised the behaviour as a risk to its users, acknowledged the weakness and is working to fix it on the OAuth side.

    This attack shows why recipients cannot rely on a sender address or a passing DKIM check alone: here the message really was generated and signed by Google, and what gave it away was that the real sender was not Google and that its link led to a page on sites.google.com, Google's free web-building platform, rather than anywhere a genuine security alert would point. It also underlines the need for continuous security monitoring and updates against threats that abuse legitimate features rather than software bugs.

    In conclusion, this attack shows how much mileage criminals get from chaining legitimate platform features: the OAuth app, the signed security alert and the sites.google.com page were all genuine Google services behaving as designed. Until Google's fix for the OAuth weakness lands, users should treat unexpected security alerts with caution and check where a link actually leads before entering credentials.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Phishers-Abuse-Google-OAuth-to-Spoof-Google-in-DKIM-Replay-Attack-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/

  • https://easydmarc.com/blog/google-spoofed-via-dkim-replay-attack-a-technical-breakdown/


  • Published: Mon Apr 21 09:36:24 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.