A sophisticated phishing campaign has been uncovered, in which hackers have successfully exploited Google’s infrastructure to send deceptive emails that appear to originate from a legitimate Google address, tricking users into revealing their login credentials. Recently, Nick Johnson, the lead developer of the Ethereum Name Service (ENS), exposed the attack, which involved emails sent from no-reply@google.com that passed DomainKeys Identified Mail (DKIM) authentication, thereby deceiving Gmail into treating them as genuine security alerts.
According to Johnson, who shared his findings on X (formerly Twitter), “These emails are valid, signed, and display no warnings in Gmail. They appear in the same thread as real Google security alerts, making them even more convincing.”
The emails claim to notify recipients of a subpoena related to unspecified content from their Google Account and prompt users to click a sites.google.com link to “examine the case materials” or “submit a protest.” This link redirects to a counterfeit Google Support page hosted on Google Sites, where users are asked to either “upload additional documents” or “view [the] case.” These buttons then redirect to a near-perfect replica of the Google Account sign-in page, designed to harvest user credentials.
Johnson noted that the only indication that it’s a phishing attack is that it’s hosted on ‘sites.google.com’ instead of ‘accounts.google.com’.
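The sites.google.com-versus-accounts.google.com tell that Johnson describes can be turned into a mechanical triage check. The following is an added example, not code from the article, from Johnson, or from Google: it parses a raw message, records whether DKIM passed (which, as the article notes, it did for these emails and so proves nothing here), extracts the links in the body, and flags any that point at user-hosted Google Sites content in a message claiming to come from a google.com address. The sample message, its headers and its URLs are constructed for the example; the Google Sites path in it is a placeholder, not a real phishing URL.

```python
"""Triage helper for the Google Sites phishing pattern (added example, not the article's code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

SIGNIN_HOST = "accounts.google.com"          # where a real Google sign-in page lives
USER_HOSTED_GOOGLE_HOSTS = {"sites.google.com"}  # anyone can publish pages here
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

# Constructed sample message (not a real captured email); the sites.google.com
# path is a placeholder. It mimics the shape described in the article: a
# DKIM-passing message from no-reply@google.com with a "case materials" link.
SAMPLE = b"""From: Google <no-reply@google.com>
To: victim@example.com
Subject: Security alert
Authentication-Results: mx.google.com; dkim=pass header.i=@google.com
Content-Type: text/plain; charset="utf-8"

A subpoena was served regarding content in your Google Account.
Examine the case materials: https://sites.google.com/view/PLACEHOLDER-CASE-PAGE
Sign in to continue: https://accounts.google.com/signin
"""


def extract_links(raw_message: bytes) -> list[str]:
    """Return every http(s) URL found in the text parts of the message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    links: list[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            links.extend(URL_RE.findall(part.get_content()))
    return links


def triage(raw_message: bytes) -> dict:
    """Flag links to user-hosted Google Sites pages in a message that claims a google.com sender.

    DKIM passing is recorded but deliberately not used to clear the message:
    the campaign in the article produced validly signed mail.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    auth_results = str(msg.get("Authentication-Results", "")).lower()
    dkim_pass = "dkim=pass" in auth_results

    suspicious = []
    for url in extract_links(raw_message):
        host = (urlparse(url).hostname or "").lower()
        if host in USER_HOSTED_GOOGLE_HOSTS:
            suspicious.append(url)

    claims_google = sender.endswith("@google.com")
    verdict = "suspicious" if (claims_google and suspicious) else "no-indicator"
    return {
        "from": sender,
        "dkim_pass": dkim_pass,
        "suspicious_links": suspicious,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The point of the design is that authentication results and link destinations are assessed separately: a `dkim=pass` verdict only says the signing domain vouched for the message, not that the page a link leads to is the sign-in host, so the check keys on the host of each link rather than on the signature.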
Johnson warned that the realistic design and subtle domain differences make the phishing attempt particularly dangerous. “These scams are designed to look as real as possible,” he said. “Users who don’t spot the slightly altered domain could risk identity theft or financial loss.”
Google’s response to hackers ‘misusing’ its infrastructure
Google confirmed the attack and stated that it has since closed the loophole that allowed the abuse. According to a Google spokesperson, “We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse. We encourage users to adopt two-factor authentication and passkeys for stronger protection.” The company reiterated that it never asks for account credentials — including passwords, one-time codes (OTPs), or confirmation prompts — via email or phone. Google also advised users to verify the authenticity of any email by opening links manually in a separate browser window. As per Google’s privacy policy, legitimate government requests for account information are accompanied by advance notice—unless legally prohibited.
Cybersecurity experts’ safety tips for Gmail users
Cybersecurity experts caution that Gmail users, particularly those not using two-factor authentication or passkeys, are at heightened risk. While passwords alone can be compromised, passkeys—hardware-bound login credentials—offer significantly stronger resistance to phishing.
To avoid falling victim, users should be skeptical of emails that use vague greetings, urgent calls to action, or links requesting personal data.