Prime Highlights
- Attackers are abusing Google's OAuth app registration and Google's own DKIM-signed notification emails to deliver phishing messages that really were generated and signed by Google.
- The emails send victims to lookalike login pages hosted on Google infrastructure (sites.google.com) to harvest credentials.
Key Facts
- The messages carry a genuine Google DKIM signature, so they pass the DKIM check (and with it DMARC) that would stop an ordinary spoofed sender.
- Attackers host the fake support and login pages on legitimate Google domains such as sites.google.com.
- The attack abuses Google's automatically generated security alerts: the phishing text is placed in the OAuth application name, which Google embeds in the alert, and the signed alert is then replayed to victims with its signed headers and body unchanged.
Key Background
A new and highly deceptive phishing campaign has surfaced in which attackers abuse Google's OAuth application registration together with DomainKeys Identified Mail (DKIM), the signature scheme mail providers use to verify that a message was sent by the domain it claims and was not altered in transit, to deliver malicious emails that really do come from "no-reply@google.com". Because Google itself signed them, the messages pass DKIM verification; they clear a check that ordinary spoofed mail fails and are far more likely to reach the inbox rather than the spam folder.
The attackers build the lure out of Google's own features. They register a Google account with the address "me@<evil-domain>.com" and create an OAuth application whose name is the phishing text itself, for example a fake legal notice. When they grant that application access to their own account, Google automatically generates a security alert that quotes the application name. That alert, genuinely produced and DKIM-signed by Google, is then forwarded to the targets. Since Google's signature is intact, it passes DKIM verification and is displayed as a legitimate alert from Google.
To make the fraud more convincing, the links in these alerts point to pages hosted on genuine Google domains such as sites.google.com, which lead to counterfeit support and login pages that closely mimic Google's real sign-in flow. The only visible tell is that the address is not accounts.google.com, something most users will not notice.
This is a DKIM replay attack. A DKIM signature covers the selected headers and the body of a message, nothing about the envelope sender or the path the message travelled. Re-sending a signed message through another server with a fresh envelope therefore leaves the signature valid: the forwarding hop fails SPF, but DMARC needs only one aligned pass, and the DKIM d=google.com signature aligned with the no-reply@google.com From: address supplies it. Combined with the OAuth trick for getting attacker-chosen text into a Google-signed message, the result validates as Google's own mail while carrying the attacker's content.
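The replay property described above, worked through in Go as an added example (this is not code from the original article or from Google): a minimal DKIM signer and verifier over a constructed alert. The addresses, relay host names, selector and message text are illustrative. A forwarding hop rewrites the envelope and prepends a Received: header and the signature still verifies; changing one link in the body breaks it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

type Header struct{ Name, Value string }

// Message is what a relay handles: the SMTP envelope (never covered by DKIM)
// plus the header block and body (covered by the signature).
type Message struct {
	MailFrom, RcptTo string // envelope, rewritten on every hop
	Headers          []Header
	Body             string
}

// get returns the bottom-most header with this name (as DKIM does), or an empty one.
func (m Message) get(name string) Header {
	for i := len(m.Headers) - 1; i >= 0; i-- {
		if strings.EqualFold(m.Headers[i].Name, name) {
			return m.Headers[i]
		}
	}
	return Header{}
}

// DKIM "relaxed" header form: lower-case name, unfolded, whitespace squeezed.
func canonHeader(h Header) string {
	return strings.ToLower(h.Name) + ":" + strings.Join(strings.Fields(h.Value), " ") + "\r\n"
}

// Body hash (bh=) over the "simple" body form: trailing empty lines dropped.
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// hashInput is exactly what gets signed: the h= headers in order, then the
// DKIM-Signature header itself with an empty b= tag. The envelope is not in it.
func hashInput(m Message, hlist []string, unsigned string) []byte {
	var sb strings.Builder
	for _, name := range hlist {
		if h := m.get(name); h.Name != "" {
			sb.WriteString(canonHeader(h))
		}
	}
	sb.WriteString(strings.TrimSuffix(canonHeader(Header{"DKIM-Signature", unsigned}), "\r\n"))
	return []byte(sb.String())
}

// tag extracts one tag value (e.g. "bh") from a DKIM-Signature header value.
func tag(v, k string) string {
	for _, t := range strings.Split(v, ";") {
		if kv := strings.SplitN(strings.TrimSpace(t), "=", 2); len(kv) == 2 && kv[0] == k {
			return kv[1]
		}
	}
	return ""
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// Sign prepends a DKIM-Signature over From/To/Subject and the body hash.
func Sign(m Message, key *rsa.PrivateKey, domain string) Message {
	hlist := []string{"from", "to", "subject"}
	unsigned := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=example; h=%s; bh=%s; b=",
		domain, strings.Join(hlist, ":"), bodyHash(m.Body))
	digest := sha256.Sum256(hashInput(m, hlist, unsigned))
	sig := must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]))
	m.Headers = append([]Header{{"DKIM-Signature", unsigned + base64.StdEncoding.EncodeToString(sig)}}, m.Headers...)
	return m
}

// Verify checks the body hash, then the RSA signature over hashInput.
func Verify(m Message, pub *rsa.PublicKey) bool {
	v := m.get("DKIM-Signature").Value
	i := strings.Index(v, "; b=")
	sig, err := base64.StdEncoding.DecodeString(tag(v, "b"))
	if i < 0 || err != nil || tag(v, "bh") != bodyHash(m.Body) {
		return false // missing/undecodable signature, or body changed after signing
	}
	digest := sha256.Sum256(hashInput(m, strings.Split(tag(v, "h"), ":"), v[:i+4]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo signs a constructed alert (illustrative text, not a captured message), replays
// it through a forwarding hop to a new recipient, then edits the replayed body.
func Demo() (original, replayed, edited bool) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	alert := Message{MailFrom: "no-reply@google.com", RcptTo: "me@evil-domain.example",
		Headers: []Header{{"From", "Google <no-reply@google.com>"}, {"To", "me@evil-domain.example"}, {"Subject", "Security alert"}},
		Body:    "An app was granted access to your account:\r\n<attacker-chosen app name>\r\nReview: https://sites.google.com/<attacker-page>\r\n"}
	signed := Sign(alert, key, "google.com")
	// Forwarding hop: fresh envelope, one more Received header on top, signed headers and body untouched.
	relayed := signed
	relayed.MailFrom, relayed.RcptTo = "bounce@evil-domain.example", "victim@example.com"
	relayed.Headers = append([]Header{{"Received", "from relay.evil-domain.example by mx.example.com"}}, signed.Headers...)
	changed := relayed
	changed.Body = strings.Replace(changed.Body, "sites.google.com", "evil-domain.example", 1)
	return Verify(signed, &key.PublicKey), Verify(relayed, &key.PublicKey), Verify(changed, &key.PublicKey)
}

func main() { fmt.Println(Demo()) }
```

`go run` prints `true true false`: the original and the replayed copy both verify, because nothing in the envelope or the added Received: header is part of the signed bytes, while the copy with the edited link fails on the body hash. That is exactly why the attacker has to get their text into the message before Google signs it (the OAuth app name) rather than editing it afterwards.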
This is not the first such case. The same technique was reportedly used in phishing attacks against PayPal users earlier this year. The attack illustrates how sophisticated phishing has become and why a passing authentication check alone is no proof of good intent.
Experts recommend enabling two-factor authentication (ideally a phishing-resistant method such as a passkey or security key, since a lookalike login page can relay one-time codes as easily as passwords), inspecting email headers for inconsistencies (a To: address that names the attacker's mailbox rather than your own, an SPF failure or an unfamiliar relay in the Received: chain alongside a passing DKIM result), and treating any unexpected security alert with suspicion, in particular by signing in directly at accounts.google.com rather than through a link in the message.
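The header checks above, as an added example that is not from the original article: a small Go function that reads a constructed copy of a replayed alert, as a receiving mail server would store it, and reports the inconsistencies. The header values (Authentication-Results, Return-Path, Delivered-To, the relay name) and the links are illustrative placeholders, not captured data.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed sample of a replayed alert as the receiving MTA stores it; the
// header values are illustrative, not a captured message.
const replayed = "Delivered-To: victim@example.com\r\n" +
	"Return-Path: <bounce@evil-domain.example>\r\n" +
	"Authentication-Results: mx.example.com; dkim=pass header.d=google.com; spf=fail smtp.mailfrom=evil-domain.example; dmarc=pass header.from=google.com\r\n" +
	"Received: from relay.evil-domain.example by mx.example.com\r\n" +
	"DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=example; h=from:to:subject; bh=...; b=...\r\n" +
	"From: Google <no-reply@google.com>\r\n" +
	"To: me@evil-domain.example\r\n" +
	"Subject: Security alert\r\n\r\n" +
	"An app was granted access to your account.\r\nReview: https://sites.google.com/<attacker-page>\r\n"

// The same kind of alert delivered directly by the signer, for comparison.
const direct = "Delivered-To: victim@example.com\r\n" +
	"Return-Path: <no-reply@google.com>\r\n" +
	"Authentication-Results: mx.example.com; dkim=pass header.d=google.com; spf=pass smtp.mailfrom=google.com; dmarc=pass header.from=google.com\r\n" +
	"From: Google <no-reply@google.com>\r\n" +
	"To: victim@example.com\r\n" +
	"Subject: Security alert\r\n\r\n" +
	"Review: https://accounts.google.com/\r\n"

var (
	authResult = regexp.MustCompile(`\b(dkim|spf|dmarc)=(\w+)`)
	linkHost   = regexp.MustCompile(`https?://([\w.-]+)`)
)

func domainOf(addr string) string {
	a, err := mail.ParseAddress(addr)
	if err != nil {
		return ""
	}
	return strings.ToLower(a.Address[strings.LastIndex(a.Address, "@")+1:])
}

// Indicators lists the header-level inconsistencies a replayed DKIM-signed
// alert shows. Any one of them is normal for forwarded mail; a Google-signed
// security alert showing all of them is the pattern described above.
func Indicators(raw string) []string {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return []string{"unparseable message: " + err.Error()}
	}
	body, _ := io.ReadAll(msg.Body)
	h, out := msg.Header, []string{}
	auth := map[string]string{}
	for _, m := range authResult.FindAllStringSubmatch(h.Get("Authentication-Results"), -1) {
		auth[m[1]] = m[2]
	}
	// DKIM passes but SPF fails: the signed message arrived from a host the
	// From domain never authorised, i.e. it was relayed. DMARC still passes
	// because the aligned DKIM result alone satisfies it.
	if auth["dkim"] == "pass" && auth["spf"] != "pass" {
		out = append(out, "dkim=pass but spf="+auth["spf"]+": signed message relayed by a third party")
	}
	// Envelope sender domain differs from the From domain.
	if from := domainOf(h.Get("From")); from != "" && from != domainOf(h.Get("Return-Path")) {
		out = append(out, "Return-Path domain is not the From domain "+from)
	}
	// The To: header names a mailbox other than the one that received it.
	if to, deliv := strings.ToLower(h.Get("To")), strings.ToLower(h.Get("Delivered-To")); deliv != "" && !strings.Contains(to, deliv) {
		out = append(out, "To: "+h.Get("To")+" is not the delivered-to mailbox "+deliv)
	}
	// A "review your account" link that points at user-published hosting.
	for _, m := range linkHost.FindAllStringSubmatch(string(body), -1) {
		if strings.EqualFold(m[1], "sites.google.com") {
			out = append(out, "link to user-published content on "+m[1])
		}
	}
	return out
}

func main() {
	for _, i := range Indicators(replayed) {
		fmt.Println("-", i)
	}
}
```

On the replayed sample all four indicators fire; on the directly delivered one none do. None of these checks needs the DKIM key or a DNS lookup, which is the point: the signature is valid in both cases, and the evidence of replay lives in the headers the signature does not cover.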