Scammers are exploiting Google services to send fake law enforcement inquiry notifications


Imagine getting an email informing you that Google has received a subpoena requiring it to disclose the contents of your account. The email looks entirely credible, and the sender's address looks legitimate: [email protected]. Unsettling, or even panic-inducing, right?

Conveniently, the email also includes a link to a Google support page with all the details of the case. The domain in the link looks authentic too, and appears to belong to Google.

Regular readers of our blog will already suspect that we're describing a new phishing scheme. They would be right. This time the fraudsters are abusing several real Google services to deceive their victims and make the emails as convincing as possible. Here's how it works.

How the phishing email imitates an official notification from Google
The screenshot below shows the email that starts the attack; it convincingly imitates a warning from Google's security system. The message tells the user that Google has received a subpoena demanding access to the data in their Google account.

The "from" field shows a genuine Google address: [email protected], the very address Google's security notifications are sent from. The email adds details that reinforce the illusion: a Google Account ID, a support ticket number, and a link to the case. Most importantly, it tells the recipient they can follow that link to read the case materials or dispute the subpoena.

The link looks plausible too. It includes an official Google domain and the same support ticket number. Only an attentive user will spot the catch: genuine Google support pages live at support.google.com, whereas this link points to sites.google.com. The scammers are counting on users who either lack the technical background or simply fail to notice that one word has changed.

If the user isn't logged in, the link first takes them to a legitimate Google account login page (the real one, so nothing is captured at this step). After logging in, they land on a page on sites.google.com that closely resembles the official Google support site.

Incidentally, sites.google.com belongs to the legitimate Google Sites service. Launched in 2008, it's a fairly basic website builder, nothing unusual in itself. The critical detail is that every site built on the platform is hosted under a google.com subdomain, sites.google.com, at a path chosen by whoever created it.

Attackers can exploit such an address both to lower victims' vigilance and to slip past security controls, since users and filtering systems alike tend to trust the google.com domain. Unsurprisingly, scammers have increasingly used Google Sites to host phishing pages.

Reconstructing the attack one step at a time

To understand how the scammers managed to send such an email and what they were after, security researchers recreated the attack. They found that the attackers registered the (now-revoked) domain googl-mail-smtp-out-198-142-125-38-prod[.]net through Namecheap.

They then used the same registrar to set up a free mailbox on that domain: me[@]googl-mail-smtp-out-198-142-125-38-prod[.]net. The criminals also signed up for a free Google Workspace trial for the same domain. Finally, they registered their own web application with Google's OAuth service and granted it access to that Workspace account.

Google OAuth lets third-party web applications use Google account data to authenticate users, with the users' consent. You've met it whenever you click a "Sign in with Google" button. Beyond sign-in, applications can use Google OAuth to request further permissions, for example to save files to your Google Drive.

Back to the scammers. Once an OAuth application is granted access to a Google account, Google sends a security alert to that account's mailbox, which here was the address on the attackers' own domain. The alert quotes the application's "App name" verbatim, and the app name is free text that the application's administrator can set to anything. The fraudsters put the entire "subpoena" notice into that field, so Google itself generated the phishing text, put its genuine no-reply address in the From header, and signed the message with its own DKIM key. All the attackers had to do was forward that message from their mailbox to their victims: the signature still verifies, and the sender still shows as Google.
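As an added example (not code from the article, the researchers, or Google), here is a small Python triage script that applies the checks this reconstruction points to: it parses a raw message, compares the DKIM signing domain and From domain with the envelope sender and the last Received hop, and lists links that point at user-content hosts such as sites.google.com. The two embedded messages are constructed to mirror the headers described above; the relay hostname, the IP addresses (RFC 5737 documentation ranges), the bounce address and the DKIM selector are placeholders, not observed values.

```python
"""Header and link triage for a suspected replayed Google notification.

Added example for this post, not code from the researchers or from Google.
Both raw messages are CONSTRUCTED; relay hostnames, IPs (RFC 5737 ranges),
the bounce address and the DKIM selector are placeholders.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# google.com hosts that serve user-controlled content. A link to one of
# these says nothing about who wrote the page behind it.
USER_CONTENT_GOOGLE_HOSTS = {
    "sites.google.com", "docs.google.com", "drive.google.com", "script.google.com",
}

# CONSTRUCTED: a Google-generated alert forwarded on from the attackers'
# registrar-hosted mailbox. Google signed it, but it reached us via a relay.
REPLAYED_MESSAGE = b"""\
Return-Path: <me@googl-mail-smtp-out-198-142-125-38-prod.net>
Received: from fwd-relay.privateemail.example (fwd-relay.privateemail.example [192.0.2.10]) by mx.victim.example with ESMTPS id 4ZTk3; Sun, 13 Apr 2025 10:21:09 +0000
Received: from smtp-out.google.com (smtp-out.google.com [198.51.100.69]) by fwd-relay.privateemail.example with ESMTPS id 7Yq2; Sun, 13 Apr 2025 10:20:51 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=selector; h=to:from:subject:date; bh=REDACTED; b=REDACTED
From: Google <no-reply@accounts.google.com>
To: me@googl-mail-smtp-out-198-142-125-38-prod.net
Subject: Security alert
Date: Sun, 13 Apr 2025 10:20:50 +0000
Content-Type: text/plain; charset="utf-8"

Google LLC has been served a subpoena requesting content from your account.
Case materials: https://sites.google.com/view/example-case/home
Help: https://support.google.com/accounts/
"""

# CONSTRUCTED: the same kind of alert delivered directly by Google.
GENUINE_MESSAGE = b"""\
Return-Path: <bounce@accounts.bounces.google.com>
Received: from smtp-out.google.com (smtp-out.google.com [198.51.100.69]) by mx.victim.example with ESMTPS id 1Ab2; Sun, 13 Apr 2025 09:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=selector; h=to:from:subject:date; bh=REDACTED; b=REDACTED
From: Google <no-reply@accounts.google.com>
To: user@victim.example
Subject: Security alert
Date: Sun, 13 Apr 2025 09:00:00 +0000
Content-Type: text/plain; charset="utf-8"

A new sign-in was detected. Review it: https://myaccount.google.com/notifications
"""


def _domain(header_value: str) -> str:
    """Lowercase domain of the first address in a header value ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _under(host: str, apex: str) -> bool:
    """True when host is apex itself or a subdomain of it."""
    return host == apex or host.endswith("." + apex)


def triage(raw: bytes) -> dict:
    """Report whether a Google-signed mail actually arrived via Google and
    which body links point at user-controlled content on google.com hosts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    from_domain = _domain(str(msg.get("From", "")))
    envelope_domain = _domain(str(msg.get("Return-Path", "")))

    m = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    dkim_domain = m.group(1).lower() if m else ""

    # Each hop prepends a Received header, so the first one names the server
    # that handed the message to our MX.
    received = [str(h) for h in msg.get_all("Received", [])]
    m = re.match(r"\s*from\s+(\S+)", received[0]) if received else None
    last_hop = m.group(1).lower() if m else ""

    # DKIM and From aligned to Google is exactly what a replayed alert shows
    # (DMARC passes); the giveaway is the envelope sender and delivering hop.
    signed_by_google = _under(dkim_domain, "google.com") and _under(from_domain, "google.com")
    delivered_by_google = _under(envelope_domain, "google.com") and _under(last_hop, "google.com")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    links = re.findall(r"https?://[^\s<>\"']+", text)
    user_content_links = [u for u in links if urlparse(u).hostname in USER_CONTENT_GOOGLE_HOSTS]

    return {
        "from_domain": from_domain,
        "dkim_domain": dkim_domain,
        "envelope_domain": envelope_domain,
        "last_hop": last_hop,
        "replay_suspected": signed_by_google and not delivered_by_google,
        "user_content_links": user_content_links,
    }


if __name__ == "__main__":
    for label, raw in (("replayed", REPLAYED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, triage(raw))
```

Run it directly to see both verdicts. The genuine alert shows Google on both sides; the replayed copy keeps Google's valid DKIM signature, which is why ordinary DKIM and DMARC checks pass, but arrives from the attackers' mailbox, and that mismatch, together with a "support" link on sites.google.com, is the signal a filter can act on.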

How to safeguard yourself against phishing attacks like this one
It's not entirely clear what the attackers were after. Nothing in the chain so far hands over the victim's credentials: the login page the link leads to is Google's real one, and the OAuth application was authorized against the attackers' own Workspace account, not the victim's. Even where a user does consent to an OAuth application, the result is a token with whatever limited access the requested permissions grant, not the account password.

The fake Google Support page the deceived user ends up on suggests that the goal was to persuade them to download some "legal documents" supposedly related to their case. What those documents contained is unknown, but it is likely they carried malicious code.

The researchers reported the phishing campaign to Google. The company acknowledged the risk to users and said it is working to address the OAuth issue. How long that will take is not yet known.

In the meantime, here are some suggestions to help you avoid falling victim to this and other sophisticated phishing schemes.

  • Stay calm if you receive an email like this. Start by inspecting the full headers and comparing them with legitimate emails from Google, which you probably have in your inbox. Pay particular attention to the Return-Path and the chain of Received headers: a genuine Google alert comes straight from Google's servers, whereas a replayed one has passed through a third-party mailbox. If anything is inconsistent, don't hesitate to hit "Delete".
  • Be wary of pages on the google.com domain created with Google Sites. Fraudsters have recently been using it for a growing number of phishing schemes, and the google.com address says nothing about who built the page.
  • As a rule of thumb, don't follow links in emails. Open Google services by typing the address yourself or using a bookmark.
  • Use a reliable security solution that alerts you promptly to threats and blocks phishing links.
