ENS founder warns of Google spoof that tricks users with a fake subpoena

The founder and lead developer of Ethereum Name Service has warned his X followers of an “extremely sophisticated” phishing attack that can impersonate Google and trick users into giving out login credentials. 

The phishing attack exploits Google’s infrastructure to send a fake alert to users informing them that their Google data is being shared with law enforcement due to a subpoena, ENS’ Nick Johnson said in an April 16 post to X. 

“It passes the DKIM signature check, and GMail displays it without any warnings - it even puts it in the same conversation as other, legitimate security alerts,” he said. 

As part of the attack, users are offered the chance to view the case materials or protest by clicking a support page link, which uses Google Sites, a tool that can be used to build a website on a Google subdomain, according to Johnson. 

“From there, presumably, they harvest your login credentials and use them to compromise your account; I haven’t gone further to check,” he said.

The Google domain name makes the email appear legitimate, but Johnson points out there are still clear signs it’s a phishing scam — such as it being forwarded from a private email address.

In an April 11 report, software firm EasyDMARC explained that the phishing scam works by weaponizing Google Sites.

Anyone with a Google account can create a site that looks legitimate and is hosted under a trusted Google-owned domain.

They also use the Google OAuth app, where the “key trick is that you can put anything you want in the App Name field in Google,” and use a domain via Namecheap that allows them to “put no-reply@google account as From address and the reply address can be anything.”

“Finally, they forward the message to their victims. Because DKIM only verifies the message and its headers and not the envelope, the message passes signature validation and shows up as a legitimate message in the user’s inbox — even in the same thread as legit security alerts,” Johnson said. 

Speaking to Cointelegraph, a Google spokesperson said they are aware of the issue and are shutting down the mechanism that attackers are using to insert the “arbitrary length text,” which will prevent the method of attack from working in the future. 

Related: Hackers hide crypto address-swapping malware in Microsoft Office add-in bundles

“We’re aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse,” the spokesperson said. 

The spokesperson added that Google will never ask for any private account credentials — including passwords, one-time passwords or push notifications, nor call users.  

Magazine: Your AI ‘digital twin’ can take meetings and comfort your loved ones