{"id":53392,"date":"2025-05-13T09:22:41","date_gmt":"2025-05-13T13:22:41","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=53392"},"modified":"2025-05-13T09:22:41","modified_gmt":"2025-05-13T13:22:41","slug":"dkim-replay-attack-through-google-oauth","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/dkim-replay-attack-through-google-oauth\/53392\/","title":{"rendered":"Email from Google: law enforcement is looking into your account"},"content":{"rendered":"<p>Imagine receiving an email that says Google has received a subpoena to release the contents of your account. The email looks perfectly \u201cGoogley\u201d, and the sender\u2019s address appears legitimate too: <strong><em>no-reply@accounts.google.com<\/em><\/strong>. A little unnerving (or maybe panic-inducing?) to say the least, right?<\/p>\n<p>And what luck \u2014 the email contains a link to a Google support page that has all the details about what\u2019s happening. The domain name in the link looks legit, too, and seems to belong to Google\u2026<\/p>\n<p>Regular readers of our blog have probably already guessed that we\u2019re talking here about a <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack\/\" target=\"_blank\" rel=\"nofollow noopener\">new phishing scheme<\/a>. And they\u2019d be right. This time, the scammers are exploiting several genuine Google services to fool their victims and make the emails look as convincing as possible. Here\u2019s how it works\u2026<\/p>\n<h2>How phishing email mimics an official Google notification<\/h2>\n<p>The screenshot below shows the email that kicks off the attack; and it does a really credible job of pretending to be an alert from Google\u2019s security system. 
The message informs the user that the company has received a subpoena requesting access to the data in their Google account.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/13091425\/dkim-replay-attack-through-google-oauth-1.jpg\"><img decoding=\"async\" width=\"773\" height=\"1024\" class=\"size-large wp-image-53401\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/13091425\/dkim-replay-attack-through-google-oauth-1-773x1024.jpg\"><\/a><\/p>\n<p>The \u201c<strong>from<\/strong>\u201d field contains a genuine Google address: <strong><em>no-reply@accounts.google.com<\/em><\/strong>. This is the exact same address Google\u2019s security notifications come from. The email also contains a few details that reinforce the illusion of authenticity: a Google Account ID, a support ticket number, and a link to the case. And, most importantly, the email tells the recipient that if they want to learn more about the case materials or contest the subpoena, they can do so by clicking a link.<\/p>\n<p>The link itself looks quite plausible, too. The address includes the official Google domain and the support ticket number mentioned above. And it takes a savvy user to spot the catch: Google support pages are located at <strong><em>support.google.com<\/em><\/strong>, but this link leads to <strong><em>sites.google.com<\/em><\/strong> instead. The scammers are, of course, counting on users who either don\u2019t understand such technicalities or don\u2019t notice the word substitution.<\/p>\n<p>If the user isn\u2019t logged in, clicking the link takes them to a genuine Google account login page. 
After authorizing, they land on a page at <strong><em>sites.google.com<\/em><\/strong>, which quite convincingly mimics the official Google support site.<\/p>\n<div id=\"attachment_53400\" style=\"width: 817px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/13091302\/dkim-replay-attack-through-google-oauth-2.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53400\" class=\"size-full wp-image-53400\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/13091302\/dkim-replay-attack-through-google-oauth-2.jpg\" alt=\"Fake Google Support page created with Google Sites \" width=\"807\" height=\"533\"><\/a><p id=\"caption-attachment-53400\" class=\"wp-caption-text\">This is what a fake Google Support page linked in the email looks like. <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>Now, it just so happens that the <strong><em>sites.google.com<\/em><\/strong> domain belongs to the legitimate <a href=\"https:\/\/en.wikipedia.org\/wiki\/Google_Sites\" target=\"_blank\" rel=\"nofollow noopener\">Google Sites service<\/a>. Launched back in 2008, it\u2019s a fairly unsophisticated website builder \u2014 nothing out of the ordinary. The important nuance about Google Sites is that all websites created within the platform are automatically hosted on a <em>google.com<\/em> subdomain: <strong><em>sites.google.com<\/em><\/strong>.<\/p>\n<p>Attackers can use such an address to both lull victims\u2019 vigilance and circumvent various security systems, as both users and security solutions tend to trust the Google domain. 
It\u2019s little wonder that scammers <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-use-google-search-ads-to-steal-google-ads-accounts\/\" target=\"_blank\" rel=\"nofollow noopener\">have increasingly been using Google Sites to create phishing pages<\/a>.<\/p>\n<h2>Spotting fakes: the devil\u2019s in the (email) details<\/h2>\n<p>We\u2019ve already described the first sign of a dodgy email: the address of the fake support page located at <strong><em>sites.google.com<\/em><\/strong><em>.<\/em> Look to the email header for more red flags:<\/p>\n<div id=\"attachment_53399\" style=\"width: 799px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/13091147\/dkim-replay-attack-through-google-oauth-3.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53399\" class=\"size-full wp-image-53399\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/13091147\/dkim-replay-attack-through-google-oauth-3.png\" alt='Phishing disguised as an official Google email: note the \"to\" and \"mailed-by\" fields' width=\"789\" height=\"613\"><\/a><p id=\"caption-attachment-53399\" class=\"wp-caption-text\">Spot the fake: look at the \u201cto\u201d and \u201cmailed-by\u201d fields in the header. <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>The fields to pay attention to are \u201c<strong>from<\/strong>\u201c, \u201c<strong>to<\/strong>\u201c, and \u201c<strong>mailed-by<\/strong>\u201c. 
The \u201c<strong>from<\/strong>\u201d one seems fine: the sender is the official Google email, <strong><em>no-reply@accounts.google.com<\/em><\/strong>.<\/p>\n<p>But lo and behold, the \u201c<strong>to\u201d<\/strong> field just below it reveals the actual recipient address, and this one sure looks phishy: <strong><em>me[@]googl-mail-smtp-out-198-142-125-38-prod[.]net<\/em><\/strong>. The address is trying hard to imitate some technical Google address, but the typo in the company domain name is a dead giveaway. Moreover, it has absolutely no business being there \u2014 this field is supposed to contain the recipient\u2019s email.<\/p>\n<p>As we keep examining the header, another suspicious address pops up in the \u201c<strong>mailed-by<\/strong>\u201d field. Now, this one is clearly nowhere near Google territory: <strong>fwd-04-1.fwd.privateemail[.]com<\/strong>. Yet again, nonsense like this has no place in an authentic email. For reference, here\u2019s what these fields look like in a real Google security alert:<\/p>\n<div id=\"attachment_53398\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/13091041\/dkim-replay-attack-through-google-oauth-4.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53398\" class=\"size-large wp-image-53398\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/13091041\/dkim-replay-attack-through-google-oauth-4-1024x563.png\" alt=\"Genuine Google security alert \" width=\"1024\" height=\"563\"><\/a><p id=\"caption-attachment-53398\" class=\"wp-caption-text\">The \u201cto\u201d and \u201cmailed-by\u201d fields in a genuine Google security alert<\/p><\/div>\n<p>Unsurprisingly, these subtle signs would likely be lost on the average user \u2014 especially when they\u2019re already freaked out by the looming legal trouble. 
Adding to the confusion is the fact that the fake email is actually signed by Google: the \u201c<strong>signed-by<\/strong>\u201d field shows <strong><em>accounts.google.com<\/em><\/strong>. In the next part of this post, we explain how the criminals managed to achieve this, and then we\u2019ll talk about how to avoid becoming a victim.<\/p>\n<h2>Reconstructing the attack step by step<\/h2>\n<p>To figure out exactly how the scammers managed to send such an email and what they were after, <a href=\"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/\" target=\"_blank\" rel=\"nofollow noopener\">cybersecurity researchers reenacted the attack<\/a>. Their investigation revealed that the attackers used Namecheap to register the (now-revoked) <strong><em>googl-mail-smtp-out-198-142-125-38-prod[.]net<\/em><\/strong> domain.<\/p>\n<p>Next, they used the same service again to set up a free email account on this domain: <strong>me[@]googl-mail-smtp-out-198-142-125-38-prod[.]net<\/strong>. In addition, the criminals registered a free trial version of Google Workspace on the same domain. After that the scammers registered their own web application in the Google OAuth system, and granted it access to their Google Workspace account.<\/p>\n<p>Google OAuth is a technology that allows third-party web applications to use Google <a href=\"https:\/\/developers.google.com\/identity\/protocols\/oauth2\/web-server\" target=\"_blank\" rel=\"nofollow noopener\">account data to authenticate users<\/a> with their permission. You\u2019ve likely encountered Google OAuth as a way to authenticate for third-party services: it\u2019s the system you use every time you click a \u201cSign in with Google\u201d button. Besides that, applications can use Google OAuth to obtain permission to, for example, save files to your Google Drive.<\/p>\n<p>But let\u2019s get back to our scammers. 
After a Google OAuth application is registered, the service allows sending a notification to the email address associated with the verified domain. Interestingly enough, the administrator of the web application is free to manually enter any text as the \u201cApp name\u201d \u2014 which seems to be what the criminals exploited.<\/p>\n<p>In the screenshot below, researchers demonstrate this by registering an app with the name \u201cAny Phishing Email Text Inject Here with phishing URLs\u2026\u201d.<\/p>\n<div id=\"attachment_53397\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/13090928\/dkim-replay-attack-through-google-oauth-5.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53397\" class=\"size-large wp-image-53397\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/13090928\/dkim-replay-attack-through-google-oauth-5-1024x982.jpg\" alt=\"Google OAuth allows setting a completely arbitrary web app name, and scammers are taking advantage of this \" width=\"1024\" height=\"982\"><\/a><p id=\"caption-attachment-53397\" class=\"wp-caption-text\">Registering a web app with an arbitrary name in Google OAuth: the text of a scam email with a phishing link can be entered as a name. <a href=\"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Source<\/a><\/p><\/div>\n<p>Google then sends a security alert containing this phishing text from its official address. This email goes to the scammers\u2019 email address on the domain registered through Namecheap. This service allows forwarding the notification received from Google to any address. 
All they need to do is set up a forwarding rule and specify the email addresses of potential victims.<\/p>\n<div id=\"attachment_53396\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/13090811\/dkim-replay-attack-through-google-oauth-6.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53396\" class=\"size-large wp-image-53396\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/13090811\/dkim-replay-attack-through-google-oauth-6-1024x839.jpg\" alt=\"How scammers set up a forwarding rule to deliver a phishing email that appears like it's coming from Google \" width=\"1024\" height=\"839\"><\/a><p id=\"caption-attachment-53396\" class=\"wp-caption-text\">Setting up a forwarding rule that allows sending the fake email to multiple recipients. <a href=\"https:\/\/easydmarc.com\/blog\/google-spoofed-via-dkim-replay-attack-a-technical-breakdown\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Source<\/a><\/p><\/div>\n<h2>How to protect yourself from phishing attacks like this one<\/h2>\n<p>It\u2019s not entirely clear what the attackers were hoping to achieve with this phishing campaign. Using Google OAuth to authenticate doesn\u2019t mean the victim\u2019s Google account credentials are shared with the scammers. The process generates a token that only provides limited access to the user\u2019s account data \u2014 depending on the permissions the user authorized and the settings configured by the scammers.<\/p>\n<p>The fake Google Support page the deceived user lands on suggested that the goal was to convince them to download some \u201clegal documents\u201d supposedly related to their case. The nature of these documents is unknown, but chances are they contained malicious code.<\/p>\n<p>The researchers reported this phishing campaign to Google. 
The company <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack\/\" target=\"_blank\" rel=\"nofollow noopener\">acknowledged this as a potential risk<\/a> for users and is currently working on a fix for the OAuth vulnerability. However, how long it will take to resolve the issue remains unknown.<\/p>\n<p>In the meantime, here\u2019s some advice to help you avoid becoming a victim of this and other intricate phishing schemes.<\/p>\n<ul>\n<li>Stay calm if you get an email like this. Begin by carefully examining all the email header fields and comparing them to legitimate emails from Google \u2014 you likely have some in your inbox. If you see any discrepancies, don\u2019t hesitate to hit \u201cDelete\u201d.<\/li>\n<li>Be wary of websites on the <strong><em>google.com<\/em><\/strong> domain that are created with Google Sites. Lately, scammers have been increasingly exploiting it for a wide range of phishing schemes.<\/li>\n<li>As a general rule, avoid clicking links in emails.<\/li>\n<li>Use a <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">robust security solution<\/a>\u00a0that will provide timely warnings about danger and block phishing links.<\/li>\n<\/ul>\n<blockquote><p>Follow the links below to read about five more examples of out-of-the-ordinary phishing.<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/turnkey-phishing\/51614\/\" target=\"_blank\" rel=\"noopener nofollow\">Turnkey phishing<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/phishing-with-progressive-web-apps\/51496\/\" target=\"_blank\" rel=\"noopener nofollow\">Progressive phishing: how PWAs can be used to steal passwords<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/browser-in-the-browser-attack\/44163\/\" target=\"_blank\" rel=\"noopener 
Browser-in-the-browser">
nofollow\">Browser-in-the-browser attack: a new phishing technique<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/beware-github-malicious-links\/51203\/\" target=\"_blank\" rel=\"noopener nofollow\">Malware lurking in \u201cofficial\u201d GitHub and GitLab links<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/when-two-factor-authentication-useless\/51434\/\" target=\"_blank\" rel=\"noopener nofollow\">When two-factor authentication is useless<\/a><\/li>\n<\/ul>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Scammers are exploiting Google services to send fake law enforcement inquiry notifications, making them look like they originate from accounts.google.com.<\/p>\n","protected":false},"author":2726,"featured_media":53393,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[2672,111,19,22,639,76,97,422],"class_list":{"0":"post-53392","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-accounts","9":"tag-attacks","10":"tag-email","11":"tag-google","12":"tag-oauth","13":"tag-phishing","14":"tag-security-2","15":"tag-threats"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/dkim-replay-attack-through-google-oauth\/53392\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/dkim-replay-attack-through-google-oauth\/28840\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/dkim-replay-attack-through-google-oauth\/24068\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/dkim-replay-attack-through-google-oauth\/28947\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/dkim-replay-attack-through-google-oauth\/28124\/"},{"hreflang":"es","url":"https:\/\/www.kaspersk
y.es\/blog\/dkim-replay-attack-through-google-oauth\/30941\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/dkim-replay-attack-through-google-oauth\/29650\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/dkim-replay-attack-through-google-oauth\/39506\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/dkim-replay-attack-through-google-oauth\/13355\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/dkim-replay-attack-through-google-oauth\/22778\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/dkim-replay-attack-through-google-oauth\/23806\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/dkim-replay-attack-through-google-oauth\/29114\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/dkim-replay-attack-through-google-oauth\/34889\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/dkim-replay-attack-through-google-oauth\/34522\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53392","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=53392"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53392\/revisions"}],"predecessor-version":[{"id":53403,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53392\/revisions\/53403"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/53393"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/bl
og\/wp-json\/wp\/v2\/media?parent=53392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=53392"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=53392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}