Phishers abuse Google OAuth to spoof Google in DKIM replay attack

In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google’s systems, passing all verifications but pointing to a fraudulent page that collected logins. The attacker leveraged Google’s infrastructure to trick recipients into accessing a legitimate-looking “support portal” that asks for Google account credentials. The fraudulent message appeared to come from “[email protected]” and passed the DomainKeys Identified Mail (DKIM) authentication method but the real sender was different. Fake email with Google's DKIM stamp Nick Johnson, the lead developer of the Ethereum Name Service (ENS), received a security alert that seemed to be from Google, informing him of a subpoena from a law enforcement authority asking for his Google Account content. Almost everything looked legitimate and Google even placed it with other legitimate security alerts, which would likely trick less technical users that don’t know where to loo ... Read full article.