Beware of this sneaky Google phishing scam

Attackers are sending phishing emails that appear to be from “no-reply@google.com,” presented as an urgent subpoena alert about “law enforcement” seeking information from the target’s Google Account. Bleeping Computer reports that the scam utilizes Google’s “Sites” web-building app to create realistic-looking phishing websites and emails that aim to intimidate victims into giving up their credentials.

As explained by EasyDMARC, an email authentication company, the emails manage to bypass the DomainKeys Identified Mail (DKIM) authentication that would normally flag fake emails, because they came from Google’s own tool. The scammers simply entered the full text of the email as the name of their fake app, which autofills that text into an email sent by Google to their own chosen address.

Gmail Security Communications spokesperson Ross Richendrfer sent over this statement from Google in response, saying, “We’re aware of this class of targeted attack from this threat actor, and have rolled out protections to shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”

When forwarded from the scammer to a user’s Gmail inbox, it remains signed and valid since DKIM only checks the message and headers. PayPal users were similarly targeted using the DKIM relay attack last month. Finally, it links to a real-looking support portal on sites.google.com instead of accounts.google.com, hoping the recipient won’t catch on.

Etherem Name Service developer Nick Johnson received the same Google phishing scam and reported the attackers’ misuse of Google OAuth applications as a security bug to Google. The company initially brushed it off as “working as intended,” but then backtracked and is now working on a fix.

Update, April 21st: Added statement from Google.