One of the oldest signs of a scam email is an incorrect domain. However, as BleepingComputer detailed, threat actors recently spoofed google.com email addresses by exploiting OAuth, which is the open standard that allows websites or applications to connect to Google services without the users having to share information such as their Gmail passwords.
As of April 20, Google confirmed it is aware of the vulnerability and is working on a fix.
The fake emails mimicked legal subpoenas from Google
The OAuth scam was reported by Nick Johnson, a developer with a company offering a blockchain naming service. According to Johnson, the attacker first created a domain and an associated email address with a Google account, using the format [email protected]. Then, they made a Google OAuth app and named it using the full content of the phishing email — in Johnson’s case, an alert about a subpoena.
When the attacker granted the OAuth app access to a Google email address, that address would receive the fake subpoena notification.
A closer look revealed the email originated from sites.google.com, not accounts.google.com. It displayed [email protected] as the sender address, which added credibility. That genuine address was a convincing touch because the attacker hid the phishing text inside the app’s name, bypassing Google’s own security scans, which cover the message body and the headers.
Because of this tactic, the phishing email passed the DKIM signature check, a protocol that verifies a message was signed by the domain it claims to come from and was not altered in transit.
Using me@ as the address meant the message would appear to have been sent directly to one person, rather than being emailed to a group of potential victims.
If a victim clicked on the fake security alert, they would be directed to the sites.google.com page, where attackers could attempt to harvest the victim’s email credentials.
Johnson speculated Google Sites itself posed a security risk. “IMO they need to disable scripts and arbitrary embeds in Sites; this is too powerful a phishing vector,” he wrote.
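As an added illustration (not code from the article or from Johnson), the following Python check flags the three signals described above in a received message: a DKIM pass for a Google domain on a message whose signed To: header is not the receiving mailbox, a me@ recipient on a third-party domain, and links into sites.google.com. All header values are constructed placeholders; the real sender mailbox is redacted on the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the article's description, not a captured message.
# The sender mailbox is a placeholder because the page redacts the real one.
SAMPLE = """\
Delivered-To: victim@example.org
Authentication-Results: mx.example.org; dkim=pass header.d=accounts.google.com
From: Google <noreply-placeholder@accounts.google.com>
To: me@attacker-workspace.example
Subject: Security alert
Content-Type: text/html

<p>A subpoena has been issued. Review at
<a href="https://sites.google.com/view/case-placeholder">this page</a>.</p>
"""

# Legitimate Google hosts that nevertheless serve arbitrary user-authored pages.
USER_CONTENT_HOSTS = {"sites.google.com"}


def audit_message(raw: str) -> list[str]:
    """Return a list of findings for a forwarded OAuth-app phish; empty if nothing is odd."""
    msg = message_from_string(raw)
    findings = []
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", auth)
    dkim_domain = m.group(1) if m else None
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    delivered = msg.get("Delivered-To", "").strip().lower()
    from_domain = from_addr.rpartition("@")[2].lower()
    to_local, _, to_domain = to_addr.lower().partition("@")

    # 1. DKIM passed for a Google domain, yet the signed To: is not our mailbox:
    #    the message was sent to someone else and forwarded to us intact.
    if dkim_domain and dkim_domain.endswith("google.com") and to_addr.lower() != delivered:
        findings.append(f"dkim pass for {dkim_domain} but To: {to_addr} != Delivered-To: {delivered}")
    # 2. me@<other domain>: the single-recipient pattern the article describes.
    if to_local == "me" and to_domain and to_domain != from_domain:
        findings.append(f"To: uses me@ on third-party domain {to_domain}")
    # 3. A Google-signed alert whose links lead to user-hosted content.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for host in re.findall(r'href="https?://([^/"]+)', body):
        if host.lower() in USER_CONTENT_HOSTS:
            findings.append(f"link to user-hosted content: {host}")
    return findings


if __name__ == "__main__":
    for finding in audit_message(SAMPLE):
        print("FLAG:", finding)
```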
Other misuses of Google OAuth
In January, Truffle Security found that an attacker could purchase a defunct startup domain and re-create employee email addresses through it. With the zombie email addresses, they could access HR systems and potentially uncover employees’ financial information, among other potential misuses.
In March, a threat actor used OAuth to create fake alerts from PayPal. This was a double-layered scam taking advantage of the way PayPal lets users add a new email address to their account. The attackers sent messages informing users of a new address and a fake $1,000 charge. If the victim contacted the fake PayPal support number included in the email, they would be mired further into the scammer’s ecosystem.