Tech Expert Issues Warning About Highly Sophisticated New Gmail Scam Posing as Law Enforcement

Cybersecurity experts are raising alarms about a new phishing scheme that is particularly deceptive. This attack mimics legitimate Gmail communications, making it hard for users to tell the difference between real and fake messages. Nick Johnson, a developer at Ethereum Name Service, recently shared details about this sophisticated scam on social media.

Johnson revealed that he was targeted by a phishing attack disguised as an official request from law enforcement. The email claimed a subpoena had been issued to Google, seeking information from the recipient’s account. The message urged users to click on links to review case materials or submit protests, which would lead them to a fake sign-in page designed to capture their credentials.

What makes this scam particularly troubling is that it appears to come from an official Google domain. The email was sent from a no-reply address and was even grouped with legitimate security alerts, making it easy for users to overlook its suspicious nature. The phishing emails also linked to a convincing support portal, further enhancing their credibility.

Johnson pointed out that the attackers exploited two vulnerabilities in Google’s infrastructure. One of these issues involves Google Sites, which allows anyone to create content on a google.com subdomain. This makes it simple for cybercriminals to host fake login pages that look legitimate. Johnson criticized Google for not addressing these vulnerabilities, suggesting that the issue will likely persist as attackers can quickly create new phishing sites if old ones are taken down.

To help users identify these scams, Johnson shared some warning signs. For instance, the email header may look official even though the message was actually sent from a different domain. Users should also be wary of unusual sender addresses and of excessive whitespace in the message body.
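To make those warning signs checkable, here is an added example (not code from the original article or from Johnson) that scores a raw message against them: a domain mismatch between the visible From header and the Return-Path, a long run of blank lines in the body, and links hosted on Google Sites, which the article notes lets anyone publish under a google.com subdomain. The sample message, the blank-line threshold and the flag names are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (assumed values, not a real capture): visible From looks like Google,
# Return-Path is an unrelated domain, 40 blank lines pad the body, link is on Google Sites.
SAMPLE_RAW_EMAIL = (
    "Return-Path: <bounce@example-mailer.invalid>\n"
    "From: Google <no-reply@accounts.google.com>\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "A subpoena has been issued. Review the case materials at the link below.\n"
    + "\n" * 40
    + "https://sites.google.com/view/placeholder-case\n"
)
USER_CONTENT_HOSTS = {"sites.google.com"}  # anyone can publish here under google.com

def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a header value, or '' if none."""
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def longest_blank_run(text: str) -> int:
    """Length of the longest run of consecutive blank lines in the body."""
    run = longest = 0
    for line in text.splitlines():
        run = run + 1 if line.strip() == "" else 0
        longest = max(longest, run)
    return longest

def suspicious_signals(raw: str, blank_line_threshold: int = 10) -> list[str]:
    """Apply the article's warning signs to a raw RFC 5322 message; return the flags hit."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom, path_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Return-Path", ""))
    # Sign 1: the header looks official but the message was sent from a different domain.
    if from_dom and path_dom and from_dom != path_dom:
        flags.append(f"sender-domain-mismatch:{from_dom}!={path_dom}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Sign 2: excessive whitespace in the message body.
    blank = longest_blank_run(text)
    if blank >= blank_line_threshold:
        flags.append(f"excessive-whitespace:{blank}")
    # Sign 3: links hosted where anyone can publish under a google.com subdomain.
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlparse(url).hostname or "").lower()
        if host in USER_CONTENT_HOSTS:
            flags.append(f"user-content-host-link:{host}")
    return flags
```

These are triage heuristics, not a verdict: legitimate mailing-list traffic also carries a Return-Path on a different domain, so treat a hit as a reason to inspect the full headers rather than as proof of phishing.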

In response to these attacks, Google stated that it is aware of this type of phishing and has implemented measures to combat it. It also recommends that users enable two-factor authentication and use passkeys for added security.

As phishing attacks grow more advanced, it’s crucial for users to remain vigilant and skeptical of unsolicited emails, even when they appear to come from trusted sources.