Exploit in Google’s Systems Facilitates Highly Effective Crypto Phishing Scams

A newly discovered vulnerability within Google’s infrastructure has been exploited by malicious actors to orchestrate sophisticated phishing campaigns specifically targeting cryptocurrency users. This security flaw allows attackers to create deceptive interfaces that closely mimic legitimate platforms, significantly increasing the success rate of credential theft and asset diversion. Cybersecurity experts warn that this method represents an escalation in social engineering tactics, as it leverages trusted digital environments to bypass conventional user caution. The incident underscores the critical need for enhanced verification protocols and user education in the rapidly evolving landscape of crypto-related cyber threats.

He said:

“The first thing to note is that this is a valid, signed email – it really was sent from [email protected]. It passes the DKIM signature check, and GMail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.”

Once users click on the link in the email, they have to sign the purported support page. However, the support portal has sites.google.com as its URL, a ploy to deceive users into thinking it is genuine. According to Johnson, this fake support page is likely a phishing site where scammers harvest users’ login credentials.

The ENS developer noted that the vulnerability will likely remain, especially since Google has refused to act on it. Therefore, it is important for users to be aware and protect themselves.

Scammers exploiting Google Sites to create fake support pages

Meanwhile, Johnson explained how bad actors created fake Google Support pages that looked real. According to him, sites.google.com is a legacy product from the tech giant that allows users to host their content on the Google.com subdomain.

He noted that the product allows scrips and embeds, which is how scammers are able to build credential harvesting sites on the Google subdomain and upload new ones whenever the Google team removes the older versions.

Johnson said:

“Google long ago realised that hosting public, user-specified content on google.com is a bad idea, but Google Sites has stuck around.”

However, he noted that the only solution to this problem is for Google to disable scrips and arbitrary embeds for its Google Sites, as this makes the product a powerful phishing tool for scammers.

Bug report to Google

Interestingly, the scammers are generating the fake security alert email by exploiting a bug in Gmail. In his analysis of the email, Johnson pointed to clues such as the email header showing it was sent by “privateemail.com”, the recipient being ‘me@blah,’ and the white space below the phishing message.

According to him, the scammers did this by creating a Google account for Me@domain. After that, they created a Google OAuth application using the text in the phishing email, whitespace, and “Google Legal Support” as the application name.

Once they had done this, they granted the OAuth app access to their ‘me@…’ Google account, allowing them to generate the Security Alert Message from Google to the me@email. They forwarded this security alert to all potential targets.

Since Google generated the original security alert email, it was signed with a valid DKIM key, bypassed all the security checks, and appeared as a legitimate message in the user’s inbox.

However, Johnson said he submitted a report about the bug to Google but the tech giant has decided not to address it. Instead, the Google security team closed the report, noting that the feature is “Working as Intended,” which means they did not consider it a bug.

Meanwhile, the report of phishing scammers exploiting Google vulnerabilities to steal users’ information highlights multiple threats facing crypto users. Only few days ago, security experts claimed that hackers are using InfoStealers malware to steal users credentials from Browsers.

Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now