Source: The Hacker News. Author: The Hacker News. URL: https://thehackernews.com/2025/04/phishers-exploit-google-sites-and-dkim.html
ONE SENTENCE SUMMARY:
Attackers executed a sophisticated phishing attack that used Google’s own infrastructure and a DKIM replay technique, passing email security checks and harvesting user credentials.
MAIN POINTS:
- Attackers leveraged Google’s legitimate email infrastructure for phishing, bypassing typical security alerts.
- Phishing emails appeared authentic, passing DKIM, SPF, and DMARC authentication checks.
- Victims received fake subpoenas directing them to malicious sites hosted on Google Sites.
- Fraudulent websites mimicked Google Support, tricking users into inputting credentials.
- Attackers exploited legacy Google Sites’ support of arbitrary scripts to host phishing content.
- Emails appeared to come from “accounts.google.com,” even though they were sent from elsewhere.
- The DKIM replay attack abused Google’s OAuth application process to generate genuine-looking security alerts.
- Gmail displayed messages as addressed to “me,” adding authenticity and reducing suspicion.
- Google has implemented fixes to prevent this abuse pathway and advised adopting two-factor authentication.
- Phishing attacks increasingly exploit SVG attachments to embed malicious HTML and JavaScript.
TAKEAWAYS:
- Legitimate infrastructure such as Google’s can be exploited for sophisticated phishing attacks.
- DKIM signatures alone cannot guarantee email authenticity; vigilance remains essential.
- Legacy services supporting arbitrary scripts pose significant security risks.
- Enabling two-factor authentication and passkeys provides critical protection against phishing threats.
- Always scrutinize unexpected security alerts, even if they appear authentic and trustworthy.
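A defender-side check that illustrates the DKIM takeaway above, added here as an example and not code from the article or from Google: given raw message headers, it flags a message whose DKIM signer and visible From domain do not match the relay that actually delivered it or the envelope sender, which is the pattern a replayed, legitimately signed message leaves behind. All header values are constructed samples, and the organisational-domain heuristic (last two labels) is a simplification.

```python
import email, re
from email import policy

# Constructed sample headers (not from the article): DKIM passes for a Google
# domain, but the delivering hop and the envelope sender are an unrelated relay.
REPLAYED = """\
Return-Path: <bounce@relay-forwarder.test>
Received: from relay-forwarder.test (relay-forwarder.test [203.0.113.7])
  by mx.victim.test with ESMTPS id abc123
Received: from mail-sor.google.com (mail-sor.google.com [209.85.220.41])
  by relay-forwarder.test with ESMTPS id xyz789
Authentication-Results: mx.victim.test; dkim=pass header.d=accounts.google.com; spf=pass
From: Google <no-reply@accounts.google.com>
Subject: Security alert
"""

# Constructed control case: same DKIM result, delivered directly by Google.
DIRECT = """\
Return-Path: <3xyz@accounts.bounces.google.com>
Received: from mail-sor.google.com (mail-sor.google.com [209.85.220.41])
  by mx.victim.test with ESMTPS id def456
Authentication-Results: mx.victim.test; dkim=pass header.d=accounts.google.com; spf=pass
From: Google <no-reply@accounts.google.com>
Subject: Security alert
"""

def org_domain(name):
    # Crude organisational domain: last two labels (a public-suffix list does better).
    return ".".join(name.lower().split(".")[-2:])

def addr_domain(value):
    m = re.search(r"@([\w.-]+)", value)
    return m.group(1).lower() if m else ""

def assess(raw):
    # Returns findings for a DKIM-passing message; an empty list means the path is aligned.
    msg = email.message_from_string(raw, policy=policy.default)
    m = re.search(r"dkim=pass\b[^;]*header\.d=([\w.-]+)", str(msg.get("Authentication-Results", "")))
    if not m:
        return ["no dkim=pass result to assess"]
    signer, findings = m.group(1).lower(), []
    # Topmost Received header is the hop that handed the message to our MX.
    hop = re.match(r"from\s+([\w.-]+)", str(msg.get_all("Received")[0]))
    if hop and org_domain(hop.group(1)) != org_domain(signer):
        findings.append(f"signed by {signer} but delivered by {hop.group(1)}")
    # SPF is evaluated on the envelope sender, so a relay can pass SPF for itself
    # while the visible From still claims the signer's domain.
    envelope = addr_domain(str(msg.get("Return-Path", "")))
    if envelope and org_domain(envelope) != org_domain(addr_domain(str(msg.get("From", "")))):
        findings.append(f"From claims {addr_domain(str(msg['From']))} but envelope sender is {envelope}")
    return findings
```

Run `assess(REPLAYED)` and `assess(DIRECT)` side by side: the replayed message yields two findings while the directly delivered one yields none, even though both carry the same DKIM pass.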