Google security alerts used in new Gmail hack.
Protecting your accounts and data is getting harder and more complex, despite the best efforts of security defenders. In the same week that we have seen details of Microsoft introducing strict new email authentication rules on May 5 to protect 500 million Outlook users, and the FBI warning that hackers impersonating the FBI have struck, so both these stories merge as Google confirms that Gmail users are under attack from hackers bypassing its own email authentication protections and leveraging trust in Google infrastructure to launch a dangerous and costly threat. Here’s what you need to know and do.
Beware This Gmail Security Alert — No Matter How Real It Appears
Wouldn’t it be great if account security were straightforward and easy to accomplish? When you get an email from Google, a security alert no less, that passes Google’s own email authentication protections, you’d think it was trustworthy, right? Wrong, very wrong indeed, at least for now.
An April 16 posting on the X social media platform, first alerted us to the threat that exploits trust in Google’s own protections and platforms to execute a sophisticated hack attack. That post explained how the user, a software developer called Nick Johnson, had received a security alert email from Google informing them that a “subpoena was served on Google LLC requiring us to produce a copy of your Google Account content.” The emails went on to state that Johnson could examine the details or “take measures to submit a protest,” by following the included link to a Google support page. OK, so it’s a phishing email, nothing unusual about that, right? Wrong again. Not only did this threat come in an email that was validated and signed by Google itself, it was sent from a “[email protected].” address, and passed the strict DomainKeys Identified Mail authentication checks that Gmail employs, it was sorted by Gmail into “the same conversation as other, legitimate security alerts,” Johnson said.
This legitimacy is continued if you were to follow the link to the Google support page, a nefarious clone, of course, but one that is hosted on sites.google.com. Get as far as wanting to look at the documentation or upload a protest and, once again, the Google account credentials page is a perfect clone and hosted at sites.google.com which adds the trust of the google.com domain. You’d have to be pretty clued up to notice it wasn’t the genuine accounts.google.com where such logins actually happen.
If you fall into the trap, you can wave access to your Google account goodbye, and the hackers will say hello to your Gmail account and all the data that it contains.
Google Promises To Shut Down Gmail Attack With New Update
The good news is that Google has said that it is rolling out protections to counter the specific attacks from the threat actor concerned. “These protections will soon be fully deployed,” a spokesperson said, “which will shut down this avenue for abuse.” In the meantime, Google advised users to enable 2FA protections and switch to using passkeys for Gmail to provide “strong protection against these kinds of phishing campaigns.”
Explaining that the attack email leveraged an OAuth application combined with a creative DKIM workaround to bypass the types of safeguards meant to protect against this exact type of phishing attempt, Melissa Bischoping, head of security research at Tanium, warned that “while some components of this attack are new – and have been addressed by Google – attacks leveraging trusted business services and utilities are not one-off or novel incidents.”
Moving forward, Gmail users should still be alert to the danger of genuine-looking emails and alerts that purport to be from legitimate sources, even if that source is Google itself.
