
Latest news with #DomainKeysIdentifiedMail

Billions of Gmail users at risk with new phishing scam — here's how to spot it

Hamilton Spectator

05-05-2025

  • Business
  • Hamilton Spectator


An eerily convincing phishing message has been making the rounds in recent weeks. It passes Google's own email authentication checks rather than being caught by them, and it puts up to 1.8 billion Gmail users at risk. First highlighted on X by Nick Johnson, founder and chief developer of the Ethereum Name Service (ENS), the attack starts with a message sent from a no-reply@google [.]com address with the subject 'Security Alert.'

Johnson wrote: 'Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got.'

The message carries a valid DKIM (DomainKeys Identified Mail) signature, the mechanism that normally lets Gmail detect spoofed mail. Gmail 'displays it without any warnings,' Johnson said in the post. 'It even puts (the fake subpoena warning) in the same conversation as other, legitimate security alerts,' he added.

The message itself claims that a subpoena has been served ordering Google to produce a copy of the target's Google account content. 'This notice is to alert you that a subpoena was issued to Google LLC by a law enforcement that seeks retrieval of information contained in your Google Account,' the message reads. It includes a supposed reference number and a link to the person's 'Google Support Case.' That link, Johnson said, leads to a very convincing 'support portal' page built on Google Sites; the attackers chose Google Sites deliberately because recipients see a Google-owned domain in the address bar and assume the page is legitimate. Clicking 'Upload additional documents' or 'View case' takes the user to a sign-in page that looks like an exact duplicate of the real Google page. The only hint that it is a phish, Johnson explained, is the hostname: the page is served from Google Sites rather than from Google's real sign-in domain.
From there, the target's login credentials are harvested and used to compromise the account.

Google Sites is a legitimate Google tool that lets anyone build public-facing pages; everything published with it is served from a Google-owned subdomain, which is what appears in the address bar. Not every such page is malicious, but attackers targeting Google users sometimes build their phishing pages on Google Sites precisely because that subdomain looks legitimate and trustworthy to most users.

Making the email appear to come from a genuine no-reply@google [.]com address is more complicated, Johnson said. Attackers typically start by creating a Google account for 'me@domain' and triggering Google to send that account a real security alert, which they then forward to their victims. The phishing text rides inside the genuine alert: it is the name of an OAuth application the attacker registers, which Google's alert about that app's access echoes back, followed by a long run of blank space so that Google's own boilerplate sits far below the lure. Because a DKIM signature covers the message headers and body, not the route the message took, forwarding the alert verbatim through another mail provider leaves Google's signature intact; what changes is the server that actually hands the message over, which is what Gmail shows as 'mailed-by.'

In a statement sent to Newsweek, a representative from Google said the company is rolling out security updates to address the issue and advised users not to hand over credentials without first confirming that the site is legitimate.

Users can check the sender's details by clicking the small inverted-triangle icon beside the 'to me' field at the top of the email. Pay attention to the 'mailed-by' line. Although the message was signed by Google, Johnson noted in the post, it was mailed by privateemail[.]com.

Image caption: comparison of the sender details of a real Google security alert (left) and the subpoena phishing email (right); the phish shows privateemail[.]com, which is not a Google domain, under 'mailed-by.'

Other red flags, according to Johnson, are a Google Sites address in the URL, which shows the page was made with Google's free page-creation tool rather than being a real account page, and odd formatting such as a long run of blank space immediately after the phishing text.
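The sender-details check the article describes can be done on raw message headers as well as in Gmail's panel. The following is an added example, not code from Google or from Nick Johnson: a small Python triage script that flags the three tells covered above, a passing DKIM signature whose signing domain does not match the SPF-authenticated 'mailed-by' domain, a signed To: header naming a mailbox other than the one the mail was delivered to (the 'me@domain' account pattern), and a long run of whitespace padding in the body. All domains, addresses and both sample messages are constructed for the example, and the padding threshold is an assumption.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption for this example: one run of whitespace this long inside a short
# alert is treated as padding meant to push the genuine footer out of view.
PADDING_RUN = 120


def _aligned(a: str, b: str) -> bool:
    """Rough DMARC-style relaxed alignment: equal, or one is a subdomain of the
    other. No public-suffix list, so this is a heuristic, not a policy check."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def _auth_results(msg: Message) -> dict:
    """dkim=/spf= verdicts and their domains from Authentication-Results."""
    out = {"dkim": None, "dkim_domain": None, "spf": None, "spf_domain": None}
    for hdr in msg.get_all("Authentication-Results", []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", flat)
        if m:
            out["dkim"], out["dkim_domain"] = m.group(1), (m.group(2) or "").lower() or None
        m = re.search(r"spf=(\w+)(?:[^;]*?smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+))?", flat)
        if m:
            out["spf"], out["spf_domain"] = m.group(1), (m.group(2) or "").lower() or None
    return out


def replay_indicators(raw: str, recipient: str = "") -> list:
    """Replay indicators found in one raw RFC 5322 message. An empty list means
    none of these checks fired, not that the mail is genuine: ordinary
    forwarding and mailing lists also trip the first check, so treat it as triage."""
    msg = message_from_string(raw)
    auth = _auth_results(msg)
    signer = auth["dkim_domain"]
    mailed_by = auth["spf_domain"] or parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    findings = []

    # 1. "signed-by" and "mailed-by" disagree although DKIM passed: the signature is
    #    real, but an unrelated host relayed the message. DKIM covers headers and
    #    body, not the delivery path, so a verbatim forward still verifies.
    if auth["dkim"] == "pass" and signer and mailed_by and not _aligned(signer, mailed_by):
        findings.append(f"dkim-pass-from-unrelated-relay: signed-by={signer} mailed-by={mailed_by}")

    # 2. To: is one of the headers the signature covers, so a forwarder cannot rewrite
    #    it. If it names a mailbox other than the actual recipient, the message was
    #    originally sent somewhere else (the attacker's own account) and forwarded on.
    actual = (recipient or parseaddr(msg.get("Delivered-To", ""))[1]).lower()
    signed_to = parseaddr(msg.get("To", ""))[1].lower()
    if actual and signed_to and actual != signed_to:
        findings.append(f"signed-to-is-not-recipient: to={signed_to} delivered-to={actual}")

    # 3. A long run of blank space after the lure, pushing the provider's genuine
    #    boilerplate out of the visible part of the message.
    text = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    longest = max((len(run) for run in re.findall(r"\s+", text)), default=0)
    if longest >= PADDING_RUN:
        findings.append(f"whitespace-padding: run of {longest} whitespace characters")
    return findings


# Constructed sample: a normal alert, signed and delivered by the same operator.
CLEAN_ALERT = """\
Delivered-To: victim@example.net
Return-Path: <bounces@accounts.example.com>
Authentication-Results: mx.example.net;
 dkim=pass header.i=@accounts.example.com header.d=accounts.example.com;
 spf=pass smtp.mailfrom=bounces@accounts.example.com
From: "Example Accounts" <no-reply@accounts.example.com>
To: victim@example.net
Content-Type: text/plain; charset="utf-8"

A new sign-in to your account was detected. If this was you, no action is needed.
"""

# Constructed sample: the provider's genuine signature, but the alert was addressed
# to a mailbox the attacker controls, relayed by an unrelated host, and padded with
# blank space after the lure.
REPLAYED_ALERT = """\
Delivered-To: victim@example.net
Return-Path: <attacker@mail.example-host.net>
Authentication-Results: mx.example.net;
 dkim=pass header.i=@accounts.example.com header.d=accounts.example.com;
 spf=pass smtp.mailfrom=attacker@mail.example-host.net
From: "Example Accounts" <no-reply@accounts.example.com>
To: me@attacker-registered.example
Content-Type: text/plain; charset="utf-8"

A subpoena was served requiring us to produce a copy of your account content.
Review the case materials at the support portal below.
""" + " " * 150 + "\nYou received this alert because an application was granted access.\n"
```

Run `replay_indicators(REPLAYED_ALERT)` to see all three indicators fire, and `replay_indicators(CLEAN_ALERT)` to see none. The first check deliberately ignores From: and looks at the SPF-authenticated envelope domain, because in this campaign From:, DKIM and therefore DMARC all legitimately point at the provider; only the relaying host gives the forward away, which is why the article tells readers to look at 'mailed-by' and not at the visible sender.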

Google Responds to Report of Sophisticated Gmail Phishing Attack

Epoch Times

23-04-2025

  • Epoch Times


Google on April 22 said it is aware of reports of a phishing scam targeting Gmail account holders and has rolled out a fix.

Earlier this month, software developer and researcher Nick Johnson wrote that he had received a security alert email purporting to come from Google, informing him that a 'subpoena was served on Google LLC requiring us to produce a copy of your Google Account content' and adding that he could look into the details to 'submit a protest.'

'Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got,' Johnson wrote. The email appeared to come from a genuine Google no-reply address. 'It passes the DKIM signature check, and GMail displays it without any warnings—it even puts it in the same conversation as other, legitimate security alerts,' he said.

DKIM is an acronym for DomainKeys Identified Mail, an email authentication protocol that uses digital signatures to verify that a message really came from the domain it claims, according to Google's website. The signing domain signs selected headers and the message body, so a receiving server can check that those parts have not been altered since they were signed.

The only suggestion that it is a phishing attack, in which attackers pose as a legitimate entity to dupe a victim into revealing sensitive or personal information, is that the page is hosted on Google Sites rather than on Google's real sign-in domain, Johnson wrote in an X thread. Another sign it's a phishing attempt, he

A spokesperson for Google told The Epoch Times on Tuesday that the company has 'rolled out fixes to stop this abuse pathway,' responding to questions about Johnson's claims. 'We've shut down the mechanism that attackers are using to insert arbitrary length text, which will prevent this method of attack from working,' the company said. 'We're aware of this class of targeted attack from this threat actor, and have rolled out protections to shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns,' a separate company spokesperson said in a statement. Google also won't 'ask for any of your account credentials—including your password, one-time passwords, confirm push notifications, etc.—and Google will not call you,' the spokesperson added.

Google's policy on government requests for user data, set out in a separate document, says: 'We won't give notice when legally prohibited under the terms of the request. We'll provide notice after a legal prohibition is lifted, such as when a statutory or court-ordered gag period has expired.' It adds that Google may 'not give notice in the case of emergencies, such as threats to a child's safety or threats to someone's life, in which case we'll provide notice if we learn that the emergency has passed.'

Billions of Gmail users at Risk: Developer shares email that he says 'exploits vulnerability in Google's infrastructure'; Google responds

Time of India

23-04-2025

  • Time of India


In a highly sophisticated phishing campaign, hackers are said to have exploited Google's own infrastructure to send deceptive emails that appear to come from a legitimate Google address, in order to trick users into handing over their login credentials.

The attack, brought to light recently by Nick Johnson, lead developer of the Ethereum Name Service (ENS), involved emails sent from a Google no-reply address that passed DomainKeys Identified Mail (DKIM) authentication, leading Gmail to treat them as authentic security alerts. 'These emails are valid, signed, and display no warnings in Gmail,' Johnson said on X (formerly Twitter). 'They appear in the same thread as real Google security alerts, making them even more convincing.'

The emails claim to notify recipients of a subpoena involving unspecified content from their Google Account and prompt them to click a link to 'examine the case materials' or 'submit a protest.' The link leads to a counterfeit Google Support page hosted on Google Sites, where users are asked to either 'upload additional documents' or 'view [the] case.' These buttons redirect to a near-perfect replica of the Google Account sign-in page, designed to harvest credentials. The only hint that it is a phishing attack, Johnson noted, is that the page is hosted on Google Sites rather than on Google's real sign-in domain.

Johnson warned that the realistic design and subtle domain differences make the attempt especially dangerous. 'These scams are designed to look as real as possible,' he said. 'Users who don't spot the slightly altered domain could risk identity theft or financial loss.'

Google on hackers 'misusing' its infrastructure

Google confirmed the attack and stated it has since closed the loophole that allowed the abuse. 'We're aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse,' a Google spokesperson told The Hacker News. 'We encourage users to adopt two-factor authentication and passkeys for stronger protection.'

The company reiterated that it never asks for account credentials, including passwords, one-time codes (OTPs) or confirmation prompts, via email or phone. Google also advised users to verify the authenticity of any email by navigating to the site directly in a separate browser window rather than clicking links in the message. According to Google's privacy policy, legitimate government requests for account information are accompanied by advance notice unless that is legally prohibited.

Cybersecurity experts' safety tips for Gmail users

Cybersecurity experts caution that Gmail users, particularly those not using two-factor authentication or passkeys, are at heightened risk. A password can be typed into a look-alike page and reused by the attacker; a passkey is bound to the origin it was registered with and to the user's device, so a fake sign-in page on a different domain cannot collect a usable credential. To avoid falling victim, users should be sceptical of emails that use vague greetings, urgent calls to action, or links requesting personal data.

Is my Gmail account hacked? Google 'warns' 3 billion users of security risk; check how to recover phished account

Time of India

22-04-2025

  • Time of India


More than 3 billion Gmail users are potentially at risk as a major phishing campaign tricks victims by imitating Google's security alerts. The attack, which abuses OAuth app registration and replays a genuinely DomainKeys Identified Mail (DKIM) signed Google alert, makes fraudulent emails pass Gmail's authentication checks. Google confirmed the issue and is deploying updated protections. A spokesperson for the company said the new safety features will shut down the avenue for abuse once fully in place.

Gmail account hacked? You have seven days to act

According to a Forbes report, if a Gmail account has been compromised and the attacker has changed the password and recovery methods, the legitimate user still has seven days to reverse those changes. The recovery can be done via the original recovery phone number or email, provided they were set up beforehand. Google's Ross Richendrfer was quoted in the Forbes report as saying that users can always enable phishing-resistant technologies such as passkeys and security keys. He also urged users to keep their recovery information updated at regular intervals.

Why passkeys are the future

The company has issued a stern warning against relying solely on passwords or SMS-based two-factor authentication, both of which it says are now vulnerable to increasingly sophisticated attacks. Google urged users to adopt passkeys, which are tied to their device and require biometric or PIN verification, adding that passkeys make unauthorised access significantly more difficult.

Gmail attack sparks panic

Google was alerted to the campaign when Ethereum developer Nick Johnson received a realistic legal notice from a Google no-reply address. The email had a valid DKIM signature and mimicked an official Google alert. According to media reports, the attackers had exploited a loophole: they had Google send genuine, signed alerts to accounts they controlled and then forwarded those messages to victims to phish their credentials.

Premium users can access live human support

Users subscribed to Google One's premium service can access live human support, including call-backs and chat options for account recovery. Human support could significantly speed up regaining access after a compromise.

Quick tips to secure your Gmail account

  • Use a passkey associated with your device
  • Use Google Authenticator or Google Prompts instead of SMS
  • Add and routinely update your recovery phone number and email
  • Avoid clicking links in unexpected emails about security alerts
  • Google will never contact users directly about account security

FAQs

Q: What can I do if someone hacks into my Gmail account?
Respond as soon as possible. Use your recovery phone number or email, if the attacker has not yet changed them, to begin account recovery within seven days.

Q: How do passkeys enhance Gmail security?
Passkeys are bound to your own device and require biometric or PIN authentication. They cannot be phished or reused the way passwords can, so they are significantly more secure.

Gmail Attack Update — Google Tells 3 Billion Users: Do This Next

Forbes

22-04-2025

  • Forbes


Google issues four-step response to Gmail hack attacks.

Unless you have been living in a cave, and one without an internet connection, you will probably be aware that Gmail has come under attack from sophisticated hackers who got past Google's own email security protections. Thankfully, Google's Gmail spokesperson, Ross Richendrfer, has assured me that the technology giant is 'aware of this class of targeted attack from this threat actor,' and has 'rolled out protections to shut down this avenue for abuse.' This new Gmail security update is welcome news for all. Richendrfer urged me to convey to my readers that Google will never ask for any of your account credentials, including Gmail account passwords, one-time 2FA passwords or confirmation of push notifications. As well as that Gmail update, Google has shared a four-step response plan for anyone who finds themselves on the wrong end of a Gmail attack.

The short version is that an email sent from a Google no-reply address, claiming that a subpoena had been served requiring Google to produce a copy of the account content, got past the sender validation protections put in place to protect Gmail users. Of course, it was a phishing scam. But it was a very sophisticated one that ticked all the boxes as far as leveraging trust and getting victims to follow instructions is concerned. The email stated that the subpoena details could be examined, or measures taken to file a protest, by going to the included Google support pages.

So, to recap: the email carried a genuine Google DKIM signature and a From address on a Google domain. Because it passed the DomainKeys Identified Mail authentication checks that Gmail employs, the fake alert ended up in the same Gmail conversation as genuine security alerts from Google. Google has now shut down the mechanism the attackers used, the insertion of arbitrary-length text into a genuine alert, to prevent this kind of DKIM replay attack from working in the future.

In conversation with Gmail's Richendrfer, my attention was drawn to the 'recently shared detailed guidance on spotting and avoiding email scams' published by Google. This includes a four-step response for anyone who thinks they may have fallen victim to the latest Gmail attack or any such scam. Google also has an interactive phishing quiz to see how well you might be able to identify a Gmail attack or other social engineering campaign targeting your Google services.
