Cybercriminals have discovered a way to send phishing emails that appear to come directly from Google by exploiting a flaw involving OAuth and DKIM authentication.
The attack, described as a DKIM replay phishing method, uses a legitimate Google-signed message to trick users into visiting a fake “support portal” hosted on Google Sites and entering their credentials.
Ethereum Name Service developer Nick Johnson exposed the tactic after receiving a realistic-looking alert claiming legal action against his Google account.
The key trick lies in registering a domain and creating a Google account like me@domain, then crafting an OAuth app whose name mimics a full phishing message, tricking Google into generating a signed email.
Because a DKIM signature covers only the signed headers and the message body, not the address the message is actually sent from, a replayed copy of the Google-signed message still passes DKIM verification and appears fully authentic.
This technique has also been used to spoof PayPal emails, using similar manipulation of legitimate system-generated alerts.
While Google initially dismissed the issue, it later acknowledged the risk and is working on a fix. The case highlights how legitimate infrastructure can be abused to bypass security measures and deceive users.
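As an added illustration (not code from the article or from Google), the defender-side check below flags the replay pattern described above: a genuinely signed message whose signed To header names a different mailbox than the one it was delivered to, plus a google.com-signed alert that links to a Google Sites page. The two sample messages are constructed, the signature values are placeholders, and the heuristics are assumptions about how such a replay shows up in headers, not a verified Google detection rule.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a google.com-signed alert that was sent to the attacker's
# own mailbox and then forwarded verbatim to the victim (signature untouched).
REPLAYED = """\
Delivered-To: victim@example.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=demo;
 h=from:to:subject:date; bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE==
From: Google <no-reply@accounts.google.com>
To: me@attacker-controlled.example
Subject: Security alert
Date: Mon, 21 Apr 2025 10:00:00 +0000

Please review the case at https://sites.google.com/view/constructed-example
"""

# Constructed sample: the same alert delivered to the mailbox it was signed for.
LEGITIMATE = REPLAYED.replace(
    "To: me@attacker-controlled.example", "To: victim@example.net"
).replace("https://sites.google.com/view/constructed-example",
          "https://myaccount.google.com/")


def parse_dkim_tags(sig: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in sig.replace("\r\n", "").replace("\n", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def replay_findings(raw: str) -> list:
    """Return heuristic findings suggesting a DKIM replay; empty list if none."""
    msg = message_from_string(raw)
    findings = []
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header"]
    tags = parse_dkim_tags(sig)
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    delivered = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    signed_to = parseaddr(msg.get("To", ""))[1].lower()
    if "to" not in signed:
        findings.append("To header is not covered by the DKIM signature")
    elif delivered and signed_to and delivered != signed_to:
        findings.append(f"signed To is {signed_to} but delivered to {delivered}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if tags.get("d", "").lower() == "google.com" and "sites.google.com" in body:
        findings.append("google.com-signed alert links to a Google Sites page")
    return findings
```

A mismatch between the signed To and Delivered-To is exactly what a valid-but-forwarded signature leaves behind, which is why DKIM alone cannot catch this class of message.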