
Google has confirmed to Newsweek that it is responding to a new type of phishing attack after reports of the scam went viral.
The attack, which uses the Google Sites feature to fake legitimate domain names, appears able to bypass Gmail’s DKIM signature check, which filters for scams and suspicious mail.
Why It Matters
With 1.8 billion user accounts across the world, Gmail is one of the most important email providers active today, and any breach to its security could have huge ramifications for millions of people. Phishing attacks often attempt to get people to share personal information, like Social Security numbers, which enables criminals to access finances.
What To Know
Reports of the attack first emerged when cryptocurrency influencer Nick Johnson posted a thread on X, formerly Twitter, outlining the scam.
“The first thing to note is that this is a valid, signed email—it really was sent from no-reply@google.com,” Johnson wrote.
“It passes the DKIM signature check, and Gmail displays it without any warnings—it even puts it in the same conversation as other, legitimate security alerts.”
“The site’s link takes you to a very convincing ‘support portal’ page. They’ve cleverly used http://sites.google.com because they know people will see the domain is http://google.com and assume it’s legit.”

Google’s DKIM signature check normally routes mail from a suspicious origin to the spam folder, but because the attack uses a domain generated by Google Sites, the check treats the origin as legitimate and the message lands in the inbox alongside genuine alerts.
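The following Python snippet is an added illustration, not part of the Newsweek article or any Google tooling, of why a DKIM pass on its own is not a sufficient trust signal: it reads the Authentication-Results header and separately flags a message whose links land on user-publishable Google properties such as sites.google.com. The two sample messages, the list of user-hosted hosts, and the myaccount.google.com destination in the benign sample are constructed assumptions for the example.

```python
import email
import re
from email import policy

# Constructed samples (not real campaign data): DKIM passes for google.com in
# both, but only the first sends the reader to a user-created Google Sites page.
SUSPICIOUS_EML = """\
Authentication-Results: mx.google.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.i=@google.com
From: Google <no-reply@google.com>
Content-Type: text/plain

Unusual activity was detected. Review it at your support portal:
https://sites.google.com/view/CONSTRUCTED-EXAMPLE
"""
BENIGN_EML = """\
Authentication-Results: mx.google.com; dkim=pass header.i=@google.com
From: Google <no-reply@google.com>
Content-Type: text/plain

A new sign-in was detected. Review activity at:
https://myaccount.google.com/notifications
"""

# Google-owned hosts on which any user can publish content (assumed list).
USER_HOSTED = {"sites.google.com", "docs.google.com", "drive.google.com"}
URL_RE = re.compile(r"https?://([^/\s]+)[^\s]*")

def parse_auth_results(value):
    """Map each method ('dkim', 'spf', ...) to its result from an Authentication-Results header."""
    results = {}
    for clause in str(value).split(";")[1:]:      # first token is the authserv-id
        m = re.match(r"(\w+)=(\w+)", clause.strip())
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def link_hosts(body):
    """All hostnames linked from the message body, in order of appearance."""
    return [m.group(1).lower() for m in URL_RE.finditer(body)]

def assess(raw):
    """Return the DKIM verdict plus a flag for DKIM-passing mail that links to user-hosted pages."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    hosts = link_hosts(msg.get_body(preferencelist=("plain",)).get_content())
    dkim_pass = auth.get("dkim") == "pass"
    suspicious = [h for h in hosts if h in USER_HOSTED]
    return {"dkim_pass": dkim_pass, "hosts": hosts,
            "suspicious_hosts": suspicious, "flag": dkim_pass and bool(suspicious)}
```

Both samples pass DKIM; only the one whose link leaves Google's first-party account pages is flagged, which is the distinction a DKIM check alone cannot make.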
In a statement to Newsweek, Google confirmed that it was aware of the attack and was taking steps to ensure it was properly dealt with.
A spokesperson for Google said: “We’re aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse.
“In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”
What People Are Saying
On its phishing-advice page, Google says: “Be careful anytime you receive a message from a site asking for personal information. If you get this type of message, don’t provide the information requested without confirming that the site is legitimate.
“If possible, open the site in another window instead of clicking the link in your email. Google will never send unsolicited messages asking for your password or other personal information.”
What Happens Next
While Google continues to work on the issue, users should be extremely wary of any emails that ask for personal information, even if they appear to have a legitimate domain.