Gmail Users Exposed In Sophisticated DKIM Replay Phishing Attack

(MENAFN- The Arabian Post)

A recent and highly sophisticated phishing campaign has exposed a critical vulnerability within Google's infrastructure, placing Gmail users at significant risk. The attack, identified by Nick Johnson, lead developer of the Ethereum Name Service , demonstrates how cybercriminals can exploit Google's own systems to deliver deceptive emails that appear to originate from legitimate Google sources.

Johnson received an email that seemed to be a standard security alert from Google, notifying him of a subpoena allegedly issued by law enforcement concerning his Google account. The email included a link directing him to a page hosted on google, which closely mimicked Google's official support portal. Upon closer inspection, Johnson noted that the URL should have been google, raising suspicions about the email's authenticity.

The attackers leveraged Google's Sites platform to host these fraudulent pages, exploiting the trust users place in Google's domains. By using google, which allows any user to create web pages, the phishing pages appeared credible and bypassed many security filters. This tactic is particularly effective because the domain seems trustworthy to most users and can circumvent standard email authentication protocols.

A critical component of this attack is the abuse of the DomainKeys Identified Mail protocol. DKIM allows the sending server to attach a digital signature to an email, verifying its authenticity. In this case, the attackers exploited a loophole where DKIM-signed messages retain their signature during replays, provided the email body remains unchanged. This means that if a malicious actor obtains a previously legitimate DKIM-signed email, they can resend it without modification, and it will still pass authentication checks.

The attackers executed a multi-step process to exploit this vulnerability:

See also Meta's AI Faces Scrutiny Over Disturbing Conversations With Child Users

1. They created a Gmail account with an address starting with“me@”, making the email appear as if it was addressed to“me,” a common shorthand in Gmail interfaces.

2. They registered a Google OAuth application, naming it to match the phishing link.

3. They granted the OAuth app access to their Google account, triggering a legitimate security warning from [email protected] .

4. This alert, containing the content of the phishing email embedded in the app name, had a valid DKIM signature.

5. They forwarded the message untouched, preserving the DKIM signature's validity.

By embedding the entire phishing message in the application name and preparing a fake login site, the attackers created a convincing facade. Once the initial setup was complete, replicating the procedure became straightforward, even if a page was reported and taken down. Notably, reporting abuse on google is not a simple process, further aiding the attackers.

The phishing email's authenticity was bolstered by the fact that it passed all standard authentication checks, including DKIM, and appeared in the same conversation thread as legitimate security alerts from Google. This level of sophistication makes it challenging for users to discern the fraudulent nature of the email.

Google initially responded to Johnson's bug report by stating that the system was“Working as Intended.” However, after further consideration, Google acknowledged the issue and committed to addressing the OAuth bug. The company has since implemented measures to close this security loophole and recommends that users enable two-factor authentication and passkeys to enhance account security.

Notice an issue? Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com . We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.

MENAFN29042025000152002308ID1109487838