A new kind of phishing attack is fooling Gmail’s security. Here’s how it works
Be wary of strange emails, even if they say it's from Google.

Phishing attacks are nothing new, least of all against Gmail users, and email providers issue constant warnings about what to watch for in a suspicious message.
That still doesn't stop attackers. Some stick with painfully obvious phishing emails that claim to be from Apple, Amazon, or Facebook but arrive from random, unrelated addresses. Others have become smarter and sneakier, to the point where it is now very hard to tell a fake email from a real one.
Software developer Nick Johnson posted a thread on X about a new kind of phishing attack. He received an email claiming that Google had been served with a subpoena requiring it to produce a copy of the contents of his Google account.
An email like this would seemingly be easy to dismiss just by looking at who sent it. In this case, however, the message came from a real Google address, no-reply@google.com, and carried a valid Google DomainKeys Identified Mail (DKIM) signature. That is less reassuring than it sounds: a passing DKIM check only proves that the signed headers and body were signed with Google's key and have not been altered since. It says nothing about who actually relayed the message to you or whether you were the intended recipient. Gmail, for its part, filed the email alongside Johnson's other genuine Google security alerts.
Clicking the link led to a convincing Google sign-in page, with the subtle difference that it lived on "sites.google.com" rather than "accounts.google.com." Johnson went no further, since that page was presumably where the attackers would have harvested his credentials.
Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got: pic.twitter.com/tScmxj3um6 (April 16, 2025)
So how did the attackers produce an email that is genuinely signed by Google and a fake site that is genuinely hosted on a Google domain? Johnson laid out a theory.
The first step is the fake site, built on an old Google product.
"The fake portal is fairly straightforward. http://sites.google.com is a legacy product from before Google got serious about security; it allows users to host content on a http://google.com subdomain, and crucially it supports arbitrary scripts and embeds," Johnson tweeted.
With the fake page in place, the attackers register a domain and create a Google account on it. In Johnson's example the address was "me@domain."
They then create a Google OAuth application, which a knowledgeable developer can do in minutes. The application's name is set to the text of the phishing message itself, with all the spacing and wording of a real Google email, including a "Google Legal Support" line in Johnson's case.
Finally, they grant that OAuth app access to the Google account they created, "me@domain" in Johnson's example. Google responds by sending the account a genuine "Security Alert" email, and because the app's name is reproduced in the alert, the phishing text appears in the body. The attacker then forwards that email, unmodified, to the victim. This is a DKIM replay: the signature still verifies because the signed headers and body are unchanged, the message appears to come from a legitimate Google address, and it carries the link to the fake site. What does change is the path the message took, which is why the clues Johnson found are in the headers rather than in the content.
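The header clues above (signed by one domain, mailed by another, addressed to someone other than the mailbox it landed in) and the sites.google.com link from earlier in the article can all be checked mechanically. The script below is an added example, not code from the article, from Nick Johnson, or from Google. It parses two constructed messages whose headers mimic the shapes the article describes; every hostname, selector, IP, message ID and URL in them is a placeholder, and the two-label approximation of an "organizational domain" is a simplification that a real deployment would replace with a public suffix list lookup.

```python
"""Heuristics for spotting a replayed (forwarded) DKIM-signed security alert.

Added example; not code from the article, from Nick Johnson, or from Google.
Both sample messages are constructed; hosts, IPs, IDs and URLs are placeholders.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Google hosts that serve user-uploaded content. A sign-in page here is never
# legitimate; real sign-in happens on accounts.google.com.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}

# Constructed sample 1: the replayed alert. Signed by accounts.google.com, but
# handed to our MX by a third-party mailer and addressed to someone else.
SAMPLE_REPLAYED = b"""\
Delivered-To: victim@example.org
Return-Path: <bounce@mailer.attacker-example.net>
Received: from mailer.attacker-example.net (mailer.attacker-example.net [203.0.113.5])
        by mx.example.org with ESMTPS id abc123 for <victim@example.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
        s=20230601; h=to:from:subject:date:message-id; bh=AAAA=; b=BBBB=
From: Google <no-reply@accounts.google.com>
To: me@attacker-example.net
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

Google Legal Support was granted access to your Google Account.
Review the request at https://sites.google.com/view/legal-support-example
"""

# Constructed sample 2: a genuine alert shape, delivered straight from Google
# to the mailbox it names.
SAMPLE_LEGIT = b"""\
Delivered-To: victim@example.org
Return-Path: <3abc@accounts.google.com>
Received: from mail-sor.google.com (mail-sor.google.com [198.51.100.7])
        by mx.example.org with ESMTPS id xyz789 for <victim@example.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
        s=20230601; h=to:from:subject:date:message-id; bh=AAAA=; b=BBBB=
From: Google <no-reply@accounts.google.com>
To: victim@example.org
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A new sign-in was detected. Review it at https://myaccount.google.com/notifications
"""

DKIM_TAG = re.compile(r"(?:^|;)\s*([a-z]+)=\s*([^;]*)")


def dkim_tags(header: str) -> dict:
    """Split a DKIM-Signature header into its tag=value pairs (RFC 6376)."""
    return {k: "".join(v.split()) for k, v in DKIM_TAG.findall(header)}


def org_domain(host: str) -> str:
    """Approximate organizational domain: the last two labels (simplification)."""
    return ".".join(host.lower().split(".")[-2:])


def addr_domain(value: str) -> str:
    """Domain of the first address in a header value, '' if none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value)
    return m.group(1).lower() if m else ""


def last_hop_host(msg) -> str:
    """Host in the topmost Received: header, i.e. who handed the message to our
    MX. For a replayed message this is the forwarder, not Google."""
    received = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", str(received[0])) if received else None
    return m.group(1).lower() if m else ""


def replay_findings(raw: bytes) -> list:
    """Return 'code: detail' strings, one per replay indicator found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    signer = dkim_tags(str(msg.get("DKIM-Signature", ""))).get("d", "").lower()
    from_dom = addr_domain(str(msg.get("From", "")))
    return_dom = addr_domain(str(msg.get("Return-Path", "")))
    hop = last_hop_host(msg)
    # DMARC-style relaxed alignment of From: with the DKIM d= domain. A replayed
    # Google alert passes this check: the attacker never touched From:.
    if signer and from_dom and org_domain(from_dom) != org_domain(signer):
        findings.append(f"unaligned-from: From {from_dom}, signed by {signer}")
    # The signature survives forwarding, but the envelope sender and the last
    # relay belong to the forwarder: Johnson's "signed by X, mailed by Y".
    if return_dom and signer and org_domain(return_dom) != org_domain(signer):
        findings.append(f"mailed-by-mismatch: envelope {return_dom}, signed by {signer}")
    if hop and signer and org_domain(hop) != org_domain(signer):
        findings.append(f"relay-mismatch: last hop {hop}, signed by {signer}")
    # To: is covered by the signature, so it still names the attacker's own
    # account rather than the mailbox this copy was delivered to.
    delivered = re.search(r"[\w.+-]+@[\w.-]+", str(msg.get("Delivered-To", "")))
    recipients = [a.addr_spec.lower()
                  for h in (msg.get_all("To") or []) + (msg.get_all("Cc") or [])
                  for a in h.addresses]
    if delivered and delivered.group(0).lower() not in recipients:
        findings.append(f"recipient-mismatch: delivered to {delivered.group(0)}, "
                        f"To/Cc names {', '.join(recipients) or '(none)'}")
    # A link to a Google host that serves user content is the
    # sites.google.com-instead-of-accounts.google.com tell.
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    for url in re.findall(r"https?://[^\s<>\"')]+", body):
        if (urlparse(url).hostname or "").lower() in USER_CONTENT_HOSTS:
            findings.append(f"user-content-link: {url}")
    return findings


if __name__ == "__main__":
    for name, raw in (("replayed", SAMPLE_REPLAYED), ("legit", SAMPLE_LEGIT)):
        print(name, replay_findings(raw) or ["no replay indicators"])
```

Run stand-alone it reports four indicators for the replayed sample and none for the genuine one. The envelope and relay checks also fire on legitimately forwarded mail (mailing lists, forwarding rules), so on their own they are a prompt to look closer rather than a verdict; the combination with a security alert that names a recipient other than your own mailbox and links to user-hosted content on a Google domain is what makes this pattern distinctive.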
The email is much more sophisticated, and in my opinion much more obviously a security issue on Google's part. The first clues are in the email header: although it was signed by https://t.co/kCLNEQcBQK, it was emailed by https://t.co/ENBJVYriTF, and sent to 'me@blah' pic.twitter.com/BodFDqc6Ps (April 16, 2025)
Google is on it.
At the end of his thread, Johnson said he had reported the issue to Google, and the initial response wasn't ideal.
"I've submitted a bug report to Google about this; unfortunately they closed it as 'Working as Intended' and explained that they don't consider it a security bug. Obviously I disagree - but until they change their mind, be on the lookout for deceptive security alerts from Google," Johnson wrote.
He later posted that the company had changed its stance.
"Outstanding news: Google has reconsidered and will be fixing the oauth bug," he tweeted.
Google confirmed to Newsweek that it is working on a fix.
"We're aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse," the company told Newsweek. "In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns."

A veteran journalist and award-winning podcaster who specializes in reporting on conspiracy theories, misinformation, business, economics, video games, and tech.