Stay Safe: Understanding the Gmail Fraud That Beats Google’s Security


Gmail users are facing a sophisticated threat: authentic-looking security alert emails that pass Google's own defenses. The danger lies in their initial believability. A quick read suggests legitimacy, and the sender address is not a lookalike but Google's real one, no-reply@google.com.

The scam hinges on the assumption that recipients will not scrutinize the email's legitimacy and, driven by fear of supposed legal consequences, will hand over their Google credentials, and with them everything tied to the account: funds, personal media, and more.

Inside the Mind of the Gmail Fraudster


The fake email claims that a government subpoena requires Google LLC to hand over your complete Google account contents (photos, emails, Maps data, and so on) to the authorities. The critical point to recognize is that the email does not threaten you with legal action. Rather, it asserts that the government is demanding your data from Google. This subtle but significant detail is the central lure of the scam.

The "hook" is set, and now comes the "bait." The email's next paragraph urges you to visit a "sites.google.com" page to either see the data supposedly going to the government or to object. This is where the danger lies: the host name is genuinely Google's, but a "sites.google.com" page is something anyone with a Google account can create. It is not a Google portal; it is a fraudulent page built to steal your information.

Taken at face value, the fake email looks just like a real Google notice. It tells you to go to a "Google Support Case" site to resolve the matter or complain. Official-sounding wording like that is part of the costume.


Notice the supporting detail the email carries, such as a Google Account ID and a support ID. Note also that it says the legal order was served on Google, not on you personally. That framing makes the problem feel like Google's, with Google merely obliged to hand over your data. The sense that you are not the target is part of the trick.

The good news is that Google is aware of this fraud. It has announced protections to prevent this kind of abuse of its systems. Google also urges users to turn on two-factor authentication and passkeys; passkeys in particular are bound to the real sign-in site and cannot be replayed to a lookalike login page, which makes them a strong defense against phishing like this.

Gmail's Defenses Breached: But How?

  • Nothing Is Stolen: The attacker does not intercept anyone else's mail. They create a Google account and an app in Google Cloud, which prompts Google's own automated system to send a genuine "Security Alert" email, signed with Google's DKIM key, to an address the attacker controls.
  • Forwarding Without Touching It: The attacker then relays that email through an external service such as Outlook to new targets, taking care not to alter the signed headers or the body. Google's original signature survives the trip intact.
  • Why the Checks Pass: DKIM covers only the signed header fields and the body, not the SMTP envelope and not the route the message took, so the replayed copy verifies exactly as the original did. SPF for google.com does fail on the relay hop, but DMARC needs only one aligned pass, and the DKIM signature's d=google.com aligns with the no-reply@google.com From address. The receiving system therefore treats it as authenticated Google mail and files it alongside real alerts.
  • The Trap on a Trusted Domain: The email warns of suspicious activity and points to a page on "sites.google.com," a genuine Google host, where the attacker has built a page styled as an official Google support case or login page.
  • The Login Trap: Buttons such as "View Case" or "Upload Documents" lead to a fraudulent Google sign-in form. Any username and password entered there go straight to the attacker.
  • Why It's So Sneaky: Anyone can publish pages on "sites.google.com," and those pages can carry attacker-written content and code. A real signature, a real sender address, and a real Google domain together clear the standard spam and authentication checks, including Google's own.
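To make the mechanics in the list above concrete, here is an added example written for this edit; it is not code from the original article and not Google's or any vendor's implementation. It models a minimal DKIM signer and verifier over a From/To/Subject header set, plus the DMARC alignment rule, and then plays three deliveries through it: Google's own delivery of the alert, the attacker's byte-identical replay through an unrelated relay, and a replay in which one word of the body was edited. Every address, domain, the selector and the alert text are constructed for the demo; the SPFPass flag stands in for the receiving server's SPF lookup, body canonicalization is omitted, and DMARC alignment is simplified to an exact domain match.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is the part of an email DKIM can cover: header fields (lower-case names) and the body.
type Message struct{ Headers map[string]string; Body string }

// Envelope is the SMTP transaction, which DKIM never signs. SPFPass stands in for the
// receiving MTA's SPF lookup on MailFrom (constructed for this demo; no DNS is consulted).
type Envelope struct{ MailFrom, RcptTo string; SPFPass bool }

type Outcome struct{ DKIM, DMARC bool } // what the receiving MTA concludes for one delivery

var signedHeaders = []string{"from", "to", "subject"} // the h= list

func domainOf(addr string) string { return addr[strings.LastIndex(addr, "@")+1:] }

// bodyHash is the bh= value: SHA-256 of the body (canonicalization omitted for brevity).
func bodyHash(m Message) string {
	h := sha256.Sum256([]byte(m.Body))
	return base64.StdEncoding.EncodeToString(h[:])
}

// signingInput is exactly what b= covers: the h= headers in order, then the DKIM-Signature
// header itself with an empty b=. Not the envelope, and not the route the message took.
func signingInput(m Message, dkimNoSig string) []byte {
	s := ""
	for _, name := range signedHeaders {
		s += name + ":" + m.Headers[name] + "\r\n"
	}
	return []byte(s + "dkim-signature:" + dkimNoSig)
}

// Sign returns a DKIM-Signature header value for m under the signing domain.
func Sign(key *rsa.PrivateKey, domain string, m Message) string {
	hdr := fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=demo; h=%s; bh=%s; b=",
		domain, strings.Join(signedHeaders, ":"), bodyHash(m))
	sum := sha256.Sum256(signingInput(m, hdr))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		panic(err)
	}
	return hdr + base64.StdEncoding.EncodeToString(sig)
}

// Verify checks body hash and signature; it never looks at who is delivering the message now.
func Verify(pub *rsa.PublicKey, m Message, dkim string) bool {
	i := strings.Index(dkim, "; b=")
	if i < 0 || !strings.Contains(dkim, "; bh="+bodyHash(m)+";") {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(dkim[i+4:])
	sum := sha256.Sum256(signingInput(m, dkim[:i+4]))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) == nil
}

// Deliver applies the DMARC rule: pass if an aligned SPF check OR an aligned DKIM signature
// passes (alignment simplified here to an exact domain match).
func Deliver(pub *rsa.PublicKey, m Message, dkim string, env Envelope) Outcome {
	from := domainOf(m.Headers["from"])
	dkimOK := Verify(pub, m, dkim)
	spfAligned := env.SPFPass && domainOf(env.MailFrom) == from
	dkimAligned := dkimOK && strings.Contains(dkim, "; d="+from+";")
	return Outcome{DKIM: dkimOK, DMARC: spfAligned || dkimAligned}
}

// ReplayDemo plays the three deliveries described above. Every address, domain and the
// alert text is constructed for the demo.
func ReplayDemo() (original, replayed, tampered Outcome) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	alert := Message{
		Headers: map[string]string{"from": "no-reply@google.com", "to": "attacker@attacker.example", "subject": "Security alert"},
		Body:    "A new app was granted access to your Google Account.\r\nReview the case on the support page.\r\n",
	}
	dkim := Sign(key, "google.com", alert) // Google's own MTA signs its alert
	// 1. Google delivers the alert to the attacker's mailbox: everything passes.
	original = Deliver(&key.PublicKey, alert, dkim, Envelope{"bounce@google.com", "attacker@attacker.example", true})
	// 2. The attacker re-injects the identical bytes via an unrelated relay to a victim. Only the
	//    envelope changes, so DKIM verifies and DMARC passes on DKIM alignment, although SPF now
	//    vouches only for relay.example.
	replayed = Deliver(&key.PublicKey, alert, dkim, Envelope{"bounce@relay.example", "victim@example.org", true})
	// 3. Changing one word of the body breaks bh=, so DKIM and DMARC both fail: the replay
	//    works only because nothing signed is altered.
	edited := Message{alert.Headers, strings.Replace(alert.Body, "support page", "evil page", 1)}
	tampered = Deliver(&key.PublicKey, edited, dkim, Envelope{"bounce@relay.example", "victim@example.org", true})
	return original, replayed, tampered
}

func main() { fmt.Println(ReplayDemo()) } // prints {true true} {true true} {false false}
```

Run it with go run: the first two outcomes report DKIM and DMARC pass, the third fails both. The point to take away is that nothing in Verify or Deliver looks at who is delivering the message now; a genuine signature is evidence of origin, not of intent, and the only thing a replay attacker must avoid is touching the signed bytes. Note also that the replayed copy still carries the original To: header, because that header is signed and cannot be changed; a To: address that is not your own is one of the few visible tells in a replayed alert.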

Tarun Wig from Innefu Labs points out that the phishing email bypassed Gmail’s security due to a “DKIM replay attack.” This means the attackers got their hands on a genuine email that Google had digitally signed (using DKIM) to prove it was real. They then resent this same signed email, fooling Gmail into thinking it was legitimate.

Wig adds that DKIM is like a seal on a letter – it proves the letter hasn’t been opened or changed since the sender put it in the envelope. But it doesn’t tell you if the person who originally sealed the letter is the one sending it now, or if their intentions are good. In this case, the fake email had Google’s “seal,” came from Google’s address (“no-reply@google.com”), and passed all the checks. It even appeared in the same place as real Google warnings, making it seem completely genuine. This highlights that just because an email looks official doesn’t mean you should automatically trust it.

According to Sheetal R Bhardwaj, an expert at ACFCS, Gmail didn’t recognize this fake email as spam because the attack cleverly misused Gmail’s own tools for verifying emails, particularly DKIM (DomainKeys Identified Mail).

What Steps Can You Take to Avoid Gmail Fraud?

  • An email that looks completely fine and passes every authentication check (DKIM, SPF, and DMARC) can still be harmful or fake. Those checks confirm who signed the message, not that its contents or the person delivering it now are honest. Don't trust it blindly.
  • Be extra careful about clicking links, even ones that point at a real Google host such as sites.google.com. If the email tries to scare you or tells you to log in immediately, that is a big red flag for a scam page.
  • To protect your account, turn on multi-factor authentication (MFA), ideally with a passkey or security key. Even if an attacker gets your password, they still won't get into your account so easily, because they will need a second way to prove they are you.
  • When you receive a security alert email, do not click the link in it. Open your Google Account directly and check for alerts there. That way you never follow a link supplied by the email itself.
