ENS Founder Warns of Advanced Google Phishing Attack
Nick Johnson, founder and lead developer of the Ethereum Name Service (ENS), has warned his followers on X about an advanced phishing attack that impersonates Google to trick users into handing over their login credentials.
Johnson detailed the attack in an April 16 post, explaining that it exploits Google’s infrastructure to send a fake alert. This alert informs users that their Google data is being shared with law enforcement due to a subpoena. The phishing email passes Google’s DKIM signature check and appears in the user’s inbox without any warnings, even in the same conversation thread as legitimate security alerts.
The fake subpoena appears to originate from a Google no-reply address, adding to its apparent legitimacy. Users are offered the option to view the case materials or to object by clicking a support page link, which is hosted on Google Sites. Google Sites lets anyone with a Google account publish a page under a trusted Google-owned domain, so the hostname in the link says nothing about who built the page.
Johnson noted that while the Google domain name gives the impression of legitimacy, there are still signs that it is a phishing scam. For instance, the email is forwarded by a private email address, which is a red flag.
In an April 11 report, software firm EasyDMARC explained that the scam weaponizes Google Sites together with Google's own account notifications. The scammers register a Google OAuth app and put the phishing text in its App Name field, which is allowed to contain any text they choose; when the app is granted access to an account the scammers control, Google itself sends a genuine, DKIM-signed security alert containing that text. They then relay that alert through a mailbox on a domain registered via Namecheap, so the From address still shows Google's no-reply account while the reply address is anything they choose.
Johnson further explained that DKIM verifies only the message body and its signed headers, not the SMTP envelope, so a Google-signed alert forwarded unchanged from another mailbox still passes signature validation and appears as a legitimate message in the user's inbox.
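The red flags above (a message relayed by a private mailbox, a Reply-To that does not match the Google sender, and a Google Sites link) can be checked mechanically at the receiving end. The script below is an added example written for this page, not code from Johnson, EasyDMARC or Google; it parses a message with the Python standard library and flags exactly those three indicators. Both sample messages, all hostnames, addresses and IPs in them, and the finding labels are constructed for illustration. The "DKIM pass" is taken from the Authentication-Results header your own MTA adds, since DKIM verification itself is assumed to have happened upstream.

```python
"""Triage a DKIM-passing message for signs it was relayed (replayed) by a third party."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a capture from the campaign: a Google-signed account
# alert that was forwarded through an unrelated mailbox. All hosts, addresses
# and IPs are placeholders.
RELAYED_ALERT = b"""Received: from mail.privateemail.example (mail.privateemail.example [192.0.2.10])
\tby mx.example.net with ESMTPS id k7s9f2
\tfor <victim@example.net>; Wed, 16 Apr 2025 10:00:00 +0000
Authentication-Results: mx.example.net; dkim=pass header.d=accounts.google.com;
\tspf=pass smtp.mailfrom=privateemail.example
Return-Path: <forwarder@privateemail.example>
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=selector; bh=...; b=...
From: Google <no-reply@accounts.google.com>
Reply-To: legal-support@privateemail.example
To: victim@example.net
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Law enforcement has requested a copy of your Google Account data.
Review the case materials at https://sites.google.com/view/case-materials-example
"""

# Constructed control: the same kind of alert delivered directly by the signer.
DIRECT_ALERT = b"""Received: from mail.google.example (mail.google.example [198.51.100.5])
\tby mx.example.net with ESMTPS id q2m4x1
\tfor <victim@example.net>; Wed, 16 Apr 2025 10:05:00 +0000
Authentication-Results: mx.example.net; dkim=pass header.d=accounts.google.com;
\tspf=pass smtp.mailfrom=accounts.google.com
Return-Path: <noreply@accounts.google.com>
From: Google <no-reply@accounts.google.com>
To: victim@example.net
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A new sign-in was detected. Review it at https://myaccount.google.com/notifications
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value, or '' if none."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower()


def same_org(a: str, b: str) -> bool:
    """Crude organisational alignment (no public-suffix list): equal, or one is
    a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def extract_urls(msg) -> list[str]:
    """Collect http(s) URLs from every text part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            urls += re.findall(r"https?://[^\s\"'<>]+", payload.decode("utf-8", "replace"))
    return urls


def triage(raw: bytes) -> list[str]:
    """Return a list of finding strings; an empty list means no relay indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. DKIM signer vs SMTP envelope sender. DKIM covers the body and the
    #    signed headers only, so a forwarded copy still verifies; Return-Path
    #    (the envelope MAIL FROM) is the part the signature never covered.
    auth = re.sub(r"\s+", " ", str(msg.get("Authentication-Results", "")))
    m = re.search(r"dkim=pass\b.*?header\.d=([A-Za-z0-9.-]+)", auth)
    dkim_domain = m.group(1).lower() if m else ""
    envelope_domain = domain_of(str(msg.get("Return-Path", "")))
    if dkim_domain and envelope_domain and not same_org(dkim_domain, envelope_domain):
        findings.append(f"dkim-envelope-mismatch: signed by {dkim_domain}, relayed by {envelope_domain}")

    # 2. Reply-To steering replies away from the From domain.
    from_domain = domain_of(str(msg.get("From", "")))
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if reply_domain and not same_org(reply_domain, from_domain):
        findings.append(f"reply-to-mismatch: From {from_domain}, Reply-To {reply_domain}")

    # 3. Links to pages anyone with a Google account can publish.
    for url in extract_urls(msg):
        if (urlparse(url).hostname or "").lower() == "sites.google.com":
            findings.append(f"google-sites-link: {url}")
    return findings


if __name__ == "__main__":
    for name, sample in (("relayed", RELAYED_ALERT), ("direct", DIRECT_ALERT)):
        print(name, triage(sample) or ["clean"])
```

The first check is the one that catches the DKIM replay itself: the signature is valid, but the server that handed you the message is not the signer. Treat it as a scoring signal rather than a verdict, because mailing lists and account auto-forwarding produce the same mismatch on legitimate traffic; the combination with a foreign Reply-To and a user-publishable Google Sites link is what makes this sample worth quarantining.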
In response to the issue, a Google spokesperson stated that they are aware of the attack and are taking steps to shut down the mechanism that attackers are using. These protections are expected to be fully deployed soon, which will prevent this method of attack from working in the future.
The spokesperson also urged users to adopt two-factor authentication and passkeys, which provide strong protection against phishing campaigns. Google will never ask users for account credentials such as passwords or one-time passcodes, never ask them to approve a push notification, and never call them.
