Beware Gmail Users! Tech giant Google has issued an important warning to all Gmail users. This warning has come following the discovery of a highly sophisticated phishing campaign that exploits Google’s own security checks to trick users into handing over their account credentials.
This phishing attack is dangerous because it appears to come from Google itself and even shows up in the same email thread as real and genuine alerts from Google. However, Google has acknowledged the phishing campaign and confirmed that it exploited OAuth and DKIM mechanisms in a novel way.
Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google’s infrastructure, and given their refusal to fix it, we’re likely to see it a lot more. Here’s the email I got: — nick.eth (@nicksdjohnson)
The scam was initially discovered by software developer Nick Johnson, who detailed his experience on X (formerly Twitter). He received an email from no-reply@google.com, stating that a subpoena had been issued for his account data. The email appeared legitimate and contained a link resembling a genuine Google support page.
However, the link redirected to a fake Google sign-in page hosted on sites.google.com—Google’s own platform. The aim was to deceive users into entering their login credentials, allowing hackers to steal their Gmail account information. It is important to note that the phishing email uses the company’s branding, has the correct logo, and includes language that sounds official.
You get an official-looking email from no-reply@google.com, claiming a subpoena has been issued against your account.
The email includes a link that appears to lead to a legitimate Google support page, urging you to log in to respond.
: The link takes you to a cloned Google login page, hosted on a Google subdomain (like sites.google.com), making it look authentic.
Once you enter your login details, they’re captured by hackers—giving them full access to your Gmail and all connected Google services.
Don’t trust unexpected emails asking you to take urgent action, even if they appear to come from Google or other trusted sources.
: Avoid clicking on links within such emails. These links may lead to fake login pages designed to steal your credentials.
Always visit your Gmail or any other service by typing the official URL (like www.google.com) directly into your browser.
Add an extra layer of security to your account by enabling 2FA, which requires a second verification step beyond just your password.
Activate passkeys wherever supported to further protect your account from phishing and credential theft.
Stay informed on all the , real-time updates, and follow all the important headlines in and on Zee News.
