Google’s OAuth Vulnerability Abused in New Email Spoofing Attack

Cybercriminals have developed a new phishing technique that leverages Google’s own infrastructure to send deceptive emails appearing to originate from “no******@****le.com,” Bleeping Computer is reporting.

This method, known as a DKIM replay attack, allows malicious actors to bypass standard email authentication protocols, posing significant risks to users worldwide.

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails. However, in this attack, phishers exploit a weakness in DKIM's design: it verifies only the message body and headers, not the envelope.

The attackers begin by registering a domain and creating a Google account with an email address like “**@****in.com.” They then develop a Google OAuth application, embedding the phishing message within the app’s name. When this app is granted access to the attacker’s email, Google sends a security alert to the specified address.

Since this alert originates from Google’s servers, it carries a valid DKIM signature. The attacker then forwards this email to potential victims, making it appear as an official communication from Google.
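The gap described above, where DKIM covers the signed headers and body but not the envelope, can be checked on the receiving side. The following is an added example, not code from the article or from Google: it assumes the receiving mail server has already verified the signature and recorded the envelope sender in `Return-Path`, and all addresses, domains and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: signed by accounts.example for one mailbox, then
# re-sent unchanged to a different mailbox through relay.example.
SAMPLE = """\
Return-Path: <bounce@relay.example>
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.example; s=sel1;
 h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Security <no-reply@accounts.example>
To: first-recipient@registered.example
Subject: Security alert
Date: Mon, 01 Jan 2024 00:00:00 +0000

body
"""

def dkim_tags(msg):
    """Parse the first DKIM-Signature header into a {tag: value} dict."""
    tags = {}
    for part in msg.get("DKIM-Signature", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def addr_domain(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def replay_indicators(raw, envelope_rcpt):
    """Return indicators that a validly signed message was re-sent.

    Assumes the receiving MTA already verified the signature; this only
    compares what DKIM signs (headers) with what it does not (envelope).
    """
    msg = message_from_string(raw)
    signer = dkim_tags(msg).get("d", "").lower()
    if not signer:
        return []
    findings = []
    signed_rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
    if envelope_rcpt.lower() not in {a.lower() for _, a in getaddresses(signed_rcpts)}:
        findings.append("rcpt-not-in-signed-headers")  # also true for Bcc and lists
    sender = addr_domain(msg.get("Return-Path", ""))
    if sender != signer and not sender.endswith("." + signer):
        findings.append("envelope-sender-not-aligned")
    return findings
```

Neither indicator is a verdict on its own, since mailing lists and Bcc delivery trigger them too; together on a message claiming to be a security alert they are a reason to quarantine or flag it for review.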

The phishing emails often contain alarming messages, such as notifications of legal subpoenas, to prompt immediate action. Victims are directed to counterfeit support portals hosted on Google’s Sites platform.

Nick Johnson, lead developer of the Ethereum Name Service, was among those targeted by this sophisticated phishing campaign. Upon investigating, he identified the misuse of Google’s OAuth and DKIM systems and reported the issue to Google.

Initially, Google dismissed the concern, stating the system was functioning as intended. However, following further scrutiny, the company acknowledged the vulnerability and is now working on a solution.
