Google OAuth Abused by Phishers to Spoof Google in DKIM Replay Attack

In a novel attack, phishers are sending emails that appear to come from Google's own systems (no-reply@google.com) and that pass the DomainKeys Identified Mail (DKIM) check rather than evading it: the message was genuinely signed by Google and then replayed to victims, so the signature still verifies. The email points to a fraudulent page that collects logins.

You can get more details about this here: https://threadreaderapp.com/thread/1912439023982834120.html

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“DMARC, DKIM, and SPF all focus on the DNS domain involved. The ‘email address’ portion can change and the DMARC, DKIM, and SPF check will be just fine. So, if I can get an email sent from a common, global domain like google.com or hotmail.com, I can get nearly any email address name I like (e.g., the realbillgates@gmail.com) and it’s going to pass the checks.

DMARC, DKIM, and SPF should be understood this way: I claim to be from this and this domain (e.g., google.com) and if I pass the checks, I really am from that claimed domain. The user still has to look at the entire email address (friendly name and domain name) and figure out if it is or isn’t legitimate for the domain being claimed. On top of that, malicious scammers deploy DMARC, DKIM, and SPF at higher rates than non-scammers. Scammers early on decided that they needed all the domains they used to have DMARC, DKIM, and SPF enabled so their scammy email didn’t end up in the Junk Mail, Spam folder, or be rejected and never make it to the end-user. To that end, DMARC, DKIM, and SPF have been a total success. And at the same time it is a victim of its own success, with scammers using it even more than legitimate senders.”

I have certainly seen this with the attack that makes refund scam emails look like they are coming from Microsoft. Thus I am not shocked that this is happening on the Google side of the fence. And I fully expect to see more of this sort of thing going forward.
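To make the two points above concrete (DKIM covers only the headers listed in its h= tag plus the body, so a replayed message still verifies; and DMARC alignment compares domains, not the local part of the address), here is an added example that is not from the original post and not Google's code. It models a DKIM verifier in Python using only the standard library. The signing primitive is replaced by HMAC with a shared demo key so it runs offline; real DKIM uses an RSA or Ed25519 key published in DNS, but the canonicalisation and the "which bytes are covered" logic, which is what the replay exploits, is the same. The message headers, body and domains are constructed sample data.

```python
"""Why a DKIM replay passes verification, and why DMARC alignment ignores
the local part of the From: address.

Added example, not code from the post or from Google. The signing key is a
stand-in for the real RSA/Ed25519 DKIM key; the canonicalisation rules
follow the 'relaxed' algorithm of RFC 6376.
"""
import hashlib
import hmac
import re

# Assumption: stand-in for the signer's private key / DNS-published public key.
SIGNING_KEY = b"demo-key-not-a-real-dkim-key"
# The h= tag of the signature: the only headers the signature covers.
SIGNED_HEADERS = ["from", "to", "subject", "date"]


def relaxed_header(name: str, value: str) -> str:
    """'relaxed' header canonicalisation: lowercase name, unfold and collapse
    whitespace, strip leading/trailing whitespace."""
    value = re.sub(r"\s+", " ", value).strip()
    return f"{name.lower()}:{value}"


def relaxed_body(body: str) -> bytes:
    """'relaxed' body canonicalisation: collapse runs of WSP, drop trailing
    WSP per line, normalise line endings to CRLF, drop empty trailing lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip() for ln in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def _signed_input(headers, body):
    """Bytes the signature covers: canonicalised h= headers plus body hash.
    For each listed name the LAST instance in the message is used; headers
    that are not listed (Received, Delivered-To, ...) are ignored entirely."""
    parts = []
    for name in SIGNED_HEADERS:
        matches = [v for (n, v) in headers if n.lower() == name]
        if matches:
            parts.append(relaxed_header(name, matches[-1]))
    body_hash = hashlib.sha256(relaxed_body(body)).digest()
    return "\r\n".join(parts).encode() + b"\r\n" + body_hash


def dkim_sign(headers, body):
    return hmac.new(SIGNING_KEY, _signed_input(headers, body), "sha256").hexdigest()


def dkim_verify(headers, body, signature):
    return hmac.compare_digest(dkim_sign(headers, body), signature)


def dmarc_aligned(from_header, dkim_domain):
    """DMARC relaxed alignment: only the domain of the From: address is compared
    with the DKIM d= domain (exact match or subdomain). The local part plays no
    role, which is Grimes' point about 'realbillgates@...'."""
    domain = from_header.rsplit("@", 1)[-1].strip(">").strip().lower()
    d = dkim_domain.lower()
    return domain == d or domain.endswith("." + d)


# Constructed sample: the message the legitimate sender signed and delivered
# to a mailbox the attacker controls.
ORIGINAL_HEADERS = [
    ("From", "Legit Sender <no-reply@example.com>"),
    ("To", "attacker-mailbox@example.net"),
    ("Subject", "Security alert"),
    ("Date", "Mon, 21 Apr 2025 10:00:00 +0000"),
]
ORIGINAL_BODY = "Text the attacker got into the message before signing.\n"
SIGNATURE = dkim_sign(ORIGINAL_HEADERS, ORIGINAL_BODY)


def replayed_message():
    """The attacker forwards the signed message unchanged; the relay prepends
    its own trace headers. None of them are in h=, so verification still passes."""
    return [
        ("Received", "from attacker-relay.example.net by mx.victim.example"),
        ("Delivered-To", "victim@victim.example"),
    ] + ORIGINAL_HEADERS


def tampered_message():
    """Editing a signed header (Subject) breaks the signature, which is why the
    bait text has to be in the message before the legitimate sender signs it."""
    return [(n, "Urgent: verify your account" if n == "Subject" else v)
            for (n, v) in ORIGINAL_HEADERS]


if __name__ == "__main__":
    print("original verifies:", dkim_verify(ORIGINAL_HEADERS, ORIGINAL_BODY, SIGNATURE))
    print("replayed verifies:", dkim_verify(replayed_message(), ORIGINAL_BODY, SIGNATURE))
    print("tampered verifies:", dkim_verify(tampered_message(), ORIGINAL_BODY, SIGNATURE))
    print("aligned:", dmarc_aligned("Anyone <anything@example.com>", "example.com"))
```

A real verifier also fetches the public key from DNS and honours the signature's own tags; the ones relevant to replay are x= (expiry) and the practice of listing a header name in h= more times than it occurs, so that a later copy added by a relay cannot be smuggled in. Neither stops a verbatim redelivery within the validity window, which is why the defensive takeaway from the quote stands: a passing DKIM/DMARC result says who signed the message, not that its content is safe.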
