{"id":127344,"date":"2025-04-17T03:20:59","date_gmt":"2025-04-17T03:20:59","guid":{"rendered":"http:\/\/cryptospotters.net\/?p=127344"},"modified":"2025-04-17T03:20:59","modified_gmt":"2025-04-17T03:20:59","slug":"ens-founder-warns-of-google-spoof-that-tricks-users-with-a-fake-subpoena","status":"publish","type":"post","link":"http:\/\/cryptospotters.net\/?p=127344","title":{"rendered":"ENS founder warns of Google spoof that tricks users with a fake subpoena"},"content":{"rendered":"<p>Source: Cointelegraph.com NewsThe founder and lead developer of Ethereum Name Service has warned his X followers of an \u201cextremely sophisticated\u201d phishing attack that can impersonate Google and trick users into giving out login credentials.\u00a0<br \/>\nThe phishing attack exploits Google\u2019s infrastructure to send a fake alert to users informing them that their Google data is being shared with law enforcement due to  a subpoena, ENS\u2019 Nick Johnson said in an April 16 post to X.\u00a0<br \/>\n\u201cIt passes the DKIM signature check, and GMail displays it without any warnings &#8211; it even puts it in the same conversation as other, legitimate security alerts,\u201d he said.\u00a0<br \/>\nThe fake subpoena appears to be from a Google no-reply domain. Source: Nick JohnsoAs part of the attack, users are offered the chance to view the case materials or protest by clicking a support page link, which uses Google Sites, a tool that can be used to build a website on a Google subdomain, according to Johnson.\u00a0<br \/>\n\u201cFrom there, presumably, they harvest your login credentials and use them to compromise your account; I haven\u2019t gone further to check,\u201d he said.<br \/>\nThe Google domain name gives the impression it\u2019s legit, but Johnson says there are still telltale signs it\u2019s a phishing scam, such as the email being forwarded by a private email address.\u00a0<br \/>\nScammers exploit Google systems\u00a0<br \/>\nIn an April 11 report, software firm EasyDMARC explained that the phishing scam works by weaponizing Google Sites.<br \/>\nAnyone with a Google account can create a site that looks legitimate and is hosted under a\u00a0trusted Google-owned domain.<br \/>\nThey also use the Google OAuth app, where the \u201ckey trick is that you can put anything you want in the App Name field in Google,\u201d and use a domain via Namecheap that allows them to \u201cput no-reply@google account as From address and the reply address can be anything.\u201d<br \/>\nSource: Nick Johnson \u201cFinally, they forward the message to their victims. Because DKIM only verifies the message and its headers and not the envelope, the message passes signature validation and shows up as a legitimate message in the user\u2019s inbox \u2014 even in the same thread as legit security alerts,\u201d Johnson said.\u00a0<br \/>\nGoogle deploying countermeasures soon\u00a0<br \/>\nSpeaking to Cointelegraph, a Google spokesperson said they are aware of the issue and are shutting down the mechanism that attackers are using to insert the \u201carbitrary length text,\u201d which will prevent the method of attack from working in the future.\u00a0<br \/>\nRelated: Hackers hide crypto address-swapping malware in Microsoft Office add-in bundles<br \/>\n\u201cWe\u2019re aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse,\u201d the spokesperson said.\u00a0<br \/>\n\u201cIn the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.\u201d\u00a0<br \/>\nThe spokesperson added that Google will never ask for any private account credentials \u2014 including passwords, one-time passwords or push notifications, nor call users.\u00a0\u00a0<br \/>\nMagazine: Your AI \u2018digital twin\u2019 can take meetings and comfort your loved ones<a href=\"https:\/\/cointelegraph.com\/news\/latest-crypto-phishing-scam-fake-subpoena-alert-from-google?utm_source=rss_feed&amp;utm_medium=rss&amp;utm_campaign=rss_partner_inbound\" target=\"_blank\" class=\"feedzy-rss-link-icon\" rel=\"noopener\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Source: Cointelegraph.com NewsThe founder and lead developer of Ethereum Name Service has warned his X followers of an \u201cextremely sophisticated\u201d phishing attack that can impersonate Google and trick users into&hellip; <\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts\/127344"}],"collection":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=127344"}],"version-history":[{"count":0,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts\/127344\/revisions"}],"wp:attachment":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=127344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=127344"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=127344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}