BleepingComputer reports that Ethereum Name Service lead developer Nick Johnson discovered that a Google OAuth vulnerability had been leveraged to deliver a bogus email posing as a security alert from Google. The message carried a valid DomainKeys Identified Mail (DKIM) signature, making it part of a DKIM replay phishing intrusion.
Attackers sent Johnson a subpoena notice that appeared to come from Google and linked to a highly convincing fake Google support portal; the only hint of phishing was that the email and the support site were hosted on "sites.google.com" rather than "accounts.google.com". According to Johnson, the scheme was enabled by registering a domain, creating a Google account for me@domain, and then setting up a Google OAuth app so that Google's own systems would automatically send the bogus security alert. The incident follows a similar abuse of PayPal's "gift address" option to distribute fraudulent purchase confirmations that appeared to originate from PayPal's servers.
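The report describes the defender-side tells of a DKIM replay: the message passes DKIM because Google really did sign it, but it was relayed from infrastructure that is not Google's, it was originally addressed to the attacker's own me@domain mailbox rather than to the victim, and it links to user-hosted content on "sites.google.com". The following is an added triage script (not code from the article, from Johnson, or from Google) that checks an inbound message for exactly those three signals. The two sample messages and every address, domain and URL in them are constructed for illustration; the domain-alignment test is a simplified approximation of DMARC relaxed alignment.

```python
"""Heuristic triage for DKIM-replay style phishing (added example, not from the article).

Signals checked, each derived from the incident as reported:
  1. DKIM passes, but the envelope sender (Return-Path) is not aligned with the From domain.
  2. The actual recipient does not appear in To/Cc (the replayed original was sent elsewhere).
  3. The body links to a user-content host on the sender's brand domain (sites.google.com).
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# User-content hosts that share a trusted brand domain; the article names sites.google.com.
USER_CONTENT_HOSTS = {"sites.google.com"}

LINK_RE = re.compile(r'https?://[^\s"<>)\]]+')


def _domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def _aligned(a, b):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def _text_parts(msg):
    """Yield decoded text/plain and text/html bodies (single-part or multipart)."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def triage_message(raw_message, delivered_to):
    """Return {'findings': [...], 'verdict': 'ok'|'suspicious'} for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    auth_results = (msg.get("Authentication-Results") or "").lower()
    dkim_passed = "dkim=pass" in auth_results

    # Signal 1: a genuine signature relayed from somewhere else.
    if dkim_passed and return_path_domain and not _aligned(return_path_domain, from_domain):
        findings.append("return_path_mismatch")

    # Signal 2: the message was not addressed to the mailbox that received it.
    addressed = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if delivered_to.lower() not in addressed:
        findings.append("recipient_not_addressed")

    # Signal 3: links land on user-hosted content under the brand's domain.
    for body in _text_parts(msg):
        for link in LINK_RE.findall(body):
            host = (urlparse(link).hostname or "").lower()
            if host in USER_CONTENT_HOSTS and "link_to_user_content_host" not in findings:
                findings.append("link_to_user_content_host")

    return {"findings": findings, "verdict": "suspicious" if findings else "ok"}


# Constructed sample: a replayed, genuinely DKIM-signed alert relayed via a third-party sender.
CONSTRUCTED_REPLAY = """\
Return-Path: <bounce@relay-provider.example>
Authentication-Results: mx.example.net; dkim=pass header.d=google.com
From: Google <no-reply@accounts.google.com>
To: me@registered-domain.example
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A legal request was received for your account. Review the case at
https://sites.google.com/view/CONSTRUCTED-PATH
"""

# Constructed sample: an ordinary alert that is aligned and addressed to the real recipient.
CONSTRUCTED_LEGIT = """\
Return-Path: <bounce@accounts.google.com>
Authentication-Results: mx.example.net; dkim=pass header.d=google.com
From: Google <no-reply@accounts.google.com>
To: alice@example.net
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Review recent activity at https://accounts.google.com/CONSTRUCTED-PATH
"""

if __name__ == "__main__":
    print(triage_message(CONSTRUCTED_REPLAY, "victim@example.net"))
    print(triage_message(CONSTRUCTED_LEGIT, "alice@example.net"))
```

Signal 1 on its own is not proof of abuse, since mailing lists and legitimate forwarders also relay DKIM-signed mail with a foreign Return-Path; the combination of all three findings is what makes a message worth quarantining or routing to an analyst rather than rejecting it outright.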