
Google restricts app-name parameters in response to ‘sophisticated’ phishing attack

Developer Nick Johnson detailed the devious tactic on April 16.


Hannah Minn


Google says it rolled out a restriction to guard against a tricky phishing attack that relied on inventive tactics: a Google Sites URL and a really, really long app name.

The added defense arrives in response to April 16 revelations from Nick Johnson, founder and lead developer at Ethereum Name Service, who provided details on X of what he described as an “extremely sophisticated phishing attack.”

“We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse,” Google Workspace spokesperson Ross Richendrfer shared with IT Brew in an email. “In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”

What’s so sophisticated? According to Johnson:

  • The message passed signature validation. Johnson, a former Google engineer, showed that the threat actor registered a domain, created a Google account for “me@[domain],” created a Google OAuth application, and granted that OAuth app access to the account. Google then generated a Security Alert message—one created by Google itself and therefore passing Google’s security checks—which was delivered to the attacker’s account and then forwarded to a target.
  • Maybe go with something shorter. For the “application name,” the threat actor entered the entire phishing message, followed by a lot of whitespace and an official-sounding “Google Legal Support.” (Richendrfer wrote to IT Brew that the company, in response, last week shut down the mechanism that allowed attackers to insert arbitrary-length text.)
  • ‘Site’ unseen. The phish highlighted by Johnson showed a subpoena warning that led to a realistic-looking support portal hosted on a “sites.google.com” domain, which Johnson guessed was set up to gather credentials.
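As an added defender-side example (not from the article, from Johnson, or from Google), the Python below checks an inbound security alert for the indicators the bullets above describe: a Google-sent alert whose To: header does not match the mailbox it was delivered to (the sign that a genuine alert was forwarded on), a “me@” recipient, a long whitespace run in the body, and a sites.google.com link. The two messages are constructed samples, and the header names and the padding threshold are assumptions.

```python
import re
from email import message_from_string

# Constructed sample (not a real message from the incident): a Google-signed
# alert addressed to the attacker's "me@" account and forwarded to the target,
# whose body carries the phishing text, a long whitespace run, and a sign-off.
PAD = " " * 300
SUSPECT = """Delivered-To: target@victim.example
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=constructed
From: Google <no-reply@accounts.google.com>
To: me@attacker-controlled.example
Subject: Security alert
Content-Type: text/plain; charset=us-ascii

A new app has been granted access to your Google Account.
Notice of subpoena: review the case at https://sites.google.com/view/constructed-portal
""" + PAD + "Google Legal Support\n"

# Constructed benign alert: delivered to the same mailbox it is addressed to.
BENIGN = """Delivered-To: target@victim.example
From: Google <no-reply@accounts.google.com>
To: target@victim.example
Subject: Security alert
Content-Type: text/plain; charset=us-ascii

New sign-in on Linux. Review your activity at https://myaccount.google.com/notifications
"""

def forwarded_alert_indicators(raw: str, min_pad: int = 40) -> list[str]:
    msg = message_from_string(raw)  # raw RFC 5322 text, assumed single-part plain text
    hits = []
    sender = (msg.get("From") or "").lower()
    to_hdr = (msg.get("To") or "").lower()
    delivered = (msg.get("Delivered-To") or "").lower()
    # A Google-generated alert whose To: is not the mailbox it landed in:
    # the alert itself was real, but it was forwarded on to someone else.
    if "google.com" in sender and delivered and delivered not in to_hdr:
        hits.append("to/delivered-to mismatch")
    # The "me@" account name the alert was originally addressed to.
    if re.search(r"\bme@", to_hdr):
        hits.append("me@ recipient")
    body = msg.get_payload(decode=True).decode("ascii", errors="replace")
    # A run of at least min_pad spaces/tabs followed by more text: app-name padding.
    if re.search(r"[ \t]{%d,}\S" % min_pad, body):
        hits.append("whitespace padding in body")
    # A "support portal" on Google Sites linked from a security alert.
    if "sites.google.com" in body:
        hits.append("sites.google.com link")
    return hits
```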

“Google long ago realised that hosting public, user-specified content…is a bad idea, but Google Sites has stuck around. IMO they need to disable scripts and arbitrary embeds in Sites; this is too powerful a phishing vector,” Johnson wrote on X.

On the block. In an email to IT Brew, Richendrfer agreed that scanning and blocking abusive scripts is very important, in addition to taking down abusive websites, which he said Google does and will continue to do.

“Along with our peers in the website building industry, we know that users require some degree of customizability for core website components, such as scripts. JavaScript is crucial to web-builders—without it, websites can do almost nothing. Our focus with Sites is to create room to build while also providing layered protections (e.g., scanning and blocking abusive scripts) to make this as safe for builders as possible,” Richendrfer wrote to us, also emphasizing that the company “will not ask for any of your account credentials—including your password, one-time passwords, confirm push notifications, etc.—and Google will not call you.”

Verizon’s Data Breach Investigations Report, released on April 23, revealed phishing as the “top action” in 14% of over 10,000 recent incidents.
