Google spoofed via DKIM replay attack: A technical breakdown
9 months ago
- #DKIM-replay-attack
- #phishing
- #cybersecurity
- A friend received a convincing phishing email claiming to be from Google about a subpoena.
- The email appeared legitimate: no typos, no odd links, and a genuine-looking sender domain.
- Investigation revealed the email was a DKIM replay attack, where a legitimate Google email was reused.
- The attacker used Google Sites to mimic an official Google support page, exploiting trust in Google's domain.
- The phishing email passed SPF, DKIM, and DMARC checks, making it appear authentic.
- Attackers manipulated Google OAuth app names to include phishing content in legitimate Google emails.
- Google has since fixed the issue by restricting app name content to prevent such attacks.
- Users are advised to avoid clicking on suspicious links and report such emails to security teams.
- DKIM replay attacks are hard to detect as they reuse valid signatures from legitimate emails.
- Security measures include rotating DKIM keys frequently and raising user awareness about phishing tactics.
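The last two points above (replayed signatures are still cryptographically valid, so detection has to rely on context rather than on the signature itself) can be turned into a receiver-side triage check. The code below is an added example and is not code from the original article or from Google; it parses the DKIM-Signature tags defined in RFC 6376 and flags the indicators a replayed message tends to carry: a signing timestamp (t=) far older than the delivery time, no expiration tag (x=), a body-length limit (l=) that permits appended content, headers such as To: left out of the signed set (h=), and an envelope recipient who does not appear in the To: header. The one-week age threshold, the sample messages and all addresses are constructed for the example; the sample signatures are placeholders and are not verified.

```python
"""Heuristic DKIM replay indicators (added example, not the article's or Google's code)."""
import re
from email import message_from_string

# Assumption for this example: a signature older than a week at delivery time is suspicious.
DKIM_MAX_AGE_SECONDS = 7 * 24 * 3600


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list syntax).

    Folding whitespace is allowed anywhere inside a value, so it is stripped.
    """
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def replay_indicators(raw_message: str, envelope_rcpt: str, received_at: int) -> list:
    """Return human-readable replay indicators for a message delivered to envelope_rcpt.

    received_at is the delivery time as a Unix timestamp. An empty list means
    none of the heuristics fired; it does not prove the message is genuine.
    """
    msg = message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header"]
    tags = parse_dkim_tags(sig)
    findings = []

    # 1. Age of the signature: replays are sent long after the original was signed.
    t = tags.get("t", "")
    if t.isdigit():
        age = received_at - int(t)
        if age > DKIM_MAX_AGE_SECONDS:
            findings.append(f"signature is {age // 86400} days old (t= tag)")
    else:
        findings.append("no signing timestamp (t=)")

    # 2. Expiration: without x= a captured signature stays valid indefinitely.
    if "x" not in tags:
        findings.append("no expiration (x=) tag, signature stays valid indefinitely")
    elif tags["x"].isdigit() and int(tags["x"]) < received_at:
        findings.append("signature expired (x=)")

    # 3. Body length limit: l= lets a forwarder append unsigned content after the signed body.
    if "l" in tags:
        findings.append("body length limit (l=) lets content be appended after the signed body")

    # 4. Signed header set: headers outside h= can be rewritten without breaking the signature.
    signed_headers = {h.strip().lower() for h in tags.get("h", "").split(":")}
    for required in ("to", "subject"):
        if required not in signed_headers:
            findings.append(f"{required} header not covered by signature (h=)")

    # 5. Recipient mismatch: a replayed message is still addressed to its original recipient.
    to_addrs = {a.lower() for a in re.findall(r"[\w.+-]+@[\w.-]+", msg.get("To", ""))}
    if to_addrs and envelope_rcpt.lower() not in to_addrs:
        findings.append(f"envelope recipient {envelope_rcpt} is not in To: header")
    return findings


# Constructed sample 1: signed 30 days before delivery, no x=, To: not signed,
# and addressed to a mailbox other than the one that received it.
REPLAYED_RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    " s=sel; h=from:subject:date:message-id; t=1700000000;\n"
    " bh=ZmFrZQ==; b=ZmFrZS1zaWduYXR1cmU=\n"
    "From: Example Support <no-reply@example.com>\n"
    "To: original-mailbox@example.net\n"
    "Subject: Security alert\n"
    "\n"
    "Body text.\n"
)

# Constructed sample 2: fresh, expiring, To: covered by h=, delivered to the To: address.
FRESH_RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\n"
    " h=from:to:subject:date:message-id; t=1700000000; x=1700604800;\n"
    " bh=ZmFrZQ==; b=ZmFrZS1zaWduYXR1cmU=\n"
    "From: Example Support <no-reply@example.com>\n"
    "To: victim@example.org\n"
    "Subject: Security alert\n"
    "\n"
    "Body text.\n"
)

if __name__ == "__main__":
    for label, raw, when in (("replayed", REPLAYED_RAW, 1700000000 + 30 * 86400),
                             ("fresh", FRESH_RAW, 1700003600)):
        print(label, replay_indicators(raw, "victim@example.org", when) or ["no indicators"])
```

None of these checks replaces signature verification; they run after DKIM has already passed, which is exactly the situation the article describes, and they rank a message for review rather than reject it. The age and expiration checks are the ones a sender controls directly, which is why short key rotation and an x= tag shrink the window in which a captured message can be replayed.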