Google Warns of Sophisticated Email Scam Exploiting Its Own Platform


TEHRAN (Tasnim) - Google has issued an urgent warning about a phishing campaign that uses its own website-building service to bypass email security filters, potentially exposing its 1.8 billion Gmail users to data theft.

Google has identified a new phishing attack that can slip past its robust filtering system, posing a threat to millions of Gmail users around the world.

The scheme leverages Google Sites—a service that allows users to create websites—to imitate legitimate domain names and deceive recipients.

The attack also bypasses Google’s DomainKeys Identified Mail (DKIM) signature check, a key security protocol used to verify email authenticity and block scams.

With Gmail serving over 1.8 billion accounts globally, the campaign could have far-reaching consequences if users fall victim to the scam.

Phishing campaigns aim to extract sensitive information such as passwords, credit card numbers, bank details, or personal data by tricking users into thinking they are communicating with a trusted source.

Nick Johnson, a cryptocurrency influencer, was among the first to publicly highlight the issue.

Posting on Twitter, he said, "The first thing to note is that this is a valid, signed email—it really was sent from no-reply@google.com."

"It passes the DKIM signature check, and Gmail displays it without any warnings—it even puts it in the same conversation as other, legitimate security alerts," Johnson added.

He described a convincing phishing page, stating, "The site's link takes you to a very convincing 'support portal' page. They've cleverly used http://sites.google.com because they know people will see the domain is http://google.com and assume it's legit."

Normally, a failed DKIM check is one of the signals Gmail uses to flag potentially malicious emails and direct them to users’ spam folders before they can do harm.

In this case, however, the phishing emails appear to originate from a trusted source due to the use of domains hosted by Google Sites.
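The point above, that a DKIM pass only vouches for the signing domain and says nothing about where the links in the body lead, can be turned into a simple triage check. The following is an added example, not code from Google or from the article; the sample message, the `USER_CONTENT_HOSTS` list and the link in the body are constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Hosts whose content is written by arbitrary users even though the
# registrable domain belongs to a trusted brand (assumed defender-maintained list).
USER_CONTENT_HOSTS = {"sites.google.com"}

# Constructed sample message: DKIM passes for google.com, yet the body links
# to a page hosted under sites.google.com.
SAMPLE_EMAIL = """\
From: Google <no-reply@google.com>
To: victim@example.com
Subject: Security alert
Authentication-Results: mx.example.com; dkim=pass header.d=google.com
Content-Type: text/plain

Review your account at https://sites.google.com/view/support-portal-demo
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def dkim_pass_domain(raw):
    """Return the header.d domain recorded with dkim=pass, or None if absent."""
    msg = email.message_from_string(raw, policy=policy.default)
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", value)
        if m:
            return m.group(1).lower()
    return None


def user_hosted_links(raw):
    """Return body links whose host serves user-supplied content.

    The registrable domain (google.com) is trusted, but the specific host is
    one anyone can publish under, so a DKIM pass must not clear these links.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    return [u for u in URL_RE.findall(body)
            if (urlparse(u).hostname or "").lower() in USER_CONTENT_HOSTS]


def needs_review(raw):
    """True when the message is DKIM-authenticated yet links to user-hosted pages."""
    return dkim_pass_domain(raw) is not None and bool(user_hosted_links(raw))
```

Run `needs_review(SAMPLE_EMAIL)` to see the constructed message flagged despite its valid signature.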

In a statement to Newsweek, a Google spokesperson confirmed the company was actively addressing the issue.

"We're aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse," the spokesperson said.

Google is urging users to enable two-factor authentication and use passkeys to guard against phishing threats.

In a separate advisory on its website, Google cautioned users, "Be careful anytime you receive a message from a site asking for personal information. If you get this type of message, don't provide the information requested without confirming that the site is legitimate."

"If possible, open the site in another window instead of clicking the link in your email. Google will never send unsolicited messages asking for your password or other personal information," the company added.

Security experts advise email users to stay alert in the coming weeks and double-check any messages requesting sensitive data.

While domain checks can offer some reassurance, additional verification steps are now more important than ever.
