Lead ENS Developer, Nick Johnson Reveals How He Almost Fell for a Phishing Attack
Johnson discovers cleverly orchestrated phishing email attack leveraging Google's authentication bug, says Google underestimating its potential

Nick Johnson, the Lead Developer of the Ethereum Name Service (ENS), has recently shared how he discovered an orchestrated phishing attack on his email.
Johnson revealed that the attack began when he received what appeared to be a legitimate email from Google. The email stated that law enforcement had issued a subpoena for the contents of his Google Account. It seemed to come from a genuine Google “no-reply” address, without the trademark spelling errors that give most phishing attempts away.
However, Johnson revealed that the message instinctively felt off to him. He began investigating the link instead, uncovering a sophisticated phishing site that used trust in Google to deceive users.
Attackers Were Thorough in Their Attempt at Nick Johnson
Johnson dug into the link previews and discovered that the email included a link to a Google Sites page. The link first redirected to the Google Account login page and then landed on a fake support case hosted under the sites.google.com domain.
This link is concerning because Google Sites is a trusted service created by Google and used by many legitimate users. This creates a false sense of security with many unsuspecting users.
The phishing page closely copied Google’s interface, prompting victims to enter credentials into the site. Furthermore, Google’s automated security checks failed to detect the site because it was hosted on a subdomain of google.com, making it even more effective.
Exploiting Email Authentication with DKIM Replay
The phishing email showed technical sophistication, successfully passing DKIM, SPF, and DMARC email authentication checks. This was because the attack manipulated how those systems validate messages.
The attacker had taken a real email from Google with a valid DKIM signature and repurposed it in a DKIM Replay Attack. By not altering the signed portions of the message, they managed to preserve the integrity of the original DKIM signature while relaying it through unrelated mail servers. Ultimately, the email was delivered to Johnson and passed full authentication despite not being legitimate.
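The following is an added illustration, not code from Johnson's write-up or from Google, of why a relayed copy still passes: verification covers only the signed headers and body, never the SMTP envelope. It assumes an HMAC as a stand-in for the RSA/Ed25519 signature real DKIM uses; all function names, addresses and the recipient-mismatch heuristic are hypothetical and constructed for this sketch.

```python
import hashlib
import hmac

# Constructed stand-in for the signer's private key. Real DKIM uses an RSA or
# Ed25519 key pair published via DNS; HMAC is swapped in to stay stdlib-only.
SIGNER_KEY = b"constructed-demo-key"
SIGNED_HEADERS = ("from", "to", "subject")  # plays the role of the DKIM h= tag


def dkim_like_sign(headers: dict, body: str) -> str:
    """Sign only the listed headers plus a hash of the body, as DKIM does."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    signed = "".join(f"{h}:{headers[h].strip()}\r\n" for h in SIGNED_HEADERS)
    return hmac.new(SIGNER_KEY, (signed + body_hash).encode(), hashlib.sha256).hexdigest()


def dkim_like_verify(message: dict) -> bool:
    """Verification sees headers and body only, never the SMTP envelope."""
    expected = dkim_like_sign(message["headers"], message["body"])
    return hmac.compare_digest(expected, message["signature"])


def replay_suspect(message: dict, envelope_rcpt: str) -> bool:
    """Heuristic: signature is valid but the delivery recipient is absent from
    the signed To header. Bcc and mailing-list mail also match, so treat a hit
    as a signal to score, not a verdict."""
    signed_to = message["headers"]["to"].lower()
    return dkim_like_verify(message) and envelope_rcpt.lower() not in signed_to


# Constructed sample message (addresses use reserved example domains).
headers = {"from": "no-reply@provider.example", "to": "first@recipient.example",
           "subject": "Security alert"}
body = "Constructed body text.\r\n"
original = {"headers": headers, "body": body, "signature": dkim_like_sign(headers, body)}

# Same bytes relayed later to a different envelope recipient: still verifies.
replayed_rcpt = "second@other.example"
# Any change to a signed header breaks the signature.
tampered = {**original, "headers": {**headers, "subject": "Changed"}}

if __name__ == "__main__":
    print("original verifies:", dkim_like_verify(original))
    print("replayed copy verifies:", dkim_like_verify(original))
    print("replay heuristic fires:", replay_suspect(original, replayed_rcpt))
    print("tampered verifies:", dkim_like_verify(tampered))
```

The signature result is identical for the original delivery and the relayed copy; only a check that looks outside the signed content, such as the recipient comparison here, distinguishes them.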
Google Promises to Look Into the Authentication Bug
Notably, Johnson had initially submitted the bug report to Google. Google replied that it didn’t consider the exploit a security bug. However, hours after the tweet was posted, Google changed its mind and promised to look into the OAuth bug as soon as possible.
With the increasing prevalence of email phishing attacks, it is important to always scrutinize unexpected urgent emails. When in doubt, don’t click the link. Escalate the issue to a trusted security team or consult professionals.