{"id":103821,"date":"2025-04-24T00:40:14","date_gmt":"2025-04-24T07:40:14","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=103821"},"modified":"2025-04-25T14:57:27","modified_gmt":"2025-04-25T21:57:27","slug":"google-phishing-scam-e-mail-deploys-diabolical-deceptions","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/google-phishing-scam-e-mail-deploys-diabolical-deceptions\/","title":{"rendered":"Google phishing scam e-mail deploys diabolical deceptions"},"content":{"rendered":"

\"Shady<\/p>\n

A series of highly sophisticated Google phishing e-mails has been making the rounds in the past couple weeks. The scam combines a number of clever techniques to appear plausibly legitimate to the average person.<\/p>\n

Put another way: Google itself is sending scam e-mails on behalf of fraudsters, and linking to Google-hosted phishing sites.<\/em><\/p>\n

What are the signs to watch out for? Let’s break down this scam so you can avoid becoming a victim.<\/p>\n

A subpoena from law enforcement?<\/h3>\n

The e-mail subject line is simply, “Security alert” \u2014 not very descriptive. The body of the e-mail is quite long, but includes phrasing similar to the following:<\/p>\n

A subpoena was served on Google LLC requiring us to produce a copy of your Google Account content<\/p>\n

 <\/p>\n

Google Support Ref #: [2 digits, hyphen, 10 digits]\n

Transferred to Legal Investigations Support<\/p>\n

 <\/p>\n

Google Support Case:
\nhttps:\/\/sites.google.com\/u\/[scam URL]\/edit<\/p>\n

 <\/p>\n

Google Account ID: [13-digit number beginning with 17783]\n

 <\/p>\n

This notice is to alert you that a subpoena was issued to Google LLC by a law enforcement that seeks retrieval of information contained in your Google Account.<\/p>\n

 <\/p>\n

To examine the case materials or take measures to submit a protest, please do so in the provided Google Support Case.<\/p><\/blockquote>\n

The e-mail is then padded with several blank lines, followed by “Google Legal Support was granted access to your Google Account.”<\/p>\n

But in reality, no such law enforcement subpoena exists. In fact, it’s all part of a ruse to encourage you to go to the sites.google.com URL, which is actually a phishing page; we’ll explain more about that later.<\/p>\n

Scammers exploit Google to send the phishing e-mail<\/h3>\n

The most concerning part of this scheme is that the phishers actually trick Google’s systems into sending the phishing e-mail on their behalf.<\/p>\n

Any would-be phisher can buy any domain name, sign up for Google Workspace, and create an app that uses OAuth to allow users to sign in using their Google account. Then they add victims to a mailing list (ideally beginning with “me@” so Gmail will show the recipient as “me”\u2014mimicking how Gmail would display the e-mail if it were sent to their own individual address).<\/p>\n

The name of the scammer’s OAuth app is ridiculously long; it will be the entire body of the scam e-mail, with line breaks and all, including the phishing link. (We’ll get back to the phishing page itself in a moment.)<\/p>\n

\n

The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com. It passes the DKIM signature check, and GMail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts. pic.twitter.com\/GxlFR6ccLG<\/a><\/p>\n

— nick.eth (@nicksdjohnson) April 16, 2025<\/a><\/p><\/blockquote>\n