TZUTC: -0500   
   MSGID: 1057.consprcy@1:2320/105 2c6cdc2d   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Beware, hackers can apparently now send phishing emails from   
   no-reply@google.com   
      
   Date:   
   Mon, 21 Apr 2025 16:08:00 +0000   
      
   Description:   
   Researchers discover a rather elaborate scheme that looks authentic but it's   
   still just phishing.   
      
   FULL STORY   
      
   Researchers have discovered a clever and elaborate phishing scheme that    
   abused Googles services to trick people into giving away their credentials    
   for the platform.    
      
   Lead developer of the Ethereum Name Service, Nick Johnson, recently received   
   an email that seemed to have come from no-reply@google.com. The email said   
   that law enforcement subpoenaed Google for content found in his Google   
   Account.    
      
   He said that the email looked legitimate, and that it was very difficult to   
   spot that its actually fake. He believes less technical users might very   
   easily fall for the trick.    
      
   DKIM signed   
      
   Apparently, the crooks would first create a Google account for me@domain.   
   Then, they would create a Google OAuth app, and put the entire phishing   
   message (about the fake subpoena) in the name field.    
      
   Then, they would grant themselves access to the email address in Google   
   Workspace.    
      
   Google would then send a notification email to the me@domain account, but   
   since the phishing message was in the name field, it would cover the entire   
   screen.    
      
   Scrolling to the bottom of the email message would show clear signs that   
   something was amiss, since at the bottom one could read about getting access   
   to the me@domain email address.    
      
   The final step is to forward the email to the victim. Since Google generated   
   the email, it's signed with a valid DKIM key and passes all the checks,   
   Johnson explained how the emails landed in peoples inbox and not in spam.    
      
   The attack is called a DKIM replay phishing attack, since it leans on the    
   fact that in Googles systems, DKIM checks only the message and the headers,   
   not the envelope. Since the crooks first registered the me@domain address,   
   Google will show it as if it was delivered to their email address.    
      
   To hide their intentions even further, the crooks used sites.google.com to   
   create the credential-harvesting landing page. This is Googles free   
   web-building platform and should always raise red flags when spotted.    
      
    Via BleepingComputer   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/beware-hackers-can-apparently-now-send-   
   phishing-emails-from-no-reply-google-com   
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30   
   SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426