‘Recently I was targeted by an extremely sophisticated phishing attack’: Are you next?

Cybersecurity threats continue to evolve, becoming more deceptive and difficult to detect, even for the most vigilant users.

A recent revelation has cast a spotlight on the vulnerabilities within one of the world’s most widely used communication platforms, raising alarm bells for billions of people around the globe.

What followed was a sophisticated scheme that has experts and tech companies scrambling to respond.


Cybercriminals launched a highly advanced phishing scam that targeted Gmail users worldwide, prompting an urgent security alert from Google.

The scam first came to light when Ethereum developer Nick Johnson shared his experience in a post on social media.

‘Recently I was targeted by an extremely sophisticated phishing attack,’ Johnson wrote.


Expert warns of new Gmail phishing scam. Image source: Pexels/cottonbro studio


He warned that the attack exploited a flaw within Google’s own systems and claimed the tech giant had declined to address it.

‘It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more,’ he said.

Johnson provided a screenshot of the email he received, which mimicked official communication from Google and stated he had been served with a subpoena.

The message instructed him to hand over account access and linked to a page hosted on sites.google.com rather than the usual accounts.google.com.

‘The only hint it's a phish is that it's hosted on sites.google.com instead of accounts.google.com,’ Johnson noted.

Clicking the link directed him to a fake ‘support portal’ page that closely resembled Google's legitimate interface.

When he selected options like ‘Upload additional documents’ and ‘View case’, he was taken to pages that were almost exact replicas of real Google login pages.

These fraudulent sites requested his Google login credentials.


‘From there, presumably, they harvest your login credentials and use them to compromise your account; I haven't gone further to check,’ Johnson explained.

He also said the email passed a DKIM signature check, which normally ensures an email hasn’t been altered en route.

‘It even puts it in the same conversation as other, legitimate security alerts,’ he added.

In a statement, Google confirmed the phishing attempt and described it as ‘sophisticated’.

‘We're aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse,’ a spokesperson said.

They advised users to enable two-factor authentication and use passkeys for added protection.

‘In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.’


Google said it had blocked the exploit used in the attack and recently shared advice to help users recognise and avoid email scams.

The company clarified that it would never request login credentials or one-time passwords, or ask users to confirm actions, through phone calls.

Phishing scams like this one are designed to appear legitimate in order to trick people into revealing personal information.

Hackers crafted their scam using Google Sites to make the domain seem trustworthy.

‘Because they know people will see the domain is http://google.com and assume it's legit,’ Johnson said.
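Johnson's point above, and the earlier observation that the only giveaway was sites.google.com in place of accounts.google.com, can be turned into a mechanical check. The script below is an added example, not code from the article, from Johnson's post or from Google: it compares the exact host of each link in a message against the hosts where credentials are legitimately entered, rather than asking whether the string google.com appears somewhere in the address. The sample message and the allowlist of login hosts are constructed assumptions for the example.

```python
"""Classify links in a message by exact host instead of by 'looks like Google'."""
import re
from urllib.parse import urlsplit

# Hosts at which the genuine account sign-in happens. This allowlist is an
# assumption for the example; a real deployment maintains it per service.
LOGIN_HOSTS = {"accounts.google.com", "myaccount.google.com"}

# Constructed sample message, modelled on the subpoena lure the article describes.
SAMPLE_EMAIL = """Subject: Notice of subpoena
A legal request has been issued for data in your Google Account.
View case: https://sites.google.com/view/case-review-example/home
Manage your account: https://accounts.google.com/
Urgent action: https://accounts.google.com.verify-example.net/login
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_links(text):
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(text)


def host_of(url):
    """Exact host name of a URL, lower-cased, without a trailing dot.
    urlsplit().hostname ignores any user@ prefix, so
    https://accounts.google.com@evil.example/ resolves to evil.example."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def naive_looks_like_google(url):
    """The unsafe test a reader applies by eye: 'google.com' appears in the address."""
    return "google.com" in host_of(url)


def classify(url):
    """Three-way verdict on where a link actually leads."""
    host = host_of(url)
    if host in LOGIN_HOSTS:
        return "expected-login-host"
    # Genuine Google-owned host, but not a sign-in page: user-authored content
    # such as Google Sites lives here and must never be given a password.
    if host == "google.com" or host.endswith(".google.com"):
        return "google-hosted-content"
    return "other-host"


def audit(text):
    """(url, host, verdict, naive_opinion) for each link in a message."""
    return [(u, host_of(u), classify(u), naive_looks_like_google(u))
            for u in extract_links(text)]


if __name__ == "__main__":
    for url, host, verdict, naive in audit(SAMPLE_EMAIL):
        flag = "" if verdict == "expected-login-host" else "  <-- do not enter credentials"
        print(f"{verdict:22} naive_says_google={naive!s:5} {host}{flag}")
```

The naive test says "yes, Google" for all three sample links, including the one whose host merely ends in a look-alike suffix; the exact-host check accepts only the real sign-in host and separates hosted content on sites.google.com from it, which is the distinction the attack relied on readers not making.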


Passwords alone are not enough to protect Gmail accounts from this type of attack.

A hacker who obtains a password can enter it, together with a phished 2FA code, from their own device and get into the account.

Passkeys, which are generated automatically and tied to a specific device, provide a stronger defence.

These credentials cannot be guessed or reused from another device, which reduces the risk of unauthorised access.
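The difference between a relayed password plus 2FA code and a passkey is easiest to see in a small simulation. The code below is an added example, not from the article or from Google; it models a genuine login service, the user's device, and a look-alike page on sites.google.com that forwards whatever the victim supplies. Assumptions: an HMAC keyed with a per-credential secret stands in for the passkey's private-key signature (a real passkey uses a public/private key pair), the password and one-time code are constructed demo values, and the origin strings are used only as labels.

```python
"""Why a relayed password + OTP works but a relayed passkey assertion does not."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.google.com"
PHISH_ORIGIN = "https://sites.google.com"   # the look-alike host from the article


class RelyingParty:
    """The genuine login service, holding one constructed demo user."""

    def __init__(self, origin):
        self.origin = origin
        self.password_hash = hashlib.sha256(b"correct horse").hexdigest()
        self.current_otp = "493021"        # constructed one-time code shown to the user
        self.passkey_pub = None            # HMAC stand-in for the stored public key
        self.challenges = set()

    def login_with_password_otp(self, password, otp):
        pw_ok = hmac.compare_digest(self.password_hash, hashlib.sha256(password).hexdigest())
        return pw_ok and hmac.compare_digest(self.current_otp, otp)

    def register_passkey(self, public_key):
        self.passkey_pub = public_key

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_with_passkey(self, client_data, signature):
        data = json.loads(client_data)
        # The challenge must be one we issued and is single-use.
        if data["challenge"] not in self.challenges:
            return False
        self.challenges.discard(data["challenge"])
        # The assertion carries the origin the browser was really on; anything
        # other than the genuine sign-in origin is rejected even with a valid signature.
        if data["origin"] != self.origin:
            return False
        expected = hmac.new(self.passkey_pub, client_data.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class Authenticator:
    """The user's device. It signs the origin the browser reports, nothing else."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # stands in for the private key

    def public_key(self):
        return self.key  # HMAC simplification: both sides hold the same secret

    def sign(self, challenge, browser_origin):
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin},
                                 sort_keys=True)
        sig = hmac.new(self.key, client_data.encode(), hashlib.sha256).digest()
        return client_data, sig


def relayed_password_otp(rp):
    """Victim types password and code into the look-alike page; attacker relays both."""
    return rp.login_with_password_otp(b"correct horse", rp.current_otp)


def relayed_passkey(rp, device):
    """Look-alike page forwards a real challenge; the device signs it for sites.google.com."""
    challenge = rp.new_challenge()
    client_data, sig = device.sign(challenge, PHISH_ORIGIN)
    return rp.login_with_passkey(client_data, sig)


def genuine_passkey(rp, device):
    """Same device, same key, but the browser is on the real sign-in origin."""
    challenge = rp.new_challenge()
    client_data, sig = device.sign(challenge, REAL_ORIGIN)
    return rp.login_with_passkey(client_data, sig)


def run_demo():
    rp = RelyingParty(REAL_ORIGIN)
    device = Authenticator()
    rp.register_passkey(device.public_key())
    return {
        "relayed_password_otp": relayed_password_otp(rp),
        "relayed_passkey": relayed_passkey(rp, device),
        "genuine_passkey": genuine_passkey(rp, device),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:22} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The relayed password and code are accepted because nothing in them records where the victim typed them; the relayed passkey assertion is rejected because the device bound it to sites.google.com, and the genuine login succeeds only when the browser is on accounts.google.com.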

To protect your online security, it is vital to learn how to identify phishing attempts.



Scam emails often begin with a generic greeting and create urgency to compel users to act quickly by clicking a link.

Although companies like Google do send security emails, they will never include links asking you to fix login or payment issues.

In this case, scammers impersonated a legal or government request for account data.

Google’s Privacy and Terms page states: ‘When we receive a request from a government agency, we send an email to the user account before disclosing information. If the account is managed by an organisation, we'll give notice to the account administrator.’

‘We won't give notice when legally prohibited under the terms of the request. We'll provide notice after a legal prohibition is lifted, such as when a statutory or court-ordered gag period has expired.’

This means fake legal requests can be difficult to distinguish from real ones.


Google reminded users to exercise caution with emails requesting personal details.

‘If you get this type of message, don't provide the information requested without confirming that the site is legitimate.’

They also suggested opening the official website in a new browser window instead of clicking on links.

‘Google will never send unsolicited messages asking for your password or other personal information.’


With cybercriminals getting smarter, it's more important than ever to take charge of your online security.

Watch the video below to learn simple yet powerful steps to keep your Gmail account safe from hackers.


Source: Youtube/Pete Matheson


Key Takeaways
  • A sophisticated phishing scam exploited Google's infrastructure to trick Gmail users into handing over their login credentials.
  • The scam mimicked official Google communications and used a fake support portal hosted on sites.google.com.
  • Google confirmed the attack, blocked the exploit, and urged users to use two-factor authentication and passkeys.
  • Users were warned to be cautious of urgent emails asking for personal information and to verify sites before entering details.

With phishing scams becoming more convincing by the day, do you think tech companies are doing enough to keep users safe? Let us know your thoughts in the comments.