Multiple Cisco Products Vulnerabilities
April 21, 2025
SideWinder APT Group aka Rattlesnake – Active IOCs
April 21, 2025
Severity
High
Analysis Summary
Attackers have found a way to send phishing emails that appear to come from Google even though they are sent from elsewhere. Because the messages are relayed through Google's own systems, they pass Google's authentication checks and look legitimate, while the links they carry lead to fake support pages built to harvest login credentials. One such email was received by a developer. It appeared to be a security alert from Google <no-reply@accounts.google.com> warning of a legal request for his account data; it looked authentic and was threaded together with his other genuine Google alerts.
On closer inspection, however, the link led to a page hosted on sites.google.com rather than the official accounts.google.com. That subtle difference marked the page as a phishing site built to mimic Google's login page and capture any credentials entered into it.
The attackers abused a weakness in Google's email authentication, specifically in how DomainKeys Identified Mail (DKIM) is relied upon. DKIM verifies that a message's signed headers and body have not been altered since signing, but it does not check who actually transmitted the message. By creating a Google OAuth application and triggering a security alert to themselves, the attackers obtained a genuine DKIM-signed email from Google. They then forwarded that email, signature intact, to potential victims, where it still validated as a legitimate message from Google.
This technique, known as a DKIM replay attack, has also been used against other services such as PayPal. In each case the attackers obtain a legitimately signed message and resend it so that phishing content passes authentication checks and lands in users' inboxes.
Impact
- Credential Theft
- Security Bypass
Remediation
- Implement rate limiting to restrict the number of emails accepted from a specific sender within a defined time frame.
- Educate email recipients to recognize signs of phishing and verify the legitimacy of emails, even if they appear to come from trusted sources.
- Enforce email authentication measures, including SPF, DKIM, and DMARC, to authenticate emails and block potentially malicious content.
- Oversign email headers by including multiple cryptographic signatures in the headers to enhance authenticity and prevent unauthorized modifications.
- Use shorter expiration times for DKIM signatures to reduce the window of opportunity for replay attacks.
- Include timestamps and nonces in email headers or body to ensure each email is unique and prevent replay attacks.
- Rotate DKIM keys periodically to limit the duration a compromised key can be exploited.
- Remove deprecated public keys from DNS records to prevent their misuse in DKIM replay attacks.
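The oversigning, timestamp and expiration remediations above can be checked mechanically against a message's DKIM-Signature header. The following is an added example and not code from the advisory's authors; the header values, the seven-day lifetime policy and the function names are constructed for illustration:

```python
import re

# Constructed DKIM-Signature values (not from the advisory): a weak one with no
# timestamp, expiry or oversigning, and a hardened one applying the remediations above.
WEAK_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
            "h=from:to:subject:date; bh=AAAA=; b=BBBB=")
HARDENED_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
                "h=from:from:to:to:subject:subject:date:date; "
                "t=1745193600; x=1745280000; bh=AAAA=; b=BBBB=")

def parse_dkim_tags(header):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 syntax)."""
    tags = {}
    for part in header.split(";"):
        name, sep, value = part.partition("=")
        if sep:  # skip empty fragments such as a trailing ';'
            tags[name.strip()] = re.sub(r"\s+", "", value)  # whitespace inside values is ignored
    return tags

def oversigned_headers(h_tag):
    """Header names listed more than once in h=, so an added copy breaks the signature."""
    names = [n.lower() for n in h_tag.split(":") if n]
    return {n for n in names if names.count(n) > 1}

def assess_replay_resistance(header, now, max_lifetime=7 * 24 * 3600):
    """List replay-relevant weaknesses; 'now' is Unix time, max_lifetime is a hypothetical 7-day policy."""
    tags = parse_dkim_tags(header)
    findings = []
    h_tag = tags.get("h", "")
    signed = {n.lower() for n in h_tag.split(":") if n}
    oversigned = oversigned_headers(h_tag)
    for name in ("from", "to", "subject"):
        if name not in signed:
            findings.append(f"{name} header is not covered by the signature")
        elif name not in oversigned:
            findings.append(f"{name} header is not oversigned; an added copy would not break the signature")
    if "t" not in tags:
        findings.append("no t= signing timestamp")
    if "x" not in tags:
        findings.append("no x= expiration; the signature never stops validating")
    else:
        expires = int(tags["x"])
        if expires < now:
            findings.append("signature has expired")
        elif "t" in tags and expires - int(tags["t"]) > max_lifetime:
            findings.append("expiration window exceeds policy")
    return findings
```

Run against the weak header this reports five gaps; the hardened header reports none while its x= is in the future and exactly "signature has expired" once it is past.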