Beware of this sneaky Google phishing scam

Scammers Exploit Google and PayPal Tools to Bypass Email Security and Launch Phishing Attacks

Cybercriminals are abusing trusted platforms like Google and PayPal to send phishing emails that successfully bypass standard email security measures, according to a new report by Bleeping Computer.

In one campaign, attackers are sending fake emails from [email protected], disguised as urgent legal notices claiming that law enforcement is requesting information tied to the recipient’s Google Account. The scam uses Google Sites, a legitimate web-building service, to create convincing phishing pages and email content designed to scare victims into revealing their credentials.

According to cybersecurity firm EasyDMARC, the emails evade common security checks such as DomainKeys Identified Mail (DKIM) because they are technically sent from Google’s own tools. The attackers exploit a loophole by inserting the full body of their phishing message as the name of a fake app, which Google then automatically includes in a system-generated email—making the message appear authentic.

Because DKIM validates only the signed headers and body, the email remains fully signed and appears legitimate even when forwarded to a user's Gmail inbox, making it far more convincing. A similar DKIM replay attack was observed last month targeting PayPal users.

To further enhance the illusion, the phishing email links to a convincing support portal hosted on sites.google.com instead of the legitimate accounts.google.com domain, banking on the assumption that most recipients won’t notice the subtle difference.
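A defender-side triage check for the pattern described above, added here as an example rather than code from the article or from EasyDMARC: it parses a constructed message, reads the DKIM signing domain, treats a Return-Path outside that domain as a sign the already-signed message was forwarded on, and flags links to sites.google.com in a mail posing as an account notice. All header values and URLs in the sample are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above; header
# values and the Google Sites URL are placeholders, not real indicators.
SAMPLE = """\
Return-Path: <bounce@forwarding-mailbox.example>
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=placeholder;
 h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <notifications@accounts.google.com>
Subject: Notice of subpoena for your Google Account
Content-Type: text/plain; charset=utf-8

Law enforcement has requested information from your Google Account.
Review the case: https://sites.google.com/view/case-review-placeholder
Help: https://support.google.com/
"""

USER_CONTENT_HOSTS = {"sites.google.com"}  # anyone can publish pages here


def domain_of(header):
    """Lower-cased domain of an address header ('' if absent)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()


def analyse(raw):
    """Flag a DKIM-signed mail showing the replay + Google Sites pattern."""
    msg = email.message_from_string(raw, policy=policy.default)
    m = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    signing = m.group(1).lower() if m else ""
    bounce = domain_of(msg.get("Return-Path"))
    # DKIM covers only the signed headers and body, so a Google-signed mail
    # that bounces to a non-Google mailbox was forwarded after signing.
    replay_suspect = bool(signing and bounce) and not (
        bounce == signing or bounce.endswith("." + signing))
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    links = re.findall(r"https?://[^\s<>\"']+", body)
    # An account notice pointing at a user-publishable host rather than
    # accounts.google.com is the lure the article describes.
    lookalikes = [u for u in links if urlparse(u).hostname in USER_CONTENT_HOSTS]
    return {
        "signing_domain": signing,
        "from_domain": domain_of(msg.get("From")),
        "return_path_domain": bounce,
        "replay_suspect": replay_suspect,
        "lookalike_links": lookalikes,
        "verdict": "suspicious" if (replay_suspect or lookalikes) else "no-findings",
    }
```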

Nick Johnson, a developer at Ethereum Name Service, received one of these phishing emails and flagged the abuse of Google’s OAuth app system as a security vulnerability. Initially, Google dismissed the issue, stating the system was “working as intended.” However, after further scrutiny, the company has reportedly acknowledged the problem and is now working on a fix.
