Google is sending the perfect phishing email.

April 15, 2013

This weekend I decided to change my Google account password. In response, Google sent an email to the account address notifying me of the change. The email said that if I had not changed my password myself (meaning someone else had done it for me), I should click a link to reset it. Excellent service, right? Until I realised we are all doomed!

Doomed, because this is the perfect template for a password phishing email. Send the same message to a large number of Google account holders, and many of them will click the link precisely because they did not change their password. Point the link at a website that imitates the genuine Google password reset page, ask every visitor to enter their old password before offering to reset it, and then use the password just entered to take over the account. To the recipient the genuine notification and the phish look the same: both arrive unprompted, both report an event the recipient knows nothing about, and both ask for the same click.

Doomed, because I have no clue how to prevent this. Sending the email makes perfect sense as a way of notifying people of possibly suspicious activity on their account. Offering a link to click makes perfect sense from a usability perspective. But because people hardly ever visit the Google account recovery page, they have no idea what to expect there, and will readily enter whatever information is asked of them. In fact, they would expect to have to enter a lot of information to prove they are the real owner of the account, so the phisher can ask for additional information, such as credit card details, as well. (Don't laugh: I once tried to regain control of an account at Google that someone had screwed up, and I was in fact asked to supply credit card information. I did not comply and was forced to abandon the account and create a new one.)

Embedding some secret in the account recovery page that the account holder is supposed to recognise does not help either. Because you hardly ever visit this page, you do not know that you should look for this authenticating piece of information, and a phishing page that simply omits it will not strike you as odd. (If, however, this were standard practice for all account recovery pages, it might actually work. Note that in that case the reset link in the email has to contain an access token that allows the recovery page to retrieve the secret from your account before you have logged in; that token must be unguessable and short-lived, or the link itself becomes the thing worth stealing.)
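To make the parenthetical concrete, here is an added illustration (my own example code, not Google's scheme and not part of the original post) of a reset link that carries an HMAC-bound access token which the recovery page checks before it reveals the holder's recognition phrase. The account store, the `RECOVERY_ORIGIN` host, the recognition phrases and the one-hour lifetime are all made up for the example. A phisher who cannot mint a valid token cannot fetch the phrase, so the fake page has to leave it out; as argued above, that only helps if users know to expect it.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed demo data: accounts and the recognition phrase each holder chose.
# Hypothetical names throughout; this is not Google's actual recovery scheme.
ACCOUNTS = {
    "alice@example.org": {"recognition_phrase": "blue teapot on the windowsill"},
    "bob@example.org": {"recognition_phrase": "Saturday chess club"},
}
RECOVERY_ORIGIN = "https://accounts.example.com"  # assumed recovery site
SERVER_KEY = secrets.token_bytes(32)               # MAC key; stays on the server
TOKEN_TTL = 3600                                   # seconds a reset link stays valid
_used_nonces = set()                               # tokens are single-use


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_reset_link(account: str, now: Optional[float] = None) -> str:
    """Build the link placed in the notification email. The token binds the
    account, an expiry and a one-time nonce under an HMAC-SHA256 tag."""
    now = time.time() if now is None else now
    claims = {"acct": account, "exp": int(now) + TOKEN_TTL,
              "nonce": _b64(secrets.token_bytes(16))}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{RECOVERY_ORIGIN}/reset?token={_b64(payload)}.{_b64(tag)}"


def recovery_page(url: str, now: Optional[float] = None) -> Optional[str]:
    """What the recovery page does on arrival, before asking the visitor for
    anything: verify the token and return the account's recognition phrase,
    or None when the link is not ours, forged, expired or already used."""
    now = time.time() if now is None else now
    parsed = urlparse(url)
    if f"{parsed.scheme}://{parsed.netloc}" != RECOVERY_ORIGIN:
        return None                                 # not a link to this site at all
    token = parse_qs(parsed.query).get("token", [""])[0]
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None                                 # malformed token
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                                 # forged or tampered token
    claims = json.loads(payload)
    if claims["exp"] < now or claims["nonce"] in _used_nonces:
        return None                                 # expired, or replayed
    _used_nonces.add(claims["nonce"])
    account = ACCOUNTS.get(claims["acct"])
    return account["recognition_phrase"] if account else None


if __name__ == "__main__":
    link = make_reset_link("alice@example.org")
    print(link)
    print("phrase shown on genuine page:", recovery_page(link))
    print("same link used twice:", recovery_page(link))
```

The token is checked before any form is shown, so the phrase is the first thing a genuine page displays; a page that asks for the old password without showing it is, under this scheme, not the real one.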

If anybody has an idea, please mention it in the comment section below!

In case you spot any errors on this page, please notify me!
Or, leave a comment.
Kitizl, 2013-04-15 13:28:35

I guess one can look at the email ID they received that email from. Instead of accounts.google.com, it might be account.google.com. It's such a small change that nobody will notice. You have to be aware, I guess….

Jaap-Henk, 2013-04-15 13:32:43

The email ID is easily spoofed, so could be anything. The link people are asked to click on should point to the correct domain. But phishers have many tricks to make it highly unlikely you will spot that you are directed to a fake site… Can you tell google from googIe?

Rolf E. Sonneveld, 2013-04-15 21:27:37

Hi, Jaap-Henk,

to answer your question: yes, we can. Google publishes SPF and DKIM information in DNS. As gmail.com signs all outbound mail with a DKIM signature, one can be sure that the mail is from gmail.com when the DKIM signature verifies.

To summarize DKIM: the sending mail server generates a hash over the body of the message, then this body hash + a number of header fields (From: is mandatory, To:, Subject: etc. are optional) are used to create a DKIM-Signature header field using the private key of the sender. This DKIM-Signature header can then be verified by the receiving mail server, by looking up the DKIM public key of the sending domain and recreating these hashes.

Phishers are able to abuse the gmail.com domain, but they can’t sign it with the d=gmail.com DKIM signature domain, as they do not have access to the private key of Gmail.

More information on DKIM: http://www.dkim.org
More information on SPF: http://www.openspf.org
More information on DMARC: http://www.dmarc.org
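As an added worked example of the summary in the comment above (my own code, not Rolf's, and not a full DKIM implementation), the following Python shows the part of DKIM that the signature actually covers: RFC 6376 body and header canonicalization, the bh= body hash, and the exact bytes the signer's RSA key signs. The RSA signature itself and the DNS lookup of the public key (the TXT record at selector._domainkey.domain) are left out. The message, the domain `gmail.example` and the selector are constructed for the example.

```python
import base64
import hashlib
import re
from typing import List, Tuple

# Added illustration of the DKIM summary above, following RFC 6376. Not a full
# implementation: the RSA signature over the header hash and the DNS lookup of
# the selector's public key (TXT at <s>._domainkey.<d>) are left out.


def relaxed_body(body: str) -> str:
    """'relaxed' body canonicalization: trailing WSP removed, WSP runs collapsed
    to one space, trailing empty lines dropped, body ends with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def simple_body(body: str) -> str:
    """'simple' body canonicalization: only trailing empty lines are removed;
    an empty body becomes a single CRLF."""
    body = re.sub(r"(\r\n)+\Z", "\r\n", body)
    return body if body.endswith("\r\n") else body + "\r\n"


def relaxed_header(name: str, value: str) -> str:
    """'relaxed' header canonicalization: lowercase name, unfolded value, WSP
    runs collapsed, no WSP around the colon or at the end of the value."""
    value = re.sub(r"\r\n[ \t]+", " ", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"


def body_hash(body: str, canon: str = "relaxed") -> str:
    """bh= tag value: base64(SHA-256(canonicalized body))."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()


def signed_data(headers: List[Tuple[str, str]], dkim_tags: str) -> bytes:
    """The bytes the b= signature covers: the header fields listed in h= (each
    name taken from the bottom of the header block upward, so a later-added
    duplicate does not displace the signed one), followed by the DKIM-Signature
    field itself with the b= value emptied and its trailing CRLF removed."""
    h_list = re.search(r"(?:^|;\s*)h=([^;]+)", dkim_tags).group(1)
    remaining = list(headers)
    out = ""
    for name in (n.strip().lower() for n in h_list.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == name:
                out += relaxed_header(*remaining.pop(i))
                break
    sig_without_b = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", dkim_tags)
    out += relaxed_header("DKIM-Signature", sig_without_b).rstrip("\r\n")
    return out.encode()


def header_hash(headers: List[Tuple[str, str]], dkim_tags: str) -> str:
    """Hex SHA-256 of the signed data. The signer RSA-signs this digest to get
    b=; the verifier recomputes it and checks b= with the DNS-published key."""
    return hashlib.sha256(signed_data(headers, dkim_tags)).hexdigest()


def make_tags(body: str, domain: str = "gmail.example", selector: str = "s1") -> str:
    """DKIM-Signature value with bh= filled in and b= still empty."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=")


# Constructed sample message; not a real Gmail notification.
HEADERS = [
    ("From", "Google Accounts <no-reply@gmail.example>"),
    ("To", "jaap-henk@example.org"),
    ("Subject", "Your password was changed"),
    ("Date", "Mon, 15 Apr 2013 12:00:00 +0000"),
]
BODY = ("Your password was changed.\r\n"
        "If this wasn't you, reset it here:\r\n"
        "https://accounts.example/reset\r\n")

if __name__ == "__main__":
    tags = make_tags(BODY)
    print("DKIM-Signature:", tags)
    print("header hash to be RSA-signed:", header_hash(HEADERS, tags))
```

Two things worth noticing when running it: relaxed canonicalization makes the body hash survive trailing-whitespace changes that mail relays introduce, while any change to the link text changes bh=; and because the From: field is inside the signed data, a phisher cannot keep a valid d=gmail.example signature while rewriting the sender, which is the point of Rolf's comment.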

Jaap-Henk, 2013-04-15 21:37:38

Indeed, assuming that the receiving infrastructure verifies this signature, then “one can be sure that the mail is from gmail.com”. But is a mail server also supposed to reject any incoming email claiming to be from the gmail.com domain that does not have a DKIM signature at all? If not, DKIM is useless. And even if such mails would be rejected, what about mails claiming to come from similar (or otherwise trustworthy looking) domains like googIe.com (the I is a capital i) or googleabuse.com?

DKIM is not a solution to this problem, I’m afraid…
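The question raised in the two comments above (should mail that claims to be from a domain but carries no valid signature for that domain be rejected?) is what DMARC, linked in the earlier comment, lets the domain owner answer: the receiver checks whether an SPF or DKIM pass aligns with the From: domain and otherwise applies the published p= policy. The following added example (my own code, not part of the thread) implements that evaluation on constructed inputs. The `_dmarc.` records, domains and authentication results are made up, and the organizational-domain logic is simplified to the last two labels where a real receiver consults the Public Suffix List. It also shows the limit the second comment points to: a lookalike domain with no record of its own passes through untouched.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed DMARC records, i.e. what a receiver would fetch as a TXT record
# at _dmarc.<domain>. Domains and policies are made up for this example.
DMARC_RECORDS: Dict[str, str] = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "_dmarc.shop.example": "v=DMARC1; p=none",
}


def org_domain(domain: str) -> str:
    """Organizational domain. Simplified to the last two labels; a real receiver
    uses the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(from_header: str) -> str:
    """Domain of the RFC5322.From address, which is what DMARC aligns against."""
    return re.findall(r"@([A-Za-z0-9.-]+)", from_header)[-1].lower()


def parse_dmarc(record: str) -> Dict[str, str]:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain: str, header_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    a, h = auth_domain.lower().rstrip("."), header_domain.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def dmarc_evaluate(from_header: str, dkim_pass_domains: List[str],
                   spf_domain: Optional[str], spf_pass: bool,
                   records: Dict[str, str] = DMARC_RECORDS) -> Tuple[str, str]:
    """Return (disposition, reason). dkim_pass_domains are the d= values of the
    signatures that verified; spf_domain is the MAIL FROM domain SPF checked.
    A message with no signature at all simply has an empty dkim_pass_domains."""
    hdr = from_domain(from_header)
    record = records.get(f"_dmarc.{hdr}")
    subdomain_lookup = False
    if record is None and org_domain(hdr) != hdr:
        record = records.get(f"_dmarc.{org_domain(hdr)}")
        subdomain_lookup = True
    if record is None:
        return "none", "no DMARC record for the From: domain; receiver is on its own"
    tags = parse_dmarc(record)
    adkim, aspf = tags.get("adkim", "r"), tags.get("aspf", "r")
    for d in dkim_pass_domains:
        if aligned(d, hdr, adkim):
            return "pass", f"DKIM signature d={d} aligned with From: {hdr}"
    if spf_pass and spf_domain and aligned(spf_domain, hdr, aspf):
        return "pass", f"SPF pass for {spf_domain} aligned with From: {hdr}"
    if subdomain_lookup:
        policy = tags.get("sp", tags.get("p", "none"))
    else:
        policy = tags.get("p", "none")
    return policy, f"no aligned SPF or DKIM pass; domain owner asks for p={policy}"


if __name__ == "__main__":
    cases = [
        ("genuine, signed", "Bank <alerts@bank.example>", ["bank.example"], "bank.example", True),
        ("spoofed From:, unsigned", "Bank <alerts@bank.example>", [], "bulk.phisher.example", True),
        ("lookalike domain, no record", "Bank <alerts@bankk.example>", [], None, False),
    ]
    for label, frm, dkim, spf_dom, spf_ok in cases:
        print(f"{label:28s} -> {dmarc_evaluate(frm, dkim, spf_dom, spf_ok)}")
```

Note the asymmetry the thread is circling: a p=reject record turns "unsigned mail claiming to be from this domain" into something receivers are asked to drop, but it says nothing about mail from a domain that merely resembles it, and a p=none record (common while a domain owner is still monitoring) asks for nothing at all.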

Kitizl, 2013-04-17 13:35:31

I guess if I receive such a phish, then maybe I'll let you know…

Kitizl, 2013-05-20 17:49:17

Yeah, it just happened to me. People have IDs like noreply_gmail, so we really do need to watch out, I guess…

/ Frend, 2013-04-16 08:00:20

Nice article. In order to change the password you must know the original password. That is a bigger concern. An option could be sending a verification code to your cellular phone, if known by Google, which is needed to change your password.

Jaap-Henk, 2013-04-16 08:39:52

Yes, if you enable two-factor authentication for your account, then you are less prone to these types of phishing attacks. But again note that the original attack I described is one where the attacker hosts a site that pretends to be Google’s password reset page, but in fact isn’t, and is only used to steal your original password.

hank, 2013-04-18 16:55:54

What happens would depend on your reaction to the email. One reaction could be to verify that the password had actually been changed: go to your account and try to log in. Unless your acct. has been already cracked, the old password should work and you might then suspect phishing was involved.

Jaap-Henk, 2013-04-18 17:27:38

Nice! That would indeed work. However this involves training people to do so even if the email itself doesn’t tell them to…

Felipe, 2013-04-30 14:25:51

ChromeSync’s password manager is an option, it will auto-fill the password for you only in the proper domain (and other signals). If you hit the link on the phishing mail, your current login/password will not be auto-filled. This should already raise a flag.
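Several comments above turn on the same check: whether the host behind a link really belongs to the expected domain (which is what the password manager in the last comment decides before auto-filling), and if not, whether it merely looks like it (googIe.com with a capital I, googleabuse.com, or the real name buried in a subdomain of some other site). The following added example (my own code, not from any commenter and not Chrome's) implements both: an exact registrable-domain match, and a lookalike check that maps a small constructed set of confusable characters, measures edit distance, and looks for the brand name inside or above the registrable domain. The registrable-domain logic takes the last two labels for brevity where a real implementation uses the Public Suffix List, and the confusable table is only a handful of entries rather than the full Unicode confusables data.

```python
import unicodedata
from typing import Optional
from urllib.parse import urlparse

# Constructed confusable map: the capital-I-for-l trick named in the thread plus
# a few other common substitutions (digits, 'rn' for 'm', Cyrillic lookalikes).
# A real checker uses the full Unicode confusables table.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l", "0": "o", "3": "e", "5": "s",
    "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def host_of(url: str) -> str:
    """Host part of a URL with original letter case kept (urlparse().hostname
    lowercases, which would erase the capital I in googIe)."""
    netloc = urlparse(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0].rstrip(".")


def registrable_domain(host: str) -> str:
    """Registrable domain, simplified to the last two labels. A real
    implementation uses the Public Suffix List (think example.co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def same_site(url: str, expected_domain: str) -> bool:
    """The password-manager rule: fill the credential only when the page's
    registrable domain is exactly the one it was saved for."""
    return registrable_domain(host_of(url)) == registrable_domain(expected_domain)


def skeleton(label: str) -> str:
    """Map confusable characters to the letters they imitate, then lowercase.
    The case-sensitive substitutions must run before lowercasing."""
    text = unicodedata.normalize("NFKC", label)
    for look, real in CONFUSABLES.items():
        text = text.replace(look, real)
    return text.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; fine for domain-sized strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(url: str, brand_domain: str) -> Optional[str]:
    """Why a link that is NOT on brand_domain nevertheless resembles it,
    or None when it is either genuine or not similar at all."""
    if same_site(url, brand_domain):
        return None
    host = host_of(url)
    labels = host.split(".")
    if len(labels) < 2:
        return None
    brand = registrable_domain(brand_domain)         # e.g. google.com
    brand_label = brand.split(".")[0]                # e.g. google
    reg = registrable_domain(host)
    # accounts.google.com.evil.example: the brand sits above someone else's domain
    if brand_label in (skeleton(l) for l in labels[:-2]):
        return f"{brand} used as a subdomain of {reg}"
    reg_label = skeleton(labels[-2])
    if reg_label == brand_label:                     # googIe.com
        return f"homoglyph of {brand}"
    if edit_distance(reg_label, brand_label) <= 1:   # gooogle.com, goggle.com
        return f"one character away from {brand}"
    if brand_label in reg_label:                     # googleabuse.com
        return f"{brand_label} embedded in {reg}"
    return None


if __name__ == "__main__":
    for link in ["https://accounts.google.com/signin", "https://googIe.com/reset",
                 "https://accounts.google.com.evil.example/", "https://googleabuse.com/"]:
        print(f"{link:45s} same site: {same_site(link, 'google.com')!s:5s} "
              f"lookalike: {lookalike_reason(link, 'google.com')}")
```

The first function is the one a password manager relies on, and it never fires on a lookalike, which is why the credential is not filled in; the second is the kind of heuristic a mail filter or browser warning can run, and it is deliberately a heuristic: punycode hosts, multi-label public suffixes and the full confusables table are not handled here.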