The scheme, according to Johnson’s testimony, kicked off with a persuasive email, seemingly dispatched by an official Google alert, alerting targets to a subpoena demanding their account data. Signed with a genuine DKIM key and originating from Google’s official no-reply domain, the notice sailed past Gmail’s filters and nestled among legitimate alerts.
Johnson observed that its credibility was further lifted by a sites.google.com hyperlink leading to a counterfeit support portal that mirrored Google’s sign‑in page. The developer noted that the ruse leaned on two cracks: Google Sites’ tolerance for arbitrary scripts, which let criminals craft credential‑harvesting pages hosted on a Google domain, and a weakness in how Google’s own OAuth security alerts could be repurposed.
Attackers registered a fresh domain, opened a Google account, and built an OAuth application whose name duplicated the phishing email’s title. Once the attackers’ own account granted that application access, Google automatically generated a security‑alert email, fully signed and legitimate, which the attackers then relayed to their quarry. Because the alert’s body echoed the application name they had chosen, the attacker‑controlled text arrived under Google’s valid DKIM signature.
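The relay step is the part a mail filter can still catch: a DKIM signature only proves the message left Google unmodified, not that Google addressed it to you. The following is an added example, not code from the article or from Google, that inspects a constructed copy of such a forwarded alert and flags the two traces the relay leaves behind: a `To:` header naming a mailbox other than the one that received it, and a `Received:` hop through a host that belongs to neither the signer nor the receiving organisation. All hostnames, addresses and the signature values are constructed placeholders, and `example.org` stands in for the defender's own domain.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

TRUSTED_SENDER_DOMAIN = "google.com"   # domain whose DKIM signature the alert carries
OUR_MX_DOMAIN = "example.org"          # hypothetical receiving organisation

# Constructed sample: a genuine-looking, DKIM-signed alert that was first delivered
# to the attacker's own mailbox and then forwarded on. Hosts, IPs and signature
# fields are placeholders, not captured data.
RELAYED_ALERT = """\
Delivered-To: victim@example.org
Received: from mail-relay.attacker-infra.example (mail-relay.attacker-infra.example [203.0.113.10])
        by mx.example.org with ESMTPS; Mon, 14 Apr 2025 10:00:00 +0000
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
        by mail-relay.attacker-infra.example with ESMTPS; Mon, 14 Apr 2025 09:59:58 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601;
        h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Google <no-reply@accounts.google.com>
To: me@attacker-infra.example
Subject: Security alert
Date: Mon, 14 Apr 2025 09:59:57 +0000

A new application "Security alert" was granted access to your Google Account.
"""

# Constructed sample: the same kind of alert, sent by Google straight to its recipient.
CLEAN_ALERT = """\
Delivered-To: victim@example.org
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
        by mx.example.org with ESMTPS; Mon, 14 Apr 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601;
        h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Google <no-reply@accounts.google.com>
To: victim@example.org
Subject: Security alert
Date: Mon, 14 Apr 2025 09:59:57 +0000

A new application "Drive Backup" was granted access to your Google Account.
"""


def _address(header: str) -> str:
    return parseaddr(header)[1].lower()


def _within(host: str, domain: str) -> bool:
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def analyze(raw: str) -> list[str]:
    """Return a list of finding tags for one raw RFC 5322 message (empty = clean)."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings: list[str] = []

    # 1. Identify the signer. A valid signature from the trusted domain is expected
    #    and is exactly what made the original attack convincing.
    m = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    signer = m.group(1).lower() if m else ""
    if not signer or not _within(signer, TRUSTED_SENDER_DOMAIN):
        findings.append("no-trusted-dkim")

    # 2. The From: domain should align with the signing domain.
    from_domain = _address(str(msg.get("From", ""))).rpartition("@")[2]
    if signer and not _within(from_domain, signer):
        findings.append("from-not-aligned")

    # 3. A forwarded alert was addressed to the attacker, not to the mailbox that
    #    finally received it, so To: and Delivered-To: disagree.
    to_addr = _address(str(msg.get("To", "")))
    delivered = _address(str(msg.get("Delivered-To", "")))
    if delivered and to_addr != delivered:
        findings.append("recipient-mismatch")

    # 4. Walk the Received: chain (most recent hop first). Every "from" host should
    #    belong to the signer or to our own infrastructure; anything else is a relay.
    for received in msg.get_all("Received", []):
        hop = re.match(r"\s*from\s+(\S+)", str(received))
        if not hop:
            continue
        host = hop.group(1)
        if not _within(host, TRUSTED_SENDER_DOMAIN) and not _within(host, OUR_MX_DOMAIN):
            findings.append(f"third-party-relay:{host}")
            break

    return findings


if __name__ == "__main__":
    print("relayed:", analyze(RELAYED_ALERT))
    print("clean:  ", analyze(CLEAN_ALERT))
```

The DKIM check is deliberately not the gate: the relayed alert passes it, as it did in the real incident. What separates the two samples is the recipient mismatch and the non-Google hop, which is why a filter that trusts signed mail from a well-known domain should still look at who the message was addressed to and how it travelled.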
Johnson castigated Google for first brushing off the bug as “working as intended,” contending the loophole posed serious peril. The bogus portal’s reliance on sites.google.com further misled users because the trusted domain cloaked hostile intent. Weaknesses in Google’s abuse reporting for Sites deepened the trouble, slowing takedown efforts.
After public pressure mounted, Google pivoted and acknowledged the problem. Johnson later confirmed the tech firm plans to remedy the OAuth defect. The episode illuminates phishing’s growing finesse, exploiting revered platforms to slip past defenses.
Security specialists plead vigilance, urging users to question unexpected legal correspondence and double‑check URLs before typing credentials. Google has not yet issued a public statement on the flaw or its repair schedule. The case exposes the wider struggle against phishing as adversaries increasingly weaponize reputable services.