Cointelegraph Bitcoin & Ethereum Blockchain News




What is a Google subpoena scam?

The Google subpoena scam is a type of phishing attack where fraudsters impersonate Google to create a false sense of urgency and fear. 

Typically, you will receive an email that appears to come from [email protected], claiming to inform you of a subpoena, a formal legal request. The email will often have a subject line like “Security Alert” or “Notice of Subpoena,” making it seem urgent and legitimate. These scammers prey on your natural concern about legal matters and data privacy, hoping to trigger a reaction.

Inside the email, the scammers falsely claim that Google has been served with a subpoena requiring the company to turn over your account data, such as emails, documents or search history. The email will then urge you to click on a link to view your “case materials.” This link typically leads to a fraudulent website, often hosted on Google Sites, which is designed to look like a genuine Google support page. This added layer of legitimacy can easily trick users into believing the request is real.

The fake subpoena appears to be from a Google no-reply domain

The most concerning part of this scam is that attackers are skilled at spoofing Google’s email addresses and mimicking the company’s official content. By doing so, they can bypass common security checks, such as DomainKeys Identified Mail (DKIM), which normally verifies the authenticity of an email. With this approach, the scam appears convincingly legitimate, making it easy for unsuspecting users to act impulsively — potentially exposing sensitive data or inadvertently installing malware.

Did you know? DomainKeys Identified Mail (DKIM) is an email security standard that verifies whether a message really comes from the domain it claims to be from. It uses cryptographic signatures to protect against email spoofing and phishing attacks — making your inbox just a little safer every day.

How the Google subpoena scam works

Software firm EasyDMARC explained that attackers exploited legitimate Google services to bypass traditional spam filters. They used “OAuth” applications combined with DKIM workarounds to create emails that could fool even careful users.

A DKIM replay attack exploits the way email authentication works, specifically using DomainKeys Identified Mail, which adds a digital signature to an email to verify its authenticity.

Steps of the attack:

  1. Attacker receives a legitimate Google email: The attacker obtains a genuine email from Google that carries a valid DKIM signature, which proves it was sent by Google.
  2. Preparing the replay: The attacker saves this email with its DKIM signature intact. Because the signature covers only the signed headers and the body, an unmodified copy still verifies, so the attacker can resend the exact email without touching it.
  3. Sending the spoofed email: The attacker then sends the saved email from a different account (e.g., Outlook), so that it appears to come from the original sender (Google).
  4. Relaying through other servers: The email passes through multiple servers, each of which may add its own DKIM signature, but the original Google DKIM signature remains untouched and valid.
  5. Final delivery: The email reaches the victim’s inbox, appearing legitimate. Despite being relayed through several servers, the email passes SPF, DKIM and DMARC checks, which makes it look like a valid Google email.

The result: The victim is tricked into thinking it’s a legitimate message, potentially leading to harmful actions like clicking malicious links or providing sensitive information. This type of attack plays on the trust people place in email authentication methods and shows how attackers can exploit them.
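The steps above hinge on what a valid DKIM signature does not cover. The following added example (not code from Cointelegraph or EasyDMARC) shows the kind of replay heuristics a receiving mail filter can apply without re-verifying the signature: it checks the unsigned delivery facts (actual recipient, last SMTP hop) against the signed headers, and flags signatures that never expire. The message, domains and addresses are constructed for illustration.

```python
import email
from email import policy

# Constructed sample: an alert signed by the (invented) domain google.test, then
# relayed to a victim's mailbox by an unrelated relay host. All values are made up.
RELAYED_ALERT = (
    "Received: from relay.example.test by mx.victim.test; Tue, 1 Apr 2025 10:00:00 +0000\n"
    "Received: from mail.google.test by relay.example.test; Tue, 1 Apr 2025 09:00:00 +0000\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.test; s=sel1;\n"
    "  h=from:to:subject:date; bh=c29tZWJvZHloYXNo; b=bm90YXJlYWxzaWduYXR1cmU=\n"
    "From: Google <no-reply@google.test>\n"
    "To: attacker-inbox@example.test\n"
    "Subject: Security Alert\n"
    "Date: Tue, 1 Apr 2025 08:59:00 +0000\n\n"
    "Google has been served with a subpoena ...\n"
)


def parse_dkim_tags(sig_header: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (whitespace stripped)."""
    tags = {}
    for part in sig_header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def replay_indicators(raw: str, envelope_rcpt: str, last_hop_host: str) -> list:
    """Replay indicators for one delivery (envelope_rcpt = RCPT TO, last_hop_host = SMTP peer)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no_dkim_signature"]
    tags = parse_dkim_tags(sig)
    signed = {h.lower() for h in tags.get("h", "").split(":")}
    signer = tags.get("d", "").lower()
    findings = []
    # A signature without x= never expires, so a captured message can be replayed forever.
    if "x" not in tags:
        findings.append("no_expiration_tag")
    # The signed To: belongs to the ORIGINAL delivery; a replay cannot change it without
    # breaking the signature, so it will not name the person this copy was delivered to.
    if "to" in signed and envelope_rcpt.lower() not in (msg.get("To") or "").lower():
        findings.append("signed_to_does_not_match_envelope_recipient")
    # Received: headers are never signed, so they still show the real path; a google.test
    # signature handed over by an unrelated relay is worth a closer look.
    if signer and not last_hop_host.lower().endswith(signer):
        findings.append("last_hop_not_signer_domain")
    # l= limits how much body is hashed, so text can be appended without breaking bh=.
    if "l" in tags:
        findings.append("body_length_limit_allows_appended_content")
    return findings
```

None of these findings alone proves a replay (legitimate forwarding also moves a message off the signer's path), so they are inputs to a scoring or quarantine rule rather than a hard reject.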

Here’s how fake Google emails and DKIM replay attacks trick you:

  • Spoofed Google support pages: Clicking the link in the email takes you to a fake Google support page, often hosted on Google Sites, adding another layer of false credibility. The website will urge you to log in to view your “case materials.”
  • Phishing for credentials: If you proceed, you’re asked to enter your Google username and password. Once entered, the attackers can gain full access to your account.
  • Psychological tricks: Scammers use fear-based tactics — mentioning lawsuits, law enforcement involvement or threats of account suspension. The urgency they create is designed to make you bypass your usual caution.

How the Google subpoena scam works

Did you know? Google Sites lets anyone with a Google account create websites under the trusted “sites.google.com” domain. Attackers exploit this by crafting fake login pages and phishing forms, using Google’s SSL and brand reputation to deceive users into revealing sensitive information.

Key signs you’re facing a Google subpoena scam

Even though the Google subpoena scam is highly sophisticated, there are still clear red…
