Tengrinews.kz – Google has issued a serious alert, warning its 1.8 billion Gmail users about a new type of cyberattack exploiting its own infrastructure to steal personal data. The threat was first flagged by Ethereum developer Nick Johnson, who narrowly avoided becoming a victim himself.
According to Johnson, attackers are using Google Sites to host realistic phishing pages and are sending emails that appear to come from official Google addresses. The scam email he received claimed that he was required to appear in court and to provide access to his account. The message looked legitimate at first glance: it passed Gmail's DKIM checks and landed in the main inbox with no warning.
The link in the email, however, led not to accounts.google.com but to a sites.google.com page that mimicked Google's support portal. On that page, clicking 'View Case' or 'Upload Documents' opened fake login forms designed to harvest Gmail credentials.
“This email looked so official, even seasoned users could fall for it. If I had entered my details, my account could’ve been compromised instantly,” Johnson warned.
Google confirmed the targeted attack and said the loophole has since been closed. The company emphasized the importance of enabling two-factor authentication (2FA) and using strong, unique passwords.
“We’ve implemented additional protective measures and urge all users to stay vigilant,” the company said in a statement.
Why this attack is dangerous
Attackers chose Google Sites as the delivery platform because sites.google.com is a genuine Google-owned address, and the google.com name inspires trust by itself. Google Sites, however, hosts pages created by any user, so a link under that domain can point to attacker-controlled content. This makes phishing links harder to spot, particularly when the message passes every authentication check: DKIM and SPF only establish which domain signed or sent a message, not where its links lead or whether its content is honest.
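To make the point above concrete, here is an added example (not code from the article, from Google or from Nick Johnson) that triages a constructed phishing email of the kind described: a message whose Authentication-Results header records a DKIM pass but whose links point to sites.google.com rather than accounts.google.com. It contrasts a naive "ends with google.com" test, which waves the links through, with an exact-host allowlist. The sample message, the LOGIN_HOSTS allowlist and the USER_CONTENT_HOSTS list are assumptions made for the example.

```python
"""Link-target triage for a DKIM-passing phishing email (added example).

The message below is constructed for this example; the header values and
URLs are invented and do not reproduce the real campaign's content.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed allowlist: hosts where a genuine Google sign-in or account page lives.
LOGIN_HOSTS = {"accounts.google.com", "myaccount.google.com"}

# Google-owned hosts that serve content uploaded by arbitrary users. A link
# here is attacker-controllable even though the registrable domain is google.com.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample message modelled on the flow described in the article.
RAW_EMAIL = b"""\
From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert: your account data is subject to a subpoena
Authentication-Results: mx.google.com; dkim=pass header.i=@accounts.google.com
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>A subpoena requires us to produce a copy of your Google Account content.</p>
<p><a href="https://sites.google.com/u/0/d/example-case/p/view-case">View Case</a></p>
<p><a href="https://sites.google.com/u/0/d/example-case/p/upload">Upload Documents</a></p>
</body></html>
"""


def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage."""
    return email.message_from_bytes(raw, policy=policy.default)


def dkim_passed(msg) -> bool:
    """True if the receiving MTA recorded dkim=pass in Authentication-Results."""
    return any("dkim=pass" in str(h).lower()
               for h in msg.get_all("Authentication-Results", []))


def extract_links(msg) -> list:
    """Return every href target in the HTML (or plain) body, in document order."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    return HREF_RE.findall(body.get_content())


def naive_is_google(url: str) -> bool:
    """The flawed check: any host ending in 'google.com' is trusted.

    Accepts sites.google.com (user content) and even evilgoogle.com.
    """
    host = (urlparse(url).hostname or "").lower()
    return host.endswith("google.com")


def strict_is_login_link(url: str) -> bool:
    """Exact-host allowlist over HTTPS: only real sign-in hosts pass."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return parsed.scheme == "https" and host in LOGIN_HOSTS


def is_user_content_link(url: str) -> bool:
    """True if the link lands on a Google host that serves user-uploaded pages."""
    host = (urlparse(url).hostname or "").lower()
    return host in USER_CONTENT_HOSTS


def triage(raw: bytes) -> dict:
    """Combine the checks: a DKIM pass does not vouch for the link targets."""
    msg = parse_message(raw)
    links = extract_links(msg)
    user_content = [u for u in links if is_user_content_link(u)]
    login = [u for u in links if strict_is_login_link(u)]
    verdict = "suspicious" if user_content else "clean"
    return {
        "dkim_pass": dkim_passed(msg),
        "links": links,
        "user_content_links": user_content,
        "login_links": login,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(RAW_EMAIL)
    print("DKIM pass:", result["dkim_pass"])
    for url in result["links"]:
        print(f"{url}\n  naive trust: {naive_is_google(url)}"
              f"  strict login host: {strict_is_login_link(url)}")
    print("Verdict:", result["verdict"])
```

The verdict is reached purely from where the links resolve, so the DKIM result is reported but never used to lower the score: a signed message from accounts.google.com whose only links go to user-hosted content is exactly the pattern the article describes. The suffix check in naive_is_google is shown to illustrate the mistake; a real filter should compare hosts exactly, or at least match on ".google.com" with a leading dot and then exclude user-content hosts.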
Experts warn that phishing attempts often contain signs such as:
- Generic greetings instead of personalized names,
- Urgent requests to take action,
- Suspicious links or attachments.
Google reminded users of the following key points:
- It never asks for passwords, verification codes, or personal information via email.
- It never sends push notifications demanding identity verification.
- If you receive a suspicious message, never click embedded links—open the site manually in a separate tab or window to verify it.
For added security, Google recommends using passkeys. A passkey is bound to the website it was created for and is stored on your device, so a look-alike login page cannot trigger it, and there is no password to type into a fake form for attackers to harvest.
As phishing attacks grow more advanced, cybersecurity experts urge users to treat every unexpected message with caution - even those that appear to come from trusted sources.