SENDING PHISHING MAILS FROM HIJACKED ACCOUNTS
Cyber security researchers Patrik Fehrenbach and Behrouz Sadeghipour found that an attacker can register any unused domain (one not previously registered with the Google Apps service), for example bankofanycountry.com, with Google Apps for Work to obtain 'firstname.lastname@example.org'.
But obviously, Google would not let you access the email service for 'email@example.com' until domain verification has been completed, which means you can neither send any email from that account nor receive any.
However, the duo explained that there is a page on Google Apps that allows a domain admin to send 'Sign in Instructions' to the organization's users, i.e. firstname.lastname@example.org (the user must be created from the admin panel before proceeding), by accessing the following URL directly in the browser.
Using the compose email interface, as shown, an attacker could send any kind of phishing email containing a malicious link to the target users, in an attempt to trick them into revealing personal information such as passwords, financial details or any other sensitive data.
BEFORE SECURITY PATCH
As shown below, the researchers successfully obtained email@example.com (a domain acquired by Twitter) and sent a mail to the victim with the subject 'Welcome to Twitter', which could convince users into submitting their Twitter credentials to the given phishing pages.
The researchers reported this security and privacy issue to the search engine giant, and the company has applied what I think is only a partial patch to the flaw, as it still allows an attacker to access 'Send Sign in Instructions' for unverified domains, but this time via firstname.lastname@example.org instead of the custom email address.
In an email conversation, Behrouz said, "Google believes that showing the sender as apps-noreply is good enough."
AFTER SECURITY PATCH
But the consequences are still the same, because it won't stop hackers from targeting victims.
Generally, Google automatically identifies spam and suspicious emails and marks them with spam or phishing warnings, for instance messages that look like they come from a legitimate source, such as your bank or Google, but do not.
However, by abusing the Google vulnerability above, hackers could send phishing emails straight into your inbox with no warning, because the email is generated from Google's own servers.
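An added example, not from the article or the researchers, of the inbox-side check that still applies in both the pre-patch and post-patch variants: the brand claimed in the display name or subject ("Welcome to Twitter") is compared with the domain of the actual From address, which is an attacker-registered domain before the patch and the apps-noreply sender after it. The brand table, the sample messages and the placeholder sender domains are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed brand-to-domain table. Assumption: a real deployment maintains
# this for the brands its users actually receive account mail from.
BRAND_DOMAINS = {
    "twitter": {"twitter.com"},
}

def sender_domain(raw_message: str) -> str:
    """Domain of the real From address (not the display name)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()

def brand_mismatch(raw_message: str):
    """Return the brand name when the display name or subject claims a brand
    whose known domains do not include the From domain, otherwise None."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    claimed_text = f"{name} {msg['Subject'] or ''}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed_text and domain not in domains:
            return brand
    return None

# Constructed samples. The sender domains are placeholders: the article does
# not give the real addresses used by the researchers or by apps-noreply.
PRE_PATCH = (
    "From: Twitter <welcome@bankofanycountry.com>\r\n"
    "Subject: Welcome to Twitter\r\n\r\nPlease sign in here.\r\n"
)
POST_PATCH = (
    "From: Twitter <apps-noreply@example.test>\r\n"
    "Subject: Welcome to Twitter\r\n\r\nPlease sign in here.\r\n"
)
LEGITIMATE = (
    "From: Twitter <info@twitter.com>\r\n"
    "Subject: Welcome to Twitter\r\n\r\nThanks for joining.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("pre-patch", PRE_PATCH), ("post-patch", POST_PATCH), ("legitimate", LEGITIMATE)):
        print(label, sender_domain(raw), brand_mismatch(raw))
```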