...
...
Next Story

New Gmail scam alert: It’s hard to spot and Google is rushing to fix it

Hackers have devised a sophisticated method of scamming users, using official emails to fool you. Here's the full story.

Published on: Apr 21, 2025 10:50 AM IST

Time and again, people have fallen victim to phishing scams via email. These scams use sophisticated methods to target individuals by sending convincing emails that often lead people to reveal their personal information. One way to identify these phishing attempts is through the source the email originated from. For example, if it’s an email from Google, it usually comes from noreply@google.com. But what if we told you there is a new, highly sophisticated phishing scam doing the rounds? One that can even bypass this?

Google has confirmed that the company is working on a fix for this vulnerability. (Unsplash)
Google has confirmed that the company is working on a fix for this vulnerability. (Unsplash)

Shaurya Sharma is the Technology Editor at Hindustan Times Digital Streams, where he oversees technology coverage across digital and social platforms. With over eight years of experience across editorial, video production, and digital media, his work focuses on smartphones, AI, consumer gadgets, and shaping audience-first content strategies for modern tech consumers.

He began his career in 2018 as a fashion cinematographer before turning his lifelong passion for technology into a profession. From spending his childhood immersed in tech magazines, video games, and the latest gadgets to covering the global consumer tech industry today, technology has remained a constant throughout his journey.

Over the years, Shaurya has worked with some of India’s leading media organisations, including CNN-News18, Sportskeeda, and Guiding Tech, where he led video initiatives that combined strong editorial storytelling with engaging visual and social-first execution.

A graduate in Journalism and Mass Communication from Manipal University, Shaurya has reviewed hundreds of products across categories including smartphones, laptops, gaming consoles, cameras, and wearables. Beyond work, he is passionate about animal welfare, environmental causes, and automobiles, particularly turbo-petrol cars

Read moreRead less

This scam came into the spotlight after a software developer, Nick Johnson, was targeted by an “extremely sophisticated phishing attack,” as he describes it. In this case, the email came directly from Google or so it seemed. Even security tools gave it a green signal, confirming that the email was indeed from a legitimate Google source.

Also Read: Nothing Phone 3 tipped to launch on July 25: Here’s what to expect from the upcoming device

Details

Naturally, you might be wondering, how could hackers get access to Google’s security account, so that they could send emails?

Johnson explains that the hacker used advanced tricks. When he clicked on the link, it led him to a sign-in page, but the difference was that the website URL showed sites.google.com instead of accounts.google.com.

This was possible because the attackers were using a “legacy Google product”, before the company took security as seriously as it does today, Johnson said.

By using this old product, the hackers were able to host content on a subdomain of google, which supports arbitrary scripts and embeds. Using this method, they could simply create a Google account with a fake domain intended to scam users.

Also Read: ₹78,999">HP OmniBook AI PCs now available for pre-order in India, price starts at 78,999

Google is working on fixing this security loophole

Google has since confirmed that it is working on a fix. Initially, Johnson said that Google did not acknowledge it. However, he was able to convince them to reconsider and address the OAuth issue.

Now, as reported by Newsweek, Google has officially confirmed it is indeed working on a fix. “We're aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns,” the Google spokesperson, as quoted by Newsweek, said.

Mobile finder: iPhone 16 LATEST price, specs and all details

 
SHARE THIS ARTICLE ON