oefrha 2 days ago

This is a very confusing read. It gives the impression that the attacker managed to manipulate the email body to insert their phishing link, by talking at length about how the sites.google.com link is suspicious (of course it is, no doubt about that). But at the same time, they don’t say or show evidence that the body was manipulated; in fact quite the opposite.

My understanding is that the DKIM signature contains a bh= field with a hash of the email body. While you can technically also include an optional l= field to limit the body length for hashing, so that an attacker can append to the body, which is a pretty big security hole, it's probably never used by Google for such short emails (I checked some of my own emails from no-reply@accounts.google.com and they certainly don't have l=). Therefore, to pass DKIM and DMARC, the body had to be intact, so the "phishing link" was actually from Google, just intended for a different recipient.

If my analysis is correct then TFA really is a lot of words to say a scary email was forwarded to wrong people to scare them. Scary of course, but much less scary than the “DKIM replay attack” title implies to technical people who are not deep into this subject.

Edit: Oh, I thought "The Takeaway?" was the end of TFA since it had a CTA for their product. Apparently there's an update below explaining the link was actually part of a Google OAuth app name which was then inserted into Google's email template. Terrible writing and structuring of the article, burying arguably the most important part of the attack that made it somewhat convincing, and misleading readers to believe the attack can be used to send arbitrary content.

Edit 2: Other commenters pointed out that the screenshot of the email is conveniently cut off so the fixed part of the Google email template isn't shown. The attack is probably even more clumsy than it seems from the quite deceptive crop.
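
As an added illustration of the bh= / l= point in the comment above (this is example code written for this edit, not code from the commenter, the article, or Google): it implements RFC 6376 "relaxed" body canonicalization and the bh= computation, then shows that appending a phishing paragraph to a signed body breaks bh= verification unless the signer set an l= tag. The message body, the attacker's suffix and the DKIM-Signature header are constructed samples; the domain and selector are placeholders, and the public-key check of b= is deliberately left out, so only the body-hash step is shown.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed sample body and attacker suffix (not taken from the article).
ORIGINAL_BODY = b"A new OAuth application was created.\r\nApp name: Example App\r\n"
ATTACKER_SUFFIX = b"\r\nVerify your account at https://example.invalid/verify\r\n"


def canonicalize_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of
    WSP to one space, drop trailing WSP per line, use CRLF line endings and
    drop empty lines at the end of the body."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, limit: Optional[int] = None) -> str:
    """The bh= value: base64(SHA-256) over the canonical body, truncated to
    'limit' octets when the signature carries an l= tag."""
    canon = canonicalize_relaxed(body)
    if limit is not None:
        canon = canon[:limit]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2).
    Folding whitespace inside values (common in b= and bh=) is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body(body: bytes, tags: Dict[str, str]) -> bool:
    """Only the bh= step of verification, honouring l= if present.
    Verifying b= against the signer's public key is out of scope here."""
    canon_parts = tags.get("c", "simple/simple").split("/")
    body_canon = canon_parts[1] if len(canon_parts) > 1 else "simple"
    if body_canon != "relaxed":
        raise NotImplementedError("only relaxed body canonicalization is shown")
    limit = int(tags["l"]) if "l" in tags else None
    return hmac.compare_digest(body_hash(body, limit), tags["bh"])


def build_signature_header(body: bytes, with_length_tag: bool) -> str:
    """Constructed DKIM-Signature value (placeholder d=/s=, b= omitted)."""
    canon_len = len(canonicalize_relaxed(body))
    limit = canon_len if with_length_tag else None
    tags = ["v=1", "a=rsa-sha256", "c=relaxed/relaxed", "d=example.invalid",
            "s=sel", "h=from:to:subject:date"]
    if with_length_tag:
        tags.append(f"l={canon_len}")  # the footgun: hash only the first canon_len octets
    tags.append(f"bh={body_hash(body, limit)}")
    return "; ".join(tags) + ";"


def replay_scenarios() -> Dict[str, bool]:
    """Does an appended phishing paragraph survive the bh= check?"""
    tampered = ORIGINAL_BODY + ATTACKER_SUFFIX
    no_l = parse_dkim_tags(build_signature_header(ORIGINAL_BODY, with_length_tag=False))
    with_l = parse_dkim_tags(build_signature_header(ORIGINAL_BODY, with_length_tag=True))
    return {
        "intact_without_l": verify_body(ORIGINAL_BODY, no_l),   # True
        "appended_without_l": verify_body(tampered, no_l),      # False
        "appended_with_l": verify_body(tampered, with_l),       # True
    }


if __name__ == "__main__":
    for name, ok in replay_scenarios().items():
        print(f"{name}: {'bh= matches' if ok else 'bh= MISMATCH'}")
```

To repeat the commenter's own check on a real message, paste the DKIM-Signature header value into parse_dkim_tags and look for an "l" key; its absence means the whole canonical body is covered by bh=, so a verifier that accepts the signature is also asserting the body was not appended to. The example says nothing about who signed the message: a replayed or forwarded message with intact headers and body still carries a valid b=, which is exactly why bh= alone cannot distinguish a replay from the original delivery.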

monospacegames 2 days ago | parent | next

I agree, the article is intentionally deceptive. It's written to make people think the part of the mail shown in the image is the whole email when in reality it's definitely followed by some text that would raise suspicion in any person.

dylnuge a day ago | parent | next

And from what they do show, it doesn't look like the sites.google.com link was actually clickable, which will reduce the success rate of the attack substantially. I'm not sure if it's not clickable because the OAuth App Title field that the phishing contents is put in won't produce clickable URLs, because the email itself has been flagged by Gmail as suspicious and disabled links, or possibly both.

From what we do see we can also clearly see the "forwarded message" details are present at the top of the email. Then the author writes that the email has "no typos" while ignoring that it has very suspicious formatting. It's still likely people will fall for it, but the article author clearly is being deceptive about how sophisticated this attack actually appears.

notepad0x90 a day ago | parent | prev | next

Most people, even those looking out for something suspicious will let their guard down once they are convinced it is from a trusted and known source.

atoav a day ago | parent | prev

> some text that would raise suspicion in any person

As someone who worked in IT support, I have to say this sentence is doing a lot of heavy lifting. I have seen people click on shadier things that looked much less credible. In fact, I have seen the same people do it multiple times, even after it has been explained to them multiple times and they have experienced consequences in the form of locked accounts and the like.

Real world users can be magnitudes dumber than you think they would be, even if they otherwise simulate the appearance of functional adults.

I have seen people who have a problem click away error dialogues with the explanation of the problem without reading the text. When asked what they clicked and why, they couldn't tell you if their life depended on it.

monospacegames a day ago | parent

Yes, but my point is that the article is constructed in a way that deliberately obfuscates that there is unrelated text following the phishing message (quoting my initial comment: the full email is definitely in the format "scary text here" "actual google message", so something like "Give us all your money or die has been created as a google app").

This led to the initial response here being quite frantic (some people even claiming that DKIM is now pointless) because presumably not everyone read the article to its very end where the actual explanation is, and then went back to the first image to realize that the author has been intentionally misleading to sell their cybersecurity services.

bootsmann 2 days ago | parent | prev

Yeah from what I understand the DKIM is checking out because they are literally forwarding an actual email they got from Google. The real attack vector is being able to coerce Google to send you an email whose text you control.