ENS founder reports phishing scam that fools users with fake subpoena

Grafa, 2025/04/17 11:31
By: Isaac Francis

A recent warning from the founder and lead developer of Ethereum Name Service (ENS) has brought attention to a phishing attack that uses Google’s infrastructure to deceive users into providing their login credentials.

According to Nick Johnson, the attack is particularly effective because it sends a fake alert that appears to be from Google, informing recipients that their data is being shared with law enforcement due to a subpoena.

“It passes the DKIM signature check, and GMail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts,” Johnson explained.

The phishing email is sent from what appears to be a Google no-reply domain, which increases its credibility in the eyes of recipients.

Users are prompted to click a link to view case materials or protest the action, which leads to a support page built using Google Sites.

This page is hosted on a Google subdomain, making it look authentic.

“From there, presumably, they harvest your login credentials and use them to compromise your account; I haven’t gone further to check,” Johnson noted.

Despite the convincing appearance, Johnson pointed out certain signs that reveal the scam, such as the email being forwarded from a private address.

Software firm EasyDMARC detailed how the attack leverages Google Sites and the Google OAuth app, allowing attackers to customise the app name and use a domain that mimics Google’s official addresses.

The phishing message successfully passes DKIM signature validation, which means Gmail treats it as a legitimate email and places it in the same thread as genuine security alerts.
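The two observations above, a valid DKIM signature and delivery by way of a private address, can be checked together during header triage. The following is an added example, not code from Johnson, EasyDMARC or Google; the sample message, its addresses, the `private-mail.example` relay and the finding names are constructed, and comparing only the last two domain labels is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not the real campaign message; every address and
# the private-mail.example relay are placeholders.
SAMPLE = """\
Delivered-To: victim@example.org
Return-Path: <relay@private-mail.example>
Authentication-Results: mx.example.org;
 dkim=pass header.i=@accounts.google.com;
 spf=pass smtp.mailfrom=relay@private-mail.example
From: Google <no-reply@accounts.google.com>
To: someone@private-mail.example
Subject: Security alert
Content-Type: text/plain

View case materials: https://sites.google.com/view/placeholder
"""

def org(addr):
    # Crude organisational domain: last two labels (real code needs the PSL).
    dom = parseaddr(addr)[1].rpartition("@")[2].lower()
    return ".".join(dom.split(".")[-2:])

def triage(raw):
    """Return findings for a message whose From claims to be Google."""
    msg = message_from_string(raw)
    findings = []
    # Only trust an Authentication-Results header added by your own MTA.
    auth = msg.get("Authentication-Results", "")
    sender, envelope = org(msg.get("From", "")), org(msg.get("Return-Path", ""))
    # A DKIM pass covers the signed content, not the path it took: a valid
    # signature with a foreign envelope sender means it was relayed.
    if re.search(r"\bdkim=pass\b", auth) and envelope and envelope != sender:
        findings.append("dkim-pass-but-relayed")
    # Forwarded mail keeps the original To, which is not the real recipient.
    if parseaddr(msg.get("To", ""))[1].lower() != \
            parseaddr(msg.get("Delivered-To", ""))[1].lower():
        findings.append("to-not-recipient")
    # Google Sites pages are user-created content on a Google hostname.
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s]+)", msg.get_payload())}
    if sender == "google.com" and "sites.google.com" in hosts:
        findings.append("link-to-google-sites")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Each finding is a triage signal rather than a verdict: mailing lists and BCC delivery also produce a `To` that differs from the recipient.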

“We’re aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse,” a Google spokesperson said.

The spokesperson added that Google is shutting down the mechanism that allowed attackers to insert arbitrary text, which will prevent this method from working in the future.

In the meantime, Google advises users to enable two-factor authentication and passkeys for stronger protection against phishing.

The company emphasised it will never ask for private account credentials, including passwords or one-time codes, and will not call users for such information.
