Google Apps for Work working for phishers?

Phishers may take advantage of a security flaw in Google Apps for Work that a hacker recently discovered: it could allow anyone to send emails that appear to come from a legitimate company’s domain name.

Here’s how it works … 

According to Hacker News, a hacker can sign up for Google Apps for Work using any domain that hasn’t already been registered with the service, and thereby claim an address such as admin@xyzcorp.com (provided xyzcorp hasn’t already registered).

The hacker wouldn’t be able to send or receive emails from this address; all it gives them is access to a page that sends sign-in instructions to other users.

In that case, all phishers would have to do is use that page to send users a message containing phishing bait, such as a fake sign-in page. Users who read the “FROM” line of the email carefully would see it’s from an admin at a trusted domain and may be willing to respond with their credentials.
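The message in this trick is really sent by Google’s infrastructure, so the domain that authenticates it (via DKIM or SPF) does not match the trusted domain shown in the FROM line. The following is an added example, not code from the original article or from Google, that checks that alignment on a receiving mail server; the Authentication-Results header follows the RFC 8601 format, and the two messages, the addresses and the host names are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the From line claims a trusted domain, but the receiving
# server's Authentication-Results header (RFC 8601 format) shows the message
# was DKIM-signed by google.com and SPF-authorized for a google.com sender.
SPOOFED_FROM = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=google.com;
 spf=pass smtp.mailfrom=noreply-apps@google.com
From: XYZ Corp Admin <admin@xyzcorp.com>
To: victim@example.net
Subject: Sign-in instructions
"""

# Constructed control message: same From line, but authenticated by xyzcorp.com.
GENUINE_FROM = SPOOFED_FROM.replace("header.d=google.com", "header.d=xyzcorp.com")

def _domain(addr):
    """Lower-cased domain part of an address like 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def auth_domains(auth_results):
    """Domains that actually passed DKIM (header.d=) and SPF (smtp.mailfrom=)."""
    text = " ".join(auth_results.split())  # undo header folding
    dkim = re.findall(r"dkim=pass[^;]*?header\.d=([\w.-]+)", text)
    spf = re.findall(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", text)
    return {d.lower() for d in dkim}, {d.lower() for d in spf}

def aligned(from_domain, auth_domain):
    """DMARC-style relaxed alignment, approximated as a parent/subdomain match."""
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))

def check_from_alignment(raw_message):
    """Return the From domain, the authenticated domains, and whether any aligns."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = _domain(str(msg["From"]))
    dkim, spf = auth_domains(str(msg.get("Authentication-Results", "")))
    ok = any(aligned(from_dom, d) for d in dkim | spf)
    # A trusted From domain with no aligned authentication is the pattern to flag.
    return {"from_domain": from_dom, "dkim": sorted(dkim),
            "spf": sorted(spf), "aligned": ok}
```

A message that fails this check is not necessarily malicious (some legitimate third-party senders are unaligned too), but a trusted From domain with no aligned DKIM or SPF result is exactly what this abuse looks like on the wire and is worth quarantining or flagging.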

Partial fix in place

Google’s fix so far has just been to change the FROM address from admin@xyzcorp to a no-reply email address from Google.

But this is a good reminder that as long as there’s money to be made phishing – and boy, is there ever – hackers will find a way to impersonate and replicate legitimate email senders.

The age-old steps are the only ways to make sure users are safe:

  1. Warn them not to give away any sensitive information over email
  2. Advise them to make sure the person they’re sending information to is actually who they claim to be, and
  3. Tell them not to click on any attachments they haven’t specifically requested.