Tech expert warns of ‘extremely sophisticated’ new Gmail scam claiming to be from 'law enforcement'

It’s a digital wolf in sheep’s clothing.

Phishing messages are becoming harder to spot as they mimic legitimate communication more closely. Some experts are now warning about an extremely “sophisticated” scheme that impersonates Google in order to steal user accounts through fraudulent Gmail messages.

Nick Johnson, the lead developer of Ethereum Name Service (ENS), brought this digital Trojan Horse to light in a series of X posts.

One individual shared their experience of being targeted by this highly deceptive phishing attack. They emphasized the deceptiveness of the scheme, pointing out that it takes advantage of a vulnerability within Google’s system. Despite being aware of this issue, Google has yet to address it, making it a growing concern.

In this case, the phishing scam was disguised as an official request by law enforcement.

The fraudulent message claimed to be notifying the recipient of a subpoena sent to Google LLC by law enforcement. It requested the recipient to review the case details or raise objections through a provided link to Google Support Case. This type of manipulation aims to deceive users into unknowingly giving away their account information.

Upon clicking on “upload additional documents” or “view case,” the user is taken to a sign-in page to input their credentials, whereupon bad actors will presumably use them to commandeer their account.

“I haven’t gone further to check,” Johnson noted.

The correspondence was particularly insidious as it linked to a very convincing ‘support portal’ page.

The cyberspoofers also used Google Sites — a free web-based platform for creating websites without needing coding skills — “because they know people will see the domain is and assume it’s legit,” said Johnson.

To make things more confusing, the email originated from an official no-reply address on Google’s domain and was filed “in the same conversation as other, legitimate security alerts,” the tech whiz warned.

How did the hackers manage to fly under the radar? Johnson pointed to “two vulnerabilities in Google’s [infrastructure] that they have declined to fix.”

He wrote that the legacy sites.google.com product dates back to “before Google got serious about security,” and allows anyone to host content on a google.com subdomain, including nefarious embeds and scripts such as the above.

“Obviously, this makes building a credential harvesting site trivial; they simply have to be prepared to upload new versions as old ones get taken down by Google’s abuse team,” Johnson said.

Fortunately, there are a few ways to suss out this masquerade.

For one, while the header is signed by accounts.google.com, it is sent via privateemail.com and sent to the address “me@blah,” the cybersecurity maven wrote.

Also suspect, per Johnson, is that there is “a lot of whitespace” below the phishing message, “followed by ‘Google Legal Support was granted access to your Google Account’ and the odd me@… email address again.”
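
The header tells Johnson describes can be checked mechanically when triaging a reported message. The sketch below is an added example, not code from Johnson or Google; it assumes Gmail's "signed by" corresponds to the DKIM `d=` tag and "sent via" to the Return-Path domain, and the sample headers and the `victim@example.com` mailbox are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample headers, not the real message. Only accounts.google.com,
# privateemail.com and the "me@blah" style recipient come from the article.
SAMPLE = """\
Return-Path: <bounce@privateemail.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
 s=example; h=from:to:subject; bh=AAAA; b=BBBB
From: Google <no-reply@accounts.google.com>
To: me@blah.example
Subject: Security alert

(body omitted)
"""

def org_domain(domain):
    # Assumption for this example: last two labels approximate the
    # organizational domain. Production code should use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_domains(msg):
    """Return the d= domain of every DKIM-Signature header (not verified here)."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)d=([^;]+)", re.sub(r"\s+", "", sig))
        if m:
            found.append(m.group(1).lower())
    return found

def triage(raw, mailbox_owner):
    """Flag the two header tells; these are triage signals, not a verdict."""
    msg = message_from_string(raw)
    findings = []
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    for d in dkim_domains(msg):
        if rp_domain and org_domain(d) != org_domain(rp_domain):
            findings.append(f"signed by {d} but sent via {rp_domain}")
    rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = {addr.lower() for _, addr in getaddresses(rcpts)}
    if mailbox_owner.lower() not in addrs:
        findings.append(f"not addressed to {mailbox_owner}: {sorted(addrs)}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, "victim@example.com"):
        print(finding)
```

Legitimate bulk mail and Bcc'd messages can trip either check, so treat a hit as a reason to inspect the message rather than as proof of phishing.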

In light of the incident, Johnson is calling on Google to disable scripts and arbitrary embeds in Sites to make Gmail less susceptible to phishing.

The Post has contacted Google for comment.
