A phishing attack involving g.co, Google's URL shortener

372 points by zachlatta 4 months ago

31 comments

hombre_fatal 4 months ago
The biggest scare I've gotten is somehow ending up on "colnbase.com" (instead of "coinbase.com").

It's defunct now, but at the time it was a 1:1 replica of Coinbase. And the only reason I noticed was because 1Password didn't offer to fill in my credentials.

While knowing someone's email/password combo might not be enough for an attacker to do anything malicious on Coinbase itself (due to email re-verification maybe), the point is that even the smartest of us Hacker News users can fall for it. And that should scare the rest of us.
ebilgenius 4 months ago
You can tell it's a scam call immediately because Google has no such thing as "support", let alone an actual "support engineer".
do_not_redeem 4 months ago
As usual this started with an incoming phone call. If you ever receive a phone call from a tech company, it's a scam. The caller ID doesn't matter. The caller's accent (wtf) doesn't matter either. It's a scam.
layman51 4 months ago
This is the same type of phishing attack described here[1]. It's still surprising to me how the SPF, DKIM, and DMARC all pass. If I remember correctly, it's because they actually have a clever way of getting Google to send an email to you by sharing a Google Form with you or something like that.

[1]: https://news.ycombinator.com/item?id=42450221
aramsh 4 months ago
What's even more interesting is there are no DNS records for important.g.co, which means they have found a way to create a Google Workspace without verifying the domain but still able to send emails like password resets.

It's definitely a glitch where you can send emails/transactional emails from an unverified Google Workspace. My guess is that there are protections for google.com and google domains but they forgot to add the g.co domain, which allows unverified sending to g.co and creation of workspaces.
nemothekid 4 months ago
I'm not sure if it's a good thing or not but I've come to consider that _any_ notification about a password being reset or a fraudulent charge is phishing unless I initiate some action.

I always verify that I'm actually fucked and then take action. This seems counter-intuitive but the deluge of phishing emails makes me feel this is the safest option. I'd rather wait to notice a fraudulent charge and dispute it, than leak info to a random SMS number that claims (possibly truthfully) that someone in Japan spent $9000 at the gucci store.
renewiltord 4 months ago
That's not verifying the phone number. I received a call from Chase about a wire. I asked them for a code so I could continue the conversation and then looked up the phone number on their website and called that and talked through reps till I got to the right department.

Caller ID being spoofed is the wrong way to think about this. It's just that if someone walks up to you and says "Hey, I'm Jean d'Eau and I'm President of the US" you don't think to yourself "oh yeah he's definitely President and that's his name".

People can always tell you they're whoever they want to be. You can either believe it or go find out if they are.
pavel_lishin 4 months ago
I know it's easy to second-guess someone after they've explained that they're describing a scam, but:

> _The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised._

He _didn't_ follow the first of those best practices. He just looked up a phone number that the caller also read out to him, _and didn't call it_. And "Solomon" also explicitly told him he _couldn't_ call.

I honestly think that at this point, no incoming phone call can ever be trusted.
rekabis 4 months ago
> I asked if I could call back a phone number listed on Google.com and she said sure - this number is listed on google.com and you can call back with your case number, but there may be a wait on hold and I might get a different agent. I googled it and sure enough, it was listed on google.com pages. I didn't call back though.

This is where a big mistake is. Always, _ALWAYS_ phone or contact back using the company's official channels. Because if they have sufficient info about you, scammers can make a call sound hella legitimate, but one thing they still cannot do is pick up the company's phone for them when you phone in. Especially if you call from a hardline, which requires compromising the phone company's switching equipment.

Even my father, nearly 86 with a 5th grade education and slowly sliding into dementia, knows better than to uncritically accept being directly contacted. He's already short-circuited several scams (of various types) in the last few years by hanging up and phoning back in himself.
gm678 4 months ago
What I'm most curious about is how they were able to spoof the email being sent from `workspace-noreply@google.com`. Given the odd phrasing of 'password for important.g.co', perhaps this is some strategy involving creating a 'parallel' account with the same email and making use of it to send an official-looking email as part of the scam?
blevinstein 4 months ago
Sounds really similar to my experience a few months ago. I commented here about it.

https://www.reddit.com/r/googleworkspace/s/NtJpputXtg

There was something in Google Workspace that allowed the scammers to have an email sent to them, AND an additional and of their choice. But when I asked about calling them back, I was told that wasn't possible, which made me suspicious.
rvnx 4 months ago
It would be better if Google would react more strongly to such attacks.

-> There is a sophisticated one where you can take over an account via the Account Recovery flow, that is still actively abused; tried to report, got "not a bug, triaging as abuse risk".
idlephysicist 4 months ago
Anyone that gets a telephone call from "Google" should be immediately suspicious. I used to work for a company that paid GCP about as much as my annual salary _every_ month, and we still struggled to get GCP on the phone when we needed assistance.
llm_nerd 4 months ago
Totally unrelated, beyond being another Google service, but what's with Google's AppSheet being used for so many phishing emails? How does Google not predict this abuse and prevent it?

Now to be fair they all end up in the spam folder, but these are emails sent from noreply@appsheet.com (SPF passing and originating from a Google IP), albeit with a phishing FROM name like "Meta for Business". I have hundreds of these in my spam folder, telling me that my Meta campaigns (I don't have any Meta campaigns and don't interact with that business at all) have been suspended, etc, clearly hoping to take over someone's Meta business account.

Like when Google's Calendar invites were massively used for spam, I just don't understand how that company rolls out services and doesn't foresee the malusage.
kilroy123 4 months ago
Extremely scary. This is way above and beyond most phishing attacks. Obviously, this guy is being targeted for some reason or another. I worry about such attacks being automated at scale with AI tools.
berkes 4 months ago
I have been using a catchall mailbox with hostname type names for over a decade now¹

So, com.example.shop@example.org for https://shop.example.com account(s). I've recently switched to a randomized username part, as bitwarden supports this well.

This has saved me numerous times from scams². Because scammers would email me on the wrong address. Either they'd mail me on an address listed on my website, when the actual company would've mailed on the unique address I gave them (more targeted phishing). Or they'll mail me on an address that I know to be leaked (these are redirected to spam in filters).

I am convinced there's an actual solution to a lot of scamming here, if the UX and UI are carefully designed. To be used by "muggles", not just the crowd that knows things like filters and catch-alls and plus-appended etc. It's a pity Google, Microsoft or even proton aren't actively promoting such a "unique mail for every service". But I guess there's little in it for them.

¹ used to self host, but now that's near impossible with the monopolies on mailservers at big tech and moved to mailbox.org. big shoutout!

² aside from the other great benefit. I'm often one of the first to know some service or site was compromised by receiving scam, spam etc. A few times I was even the one to report a breach to such an org via this.
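The per-service alias idea in the comment above, combined with the point made elsewhere in the thread that a passing SPF/DKIM result only proves which domain sent a message, can be turned into a simple inbound-mail check. This is an added example, not code from the post or from any mail provider; the alias registry, the mailbox domain example.org and the sample messages are constructed for illustration.

```python
"""Defender-side triage of an inbound message using two signals from the thread:
(1) a message about service X should arrive on the unique alias that was given only to X;
(2) a DKIM pass is only meaningful if the signing domain (d=) aligns with the visible From domain.
The alias registry and the sample messages below are constructed, not real."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical registry: service domain -> the unique catch-all alias handed to that service.
ALIASES = {
    "shop.example.com": "com.example.shop@example.org",
    "google.com": "com.google@example.org",
}

def dkim_domain(msg):
    """Return the d= domain from a passing DKIM result in Authentication-Results, or None."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", hdr)
        if m:
            return m.group(1).lower()
    return None

def assess(raw):
    """Return a list of findings; an empty list means both checks passed."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    findings = []
    d = dkim_domain(msg)
    if d is None:
        findings.append("no passing DKIM signature")
    elif d != from_domain and not from_domain.endswith("." + d):  # relaxed alignment, as DMARC does
        findings.append(f"DKIM domain {d} does not align with From domain {from_domain}")
    expected = ALIASES.get(from_domain)
    if expected is None:
        findings.append(f"no alias registered for {from_domain}")
    elif to_addr != expected:
        findings.append(f"sent to {to_addr}, but {from_domain} was given {expected}")
    return findings

# Constructed sample messages: one legitimate, one arriving on a public address instead of the alias.
LEGIT = """From: Example Shop <orders@shop.example.com>
To: com.example.shop@example.org
Authentication-Results: mx.example.org; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=shop.example.com
Subject: Your order

Thanks for your order.
"""
SUSPECT = """From: Google Workspace <workspace-noreply@google.com>
To: contact@example.org
Authentication-Results: mx.example.org; dkim=pass header.d=google.com; spf=pass smtp.mailfrom=google.com
Subject: Password reset

Your password was reset.
"""
```

Note that the second message passes the DKIM alignment check, exactly as in the thread; it is the alias mismatch that flags it.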
internetter 4 months ago
To all the people criticizing OP, 5 million people are victims of phishing attacks every year. This attack is more sophisticated than 99.99% of them. Cut OP some slack.
croemer 4 months ago
This is the LinkedIn profile the attacker referred to as his: https://www.linkedin.com/in/solomon-aborbie-jr-6b0a32155/ (Solomon Aborbie Jr) - the CV seems to check out with this Bowdoin video: https://www.youtube.com/watch?v=0n_vHGLDMtM - so likely real and the attackers did "identity theft".

Starting at 1:58 here: https://cloud-3s03ljpcy-hack-club-bot.vercel.app/0call_recording.m4a
adrr 4 months ago
How did they send an email from google.com that passed DKIM and SPF? That's a huge concern.
sethops1 4 months ago
> Someone named "Chloe" called me from 650-203-0000

Nope. Rule #1 in today's environment is never pick up the phone. If you're not expecting the call they can leave a message. And if it's something you think is legitimate, get the authentic number from a reputable source.
throwpoaster 4 months ago
URL shorteners are a massive security hazard.
beshrkayali 4 months ago
> The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.

The best practice I live by is always call them back yourself. Looking up the phone number is not the same.
ElijahLynn 4 months ago
How is call spoofing allowed by telcos? Is it a technical limitation that lets this happen?
philfreo 4 months ago
Can someone explain point #9 in the gist? How'd they know part of the two factor code?
jostmey 4 months ago
Someone tried something very similar on me last month to steal my google account. Honestly, I almost fell for it. The giveaway was how desperate the caller was for me to complete the last step.
gsuuon 4 months ago
I'm confused, is he saying that the other voice on the call is google assistant voice ai? Or the assistant just routed the call through the google number?
arccy 4 months ago
unless thinks they own important.g.co, they've just walked past some glaring red flags, it doesn't even mention their domain in the email.
vednig 4 months ago
This is becoming a growing cause of cyberattacks recently, the domain expiry being used by malicious entities to gain access to systems.
yread 4 months ago
The business/answers page with the number is about calls from Google Assistant and (now?) explicitly says it's not about calls from the support. That would be this page

https://support.google.com/business/answer/6212928?hl=en

Disappointingly, it only says how to identify automated calls from Google, it doesn't offer a protocol for verifying actual humans from Google calling you. Perhaps it happens so rarely you can just assume it's not Google.
throwaway48476 4 months ago
Like with the recent homebrew attack, Google has shown itself to be a malware services company.