hombre_fatal 12 days ago

The biggest scare I've gotten is somehow ending up on "colnbase.com" (instead of "coinbase.com").

It's defunct now, but at the time it was a 1:1 replica of Coinbase. And the only reason I noticed was because 1Password didn't offer to fill in my credentials.

While knowing someone's email/password combo might not be enough for an attacker to do anything malicious on Coinbase itself (due to email re-verification maybe), the point is that even the smartest of us Hacker News users can fall for it. And that should scare the rest of us.

  • gleenn 12 days ago

    So so true. 1Password refusing to auto fill a password has saved me multiple times in the past! Also, one of my friends has a PhD in literally rocket science (aeronautical engineering from MIT) and got scammed by someone who stole his brother's SIM card and did some shenanigans. No one is safe, no matter how smart or tech savvy you think you are! For the less tech savvy folks, I understand why they are scared, it's hard to give them even general tips to not lose the farm to fraudsters.

    • paranoidrobot 12 days ago

      The general advice I give is:

      Don't trust incoming calls, text messages or emails.

      Don't trust caller ID on your phone.

      If someone calls you asking for information or to do something, ask for a case id or reference number. Hang up, call back on a number you get from a previous bill, back of your credit card, or by googling the company.

      If anyone is pushing for something to be done urgently, stop. Hang up, don't take any action. Call a trusted other person and talk to them about it.

      • bennettnate5 11 days ago

        > Don't trust incoming calls, text messages or emails.

        > Don't trust caller ID on your phone.

        And if you're anyone of moderate fame, importance or cryptocurrency holdings, call back using a phone other than the one you received the call from. SS7 attacks remain relatively cheap, and redirecting an outgoing phone call placed to a phone number they know you're likely to call next is within the realm of feasible attacks.

      • snypher 11 days ago

        >by googling the company

        And remember it's going to be the 4th or 5th link down, not the first.

        • btown 11 days ago

          This is one of many reasons why ad blocking isn't just cosmetic: it's a best practice for security too!

          • miki123211 11 days ago

            So much this.

            I recently saved a friend from getting scammed when she wanted to buy an audiobook, we wanted to avoid Audible because of the DRM and limited device selection.

            The first few results she got were some shady services offering really good deals. I looked them up on trustpilot and they weren't outright scams, but they aggressively pushed you into getting an expensive monthly subscription that was basically impossible to cancel.

        • brookst 11 days ago

          Yeah the first will be the scammers with a highly targeted ad buy, and who can even tell the difference between ads and search results these days?

          • jmb99 11 days ago

            All of my search results are search results, because of ad blockers.

            Now, many of my search results suck due to SEO and whatnot, but that’s a different story.

      • ethbr1 11 days ago

        > If anyone is pushing for something to be done urgently, stop. Hang up, don't take any action. Call a trusted other person and talk to them about it.

        This is honestly the #1 piece of advice to give friends and family.

        Almost every scam is predicated on urgency.

      • throwawaymobule 11 days ago

        I have an entirely separate phone and SIM for any service I think is important which demands a phone number. (Prepay, I top it up by €5 every few months. Sadly I can't automate that.)

        I generally refuse to give any number if I can help it. I can count on one hand the number of unsolicited calls/texts I've gotten.

      • jrib 11 days ago

        I really wish phones would change the UI to make it more obvious that caller ID shouldn't be trusted.

    • hn_acc1 12 days ago

      I know that "rocket scientist" has been a stand-in for "smart person" or "genius", but in this case, I would be more surprised if a computer security expert (various job titles) had been scammed, because it's their job to be up on this stuff.

      How often does a rocket scientist deal with computer viruses, or phishing emails, etc. compared to a security expert? Most of the time, their IT security expert (ideally) stops it before it gets to them.

      • gleenn 12 days ago

        I may be more qualified then, I work in fraud. I accidentally called a fake airline number to get a refund for a Delta ticket and happily gave the guy my credit card for some such fee. If requiring a credit card fee to get a refund isn't a red flag, I don't know a better one. To be fair, my sister had found the number and three way joined me in because I was helping her buy the ticket. So an extra rule: don't even trust a phone number someone you know found because /they/ might have been the first victim and passing compromised information to you.

      • throwawaymobule 11 days ago

        Rocket science is surprisingly straightforward, it's rocket engineering that's the tricky one.

        • patmorgan23 11 days ago

          Yeah projectile motion is high school physics.

          Engineering the thing to not rip itself apart, melt, or explode is the hard part.

    • jorvi 11 days ago

      > Also, one of my friends has a PhD in literally rocket science (aeronautical engineering from MIT)

      One of my friends is a nuclear physicist from TU Delft and they somehow managed to install a fake clone of Chrome haha. Somehow never got their accounts broken into or money stolen.

    • noname120 11 days ago

      Physical SIM cards should _always_ have a strong PIN set. It baffles me how many people either don't have a PIN or it's just set to 0000. You're basically handing over your whole digital life away to anyone who gets their hand on your SIM card.

      • e40 11 days ago

        I didn’t even know that existed until now.

    • tonyedgecombe 11 days ago

      Smart people often have blind spots. The confidence you get from knowing one subject really well can leave you vulnerable in other areas.

      This is one of the reasons scammers like to target doctors.

  • ziml77 11 days ago

    I nearly lost an account because I assumed that 1Password was just being dumb not offering to auto-fill credentials. Turns out I'm the dumb one for doubting it.

    Now if 1Password shows nothing to auto-fill I make damn sure I'm on the right site.

  • Aachen 11 days ago

    > the only reason I noticed was because 1Password didn't offer to fill in my credentials.

    Nice, I always hope this will save me but I never landed on such a phishing site. How did it happen for you?

    About domain-based autofills, perhaps less so now than 5-10 years ago: it always seemed weird that the whole security industry seemed to say these plugins, or the browser's built-in password store, are dangerous because there were past vulnerabilities and any website you visit can exploit it. The way I see it: vulns get fixed, I just need to not be in the 1st wave of persons they target (risk type: plane crash, very small odds but sucks to be you); receiving phishing emails or messages happens constantly and apparently it works well enough to continue doing it and evading filters constantly (risk type: car crash, can happen and they get only the creds for the website being autofilled). Would recommend to anyone who then realises something is up when the autofill doesn't work, but ideally would have more evidence to back that up

    • hombre_fatal 11 days ago

      I don't remember how I ended up there but I'm sure it was a fake email.

      Just copy one of Coinbase's legit emails for something like "A withdrawal of $1,200 USD has been started" and you have the perfect bait.

  • megablast 12 days ago

    > that even the smartest of us Hacker News users

    Well, ok then.

  • eviks 11 days ago

    > 1Password didn't offer to fill in my credentials.

    > the point is that even the smartest of us Hacker News users can fall for it.

    But you didn't fall for it, a simple password manager technique worked as advertised?

  • maccard 11 days ago

    One of the worst parts of using a password manager is that apps and websites don't by default share their credentials. I could totally see me getting caught by a shady link to a website of an app that I use, but because I've never logged into the website, 1Password makes me search for it.

  • davchana 11 days ago

    My friend was not as smart as you, and religiously typed his password on a fake Amazon website link clicked from an SMS promising a refund on a recent purchase. Stopped only when it asked for a 2FA code because there was no 2FA set up.

  • perryh2 11 days ago

    mvspace.com was a really good phishing site back in the day when MySpace was an actual thing.

  • inetknght 11 days ago

    > The biggest scare I've gotten is somehow ending up on "colnbase.com" (instead of "coinbase.com").

    You might want to install some browser extensions to block content. Then block all content (set to whitelist) and selectively add the sites you know.

    If you end up on a new site with some amalgamation of letters that look familiar, the extension will rightfully block it and prompt you whether you want to whitelist or not. Big ole' red flag right there.

    Of course it's not foolproof. It is just another layer in the strategy of defense-in-depth.

    • eviks 11 days ago

      This is such a waste of time to do this for every single site! Especially when it's easier to rely on the password manager in cases like this

      • inetknght 7 days ago

        > This is such a waste of time to do this for every single site!

        That's your opinion. But it works for me and doesn't take much time at all to wield.

        > Especially when it's easier to rely on the password manager in cases like this

        Passwords aren't the only thing this helps guard. Password manager won't prevent the site from loading in the first place. So if that site delivers malware then your password manager won't help you.

        • eviks 7 days ago

          That's your opinion that it works for you, but more importantly, that it would work for others instead of teaching them to automatically click "yes" after clicking a link to a site they want to visit after having to do this hundreds of times for all those hundreds of sites they had to visit before, so a supposedly big red flag could be nothing more than one of those brown cookie gdpr annoyances

      • omoikane 11 days ago

        What I do is a greater waste of time -- I have a separate browser profile for each individual site that I might log into, and javascript is only whitelisted for that one site in that profile. It's a real pain because whenever my browser adds a new config option, I have to update the settings in each of the ~20 profiles.

        It has saved me a few times where some rogue javascript tries to redirect me to some unexpected site, and the destination site simply doesn't load.

        • devsda 11 days ago

          I think there's a Firefox extension for this use case.

          Combining that with Multi-Account Containers should make it easier to manage?

        • account42 9 days ago

          Sounds like uMatrix (RIP) with extra steps.

        • LordGrignard 11 days ago

          Dude, what? How do you have so much free time? My lazy ass just has uBlock Origin with some lists enabled that my even more techbro friend helped me set up, and it automatically stops me from visiting suspicious websites. This feels like way too much work.

          • psd1 11 days ago

            And Firefox is such a pain to automate

            I just want every new machine to have my extension settings, but then it's four hours later and I'm trying to check if some policy file was obsoleted in version 60

            Such a time sink

ebilgenius 11 days ago

You can tell it's a scam call immediately because Google has no such thing as "support", let alone an actual "support engineer"

  • braiamp 11 days ago

    But you don't know that. Nor would I expect most people to know the internal structure of Google.

    • grumple 11 days ago

      I can’t get ahold of google support while paying them hundreds of thousands per year. I’m not convinced they do support.

      • MyFedora 9 days ago

        They do support if you spend enough money with them. At least with GCP. Access to in-house cloud architects level of support, even.

do_not_redeem 12 days ago

As usual this started with an incoming phone call. If you ever receive a phone call from a tech company, it's a scam. The caller ID doesn't matter. The caller's accent (wtf) doesn't matter either. It's a scam.

  • ripped_britches 12 days ago

    Not if you’re an app developer on their platform, they make outbound calls to you. I’m sure there are other situations as well.

    • do_not_redeem 12 days ago

      If the consequences for letting that call go to voicemail are any less severe than full account takeover by a script kiddie, you're still better off never picking up.

      Google in particular is famous for making it impossible to contact a human. If Google calls you, before picking up, consider whether you truly believe you're lucky enough to be one of a handful of people in the world to ever get human support from them.

      • teractiveodular 11 days ago

        I've spoken on the phone with humans in Google support. (You, too, can do this, just pay them enough.) However, they called me after I filed a support case and specifically requested a call, and they started off by mentioning the number of the case I had filed.

        If you ever get a cold call from "Google Support", it's basically guaranteed to be a scam.

        • bookofjoe 11 days ago

          After I got Google Glass in 2013 as one of 8,000 "Explorers" I was given a support telephone number that was always quickly answered by a Google employee knowledgeable about Glass.

          • psd1 10 days ago

            Becoming an SME on a Google product - now that's job security

    • lolinder 12 days ago

      You still always assume an incoming call is a scam no matter what. Hang up, look up, call back, in that order.

      Very occasionally you might be making some poor customer support person's job harder, but the vast majority of the time you'll be hanging up on a scammer. You can be polite about it, but firm and brief. "It's my policy to always call back no matter what, nothing personal."

      • dawnerd 11 days ago

        The problem is verifying which number is correct. In most cases it's pretty easy. Bank? Call the number on a debit card. Google? Good luck even finding their number.

        But I do agree with you. They can leave a message and a way to contact back if its important and I can take my time doing research. The urgency part is what's caught so many high profile people off guard.

    • nodamage 12 days ago

      For what purpose do they make these calls?

  • hbn 12 days ago

    > The caller's accent (wtf)

    You don't have to pretend to be confused.

    The industry of Indian scam call centers is not a crazy conspiracy invented by racists.

    • quesera 12 days ago

      > The industry of Indian scam call centers was not invented by crazy racists.

      Nor was the industry of Indian legitimate call centers.

      You cannot glean any useful signal of legitimacy from the caller's accent.

      That's the WTF.

      • TheRealSteel 12 days ago

        Almost all scam calls originate in India. It's absolutely an indicator.

        • brookst 11 days ago

          Almost all murderers are men, therefore if you see a man he’s probably a murderer.

          It’s not an indicator.

          • encom 11 days ago

            Good morning, sir.

        • do_not_redeem 11 days ago

          Your second sentence doesn't follow from the first, for the same reason as the Bayes medical test paradox.

          • Vampiero 11 days ago

            I don't care if it's a scam or a call center, I hate both.

            • quesera 11 days ago

              Agreed, but irrelevant to the thread at hand.

              The accent of the caller is not a useful signal.

              The very fact that they called you is a pretty good indication that you do not want to talk to them. 99% strength.

      • moi2388 12 days ago

        As if official Indian tech support is not a scam..

        • paulryanrogers 11 days ago

          I've talked to some terribly unqualified Indian support folks. And I talked to some really talented ones who saved me a lot of time and headaches.

        • quesera 12 days ago

          Support quality is a function of cost, which is a function of customer value.

          Low-margin businesses will hire low-cost support on whatever continent it's available.

          • silisili 11 days ago

            So worst case, it's a scam. Best case, it's some useless cut-rate support or sales call. Sounds like this is absolutely an indicator not to bother.

            • quesera 11 days ago

              The best indication not to bother answering is that they called you.

              Doesn't matter how familiar their accent sounds.

              They are not calling for your benefit.

              No need to get xenophobic about it.

          • ruszki 11 days ago

            High-margin businesses too. Useless, powerless customer support is the default. Most of the time, even in person.

            • quesera 11 days ago

              Low-margin businesses always have bad support, and there's nothing you can do about it.

              High-margin businesses usually have passable or good support. If your vendor of choice does not, you have chosen the wrong vendor and should switch. There are other options that do a better job.

    • zb3 12 days ago

      However, now we have AI, so you shouldn't assume the call is safe if the accent matches either...

  • goguy 11 days ago

    I do this for any inbound call, unless the caller id is someone in my contacts it can go to voicemail. If it's important they either leave a voicemail or keep trying, for repeated calls I will answer but with skepticism.

    If they are in my contacts I will recognise their voice.

  • qingcharles 11 days ago

    I regularly get phone calls from Google because I helped a friend with their ad account once. No matter how many times I tell them not to call they eventually find a new number to call me from. They are legit calls. Google just won't take no for an answer.

layman51 12 days ago

This is the same type of phishing attack described here[1]. It's still surprising to me how the SPF, DKIM, and DMARC all pass. If I remember correctly, it's because they actually have a clever way of getting Google to send an email to you by sharing a Google Form with you or something like that.

[1]: https://news.ycombinator.com/item?id=42450221

  • ArkaneMoose 12 days ago

    Based on the text at the bottom of the gist:

    > Hack Clubbers have determined that this is almost definitely a bug in Google Workspace where you can create a new Workspace with any g.co subdomain and get it to send some emails without verifying that you own the domain.

    Seems like this is the flow:

    1. Create a Google Workspace with a g.co subdomain. Apparently this is not verified, or verifying the domain is not necessary for the next steps.

    2. Create an account for the victim under this Google Workspace.

    3. Reset that account's password.

    The victim gets an email from Google Workspace informing them that their password was reset. And this email is a real, legitimate (not spoofed) email from Google because it's just a result of the normal password reset process for a Google Workspace account.

  • ElijahLynn 12 days ago

    We have all this verification on the Web, but not the phone. Why do telcos allow for spoofing? We wouldn't allow that with email. Is this a technical limitation that allows for spoofing?

    • fn-mote 11 days ago

      We have had phone company employees here explaining that their company makes a lot of money from scammers/spammers/etc so they do not have an incentive to stop it.

      How about a law with teeth?

    • drdec 11 days ago

      > We wouldn't allow that with email.

      We allowed email to be the wild west for years and I'm not sure it's better than telephony now

    • philipwhiuk 11 days ago

      SPF is so bad we basically do allow it

  • 0xDEAFBEAD 12 days ago

    Yep. Look at the screenshot. It seems they managed to trigger one of Google's standard password reset emails.

aramsh 12 days ago

What's even more interesting is there are no DNS records for important.g.co, which means they have found a way to create a Google Workspace without verifying the domain but still be able to send emails like password resets.

It's definitely a glitch where you can send emails/transactional emails from an unverified Google Workspace. My guess is that there are protections for google.com and Google domains but they forgot to add the g.co domain, which allows unverified sending to g.co and creation of workspaces.

nemothekid 12 days ago

I'm not sure if it's good thing or not but I've come to consider that any notification about a password being reset or a fraudulent charge is phishing unless I initiate some action.

I always verify that I'm actually fucked and then take action. This seems counter-intuitive but the deluge of phishing emails makes me feel this is the safest option. I'd rather wait to notice a fraudulent charge and dispute it, than leak info to a random SMS number that claims (possibly truthfully) that someone in Japan spent $9000 at the gucci store.

  • ronnier 12 days ago

    Agreed. I do not follow any links, accept calls, etc. I go to the site of origin and do what I need. Also be careful if you search for the site's name on Google, you still might click a fraud site!

renewiltord 12 days ago

That's not verifying the phone number. I received a call from Chase about a wire. I asked them for a code so I could continue the conversation and then looked up the phone number on their website and called that and talked through reps till I got to the right department.

Caller ID being spoofed is the wrong way to think about this. It's just that if someone walks up to you and says "Hey, I'm Jean d'Eau and I'm President of the US" you don't think to yourself "oh yeah he's definitely President and that's his name".

People can always tell you they're whoever they want to be. You can either believe it or go find out if they are.

pavel_lishin 12 days ago

I know it's easy to second-guess someone after they've explained that they're describing a scam, but:

> The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.

He didn't follow the first of those best practices. He just looked up a phone number that the caller also read out to him, and didn't call it. And "Solomon" also explicitly told him he couldn't call.

I honestly think that at this point, no incoming phone call can ever be trusted.

  • lolinder 12 days ago

    I don't even know where the idea that those are the best practices came from.

    The phone number best practice has always been constructed as "call them back at a known good number, preferably one written on paper or on your card". You certainly don't ask them to show you where on the company website the phone number is listed.

    And asking the person on the phone with you to send you an email from a specific domain is likewise not something I've ever seen recommended: that's one of several things you check to see if an email is phishing (And only one of several! A good domain isn't enough to clear an email!) But if you're already on the phone with someone suspicious, the best practice has always been to get off the phone with them immediately and call a known number, not to ask the caller to prove themselves.

    None of this is to blame OP for misunderstanding, it's just very clear that we need to do better at communicating these rules out to the world.

    • superq 12 days ago

      But, if it is listed on the company website, then..

      But you're right: simply say "given that this is a sensitive security matter, thank you for the heads up. Don't call me, I'll call you (click)"

      • bryanrasmussen 12 days ago

        >But, if it is listed on the company website, then..

        I'm sorry I'm going to have to call you, instead of you calling me

        Of course, the company phone number is right in the footer of the website.

        -- goes to open website from last email sent from company, goes to colnbase.com.

      • lolinder 11 days ago

        Yeah, even if it is listed on the website you still hang up and call that number right back. Caller ID spoofing is still not solved.

  • numbsafari 12 days ago

    > no incoming phone call can ever be trusted.

    They can't. And they haven't been for a while. Spoofing phone calls is simply too easy, and nothing is being done to fix that, despite the fact that it puts so many of us at risk. It's not an insurmountable problem, technologically. It is literally a lack of will and outcry from ordinary people, despite how often this fact is used to abuse so many.

    Credit Card companies have known this for a long time. My credit card company will call and say "do not call back to this number, call the number on the back of your card and use this reference number".

    That should absolutely be the norm at this point.

    • BobaFloutist 12 days ago

      Telecoms know if a number is spoofed or not. All I want is for them to wholesale steal the original Twitter "verified" check, and use it to confirm that a call is not spoofed.

      • HeatrayEnjoyer 12 days ago

        The originating provider knows, but do providers downstream know? If AT&T receives a call from $MadagascarPhoneCorp who indicates the call is officially from $IndiaPhoneCorp, can AT&T trust that?

        • BobaFloutist 11 days ago

          >The STIR system aims to add information to the SIP headers that allow the endpoints along the system to positively identify the origin of the data. This does not directly prevent the ability for a robocaller to spoof a caller ID, but it does allow upstream points to decide whether or not to trust that ID

          https://en.wikipedia.org/wiki/STIR/SHAKEN#STIR

          It's not all the way there, I guess.

      • numbsafari 11 days ago

        I don’t need a “verified” tag. No spoofed call should ever get through. Ever. When would I ever want a spoofed caller ID? Never.

      • umanwizard 12 days ago

        My iPhone (on Verizon) already does this.

      • jrib 11 days ago

        They should also display something indicating it is not verified when it is not

  • ksala_ 12 days ago

    I'd argue the second one was not followed either. Maybe I'm misunderstanding the article, but I would not take a random "your password has changed" as proof. I would need the caller to send me an actual email from their personal work email address (or ticket system?) with some actual, human communications in it.

rekabis 12 days ago

> I asked if I could call back a phone number listed on Google.com and she said sure - this number is listed on google.com and you can call back with your case number, but there may be a wait on hold and I might get a different agent. I googled it and sure enough, it was listed on google.com pages. I didn't call back though.

This is where a big mistake is. Always, ALWAYS phone or contact back using the company’s official channels. Because if they have sufficient info about you, scammers can make a call sound hella legitimate, but one thing they still cannot do is pick up the company’s phone for them when you phone in. Especially if you call from a hardline, which requires compromising the phone company’s switching equipment.

Even my father, nearly 86 with a 5th grade education and slowly sliding into dementia, knows better than to uncritically accept being directly contacted. He’s already short-circuited several scams (of various types) in the last few years by hanging up and phoning back in himself.

  • pests 12 days ago

    This used to not be safe though, in the age of landlines.

    I forget the details, but most of the country was wired in a manner that both parties of a call had to hang up to end the connection.

    You might hang up, go find the official phone number, but when you pick the phone off the cradle you would still be in the previous call. They could fake the dial tone and you would be none the wiser.

    I remember pranking friends with this back when I was young. Harmless stuff.

    • quesera 12 days ago

      I think this was in crossbar switches. The initiator of the call had to hang up for something like 8 seconds.

      This was useful if they called you and you answered in the kitchen, but wanted to run to another room to talk. Not that I think it was designed to be a feature! But I used it that way.

      If you didn't trust the caller, you could hang up, wait 10 seconds, then get a good clean real dial tone. Remember dial tones?

      Anyway none of this is relevant in modern switching systems, much less cellular networks.

      • quesera 11 days ago

        > The initiator of the call had to hang up for something like 8 seconds

        Sorry, correcting myself:

        If the initiator of the call hung up, the call would be ended immediately.

        If only the receiver hung up, the call would remain "live" and resumable for about 8 seconds.

      • pests 10 days ago

        Thanks for that bit of history. I seem to remember from previous conversations with people that this was not the standard for all of America. Probably something related to east coast vs west coast.

        • quesera 10 days ago

          > east coast vs west coast

          More likely population density/growth in the region. Most of the US was all Bell System at the time.

          If the area was urban, or growing quickly (adding new phone subscribers), they'd get the newer electronic (ESS) switches first, starting around the early 1970s.

          If the area was suburban and population-stable, the electromechanical crossbar switches would live on for another 20+ years.

          There were some rural parts of the US using even older Strowger/SxS switches until the mid 1980s at least, probably later!

          There's a great story about the development, by a Mr. Strowger, of the first electromechanical telephone exchange switch. Previously, calls were connected manually, by operators. Mr. Strowger was an undertaker, and he believed that the operators were sending callers to his competition unfairly. So he invented an automatic switch to remove the human element.

          • pests 10 days ago

            > There's a great story about the development, by a Mr. Strowger, of the first electromechanical telephone exchange switch. Previously, calls were connected manually, by operators. Mr. Strowger was an undertaker, and he believed that the operators were sending callers to his competition unfairly. So he invented an automatic switch to remove the human element.

            I’ve heard this one before. Wasn’t the wife of one of his competitors actually the operator in question?

  • jrochkind1 12 days ago

    > Especially if you call from a hardline,

    I have no idea where I'd find one of those.

  • insane_dreamer 12 days ago

    > This is where a big mistake is. Always, ALWAYS phone or contact back using the company’s official channels.

    The problem, and the reason why that scam approach works half the time, is that calling back is a huge PITA these days between 1) endless routing menus or some "smart" AI bot that is f*ing useless (seriously, I have never been helped to my satisfaction by one of those), 2) long long long hold times to get to a human, if you ever do, because every single company is always "expecting greater than usual call volumes" -- wtf? call volume distributions are Gaussian, ok? so adjust accordingly.

    • naniwaduni 11 days ago

      Calls are also just inherently more likely to arrive when call volumes are above average. There are more calls then.

  • philipwhiuk 12 days ago

    Yeah.

    In reality the number your phone carrier provides is basically a guess. It in no way guarantees who is calling you.

gm678 12 days ago

What I'm most curious about is how they were able to spoof the email being sent from `workspace-noreply@google.com`. Given the odd phrasing of 'password for important.g.co', perhaps this is some strategy involving creating a 'parallel' account with the same email and making use of it to send an official-looking email as part of the scam?

  • zerocrates 12 days ago

    Most likely they did something like sign up for "important.g.co" in Workspace, then added the target as a user, then reset that user's password, causing Google to send a real, verified, from-Google message.

    They can't control the contents of the message, but they used the gmail "+" feature to cram the "case ID" onto the target email they created the Workspace account for, making that seem real.

    • markerz 12 days ago

      But how did they MITM the verification code? Was the first two presented to the attacker, and the rest was presented to the email? Or were they able to MITM the whole email/code and just shared the first two to gain trust?

      • Spoom 12 days ago

        This sounds like they were using the "tap a button on your device" 2FA method (see https://support.google.com/accounts/answer/7026266). Not sure of the details as to how they got to that page in the first place, though the docs say that you can potentially use it to recover your account.

        Never trust an incoming call, especially if it's talking about authentication problems you didn't know you had.

        Googler, opinions my own (and I'm not an expert in this particular space).

      • renewiltord 12 days ago

        When you use a device to do 2FA, Google will display one code on the logging in device screen and three on the 2FA screen. This is so that the user doesn't just blindly hit accept on the Gmail/YouTube app that hosts the 2FA prompt.

        • valleyer 12 days ago

          A one in three risk of hitting the wrong button still seems insanely high to me. Why is this 2FA method deployed instead of things like "enter the code here"?

          (I know it wouldn't necessarily have stopped this phishing attempt.)

          • dmurray 11 days ago

            It should be much less than one in three, because the user doesn't get conditioned to "just tap one of the numbers and it goes away". The way to consistently dismiss the interruption is to tap the fourth button labelled something like "what, no, that wasn't me".

            • valleyer 11 days ago

              Yeah, good point. But I still think it's too much risk to place on a potential errant click.

              (I have to admit I haven't used the UI in question, and I can't find a screenshot of it on Google Images. Maybe this is a lot safer than I'm imagining.)

              • dmurray 11 days ago

                I had it just today, it's slightly worse than I was remembering! The "Cancel" button is way less prominent.

                Still, remember this is MFA - at least I'm pretty sure you can't have this as the only way to access your account. An attacker typically needs your password plus you to misclick here.

          • renewiltord 12 days ago

            Unclear why. You have to hit a prompt that says "Yes, this was me" and then pick a button. The approach AirPlay takes to pair: type in a 6 digit code. That seems better to me.

blevinstein 12 days ago

Sounds really similar to my experience a few months ago. I commented here about it.

https://www.reddit.com/r/googleworkspace/s/NtJpputXtg

There was something in Google Workspace that allowed the scammers to have an email sent to them, AND an additional one of their choice. But when I asked about calling them back, I was told that wasn't possible, which made me suspicious.

rvnx 12 days ago

It would be better if Google would react more strongly to such attacks.

-> There is a sophisticated one where you can take over an account via the Account Recovery flow, that is still actively abused; tried to report, got "not a bug, triaging as abuse risk"

idlephysicist 11 days ago

Anyone that gets a telephone call from “Google” should be immediately suspicious. I used to work for a company that paid GCP about as much as my annual salary _every_ month, and we still struggled to get GCP on the phone when we needed assistance.

  • ravetcofx 11 days ago

    what's wild is when Google Play Music came to Canada where you could upload your music to the cloud, I was able to get phone support for a bug it had with Linux, and they were very helpful

llm_nerd 11 days ago

Totally unrelated, beyond being another Google service, but what's with Google's AppSheet being used for so many phishing emails? How does Google not predict this abuse and prevent it?

Now to be fair they all end up in the spam folder, but these are emails sent from noreply@appsheet.com (SPF passing and originating from a Google IP), albeit with a phishing FROM name like "Meta for Business". I have hundreds of these in my spam folder, telling me that my Meta campaigns (I don't have any Meta campaigns and don't interact with that business at all) have been suspended, etc, clearly hoping to takeover someone's Meta business account.

Like when Google's Calendar invites were massively used for spam, I just don't understand how that company rolls out services and doesn't foresee the malusage.

kilroy123 11 days ago

Extremely scary. This is way above and beyond most phishing attacks. Obviously, this guy is being targeted for some reason or another. I worry about such attacks being automated at scale with AI tools.

berkes 11 days ago

I have been using a catchall mailbox with hostname type names for over a decade now¹

So, com.example.shop@example.org for https://shop.example.com account(s). I've recently switched to a randomized username part, as bitwarden supports this well.

This has saved me numerous times from scams². Because scammers would email me on the wrong address. Either they'd mail me on an address listed on my website, when the actual company would've mailed on the unique address I gave them (more targeted phishing). Or they'll mail me on an address that I know to be leaked (these are redirected to spam in filters).

I am convinced there's an actual solution to a lot of scamming here, if the UX and UI are carefully designed. To be used by "muggles", not just the crowd that knows things like filters and catch-alls and plus-appended etc. It's a pity Google, Microsoft or even proton aren't actively promoting such a "unique mail for every service". But I guess there's little in it for them.

¹ used to self host, but now that's near impossible with the monopolies on mail servers at big tech and moved to mailbox.org. big shoutout!

² aside from the other great benefit. I'm often one of the first to know some service or site was compromised by receiving scam, spam etc. A few times I was even the one to report a breach to such an org via this.

  • noname120 11 days ago

    Apple has that with their Hide My Email service (included in the iCloud+ subscription at $0.99/month). It nudges you to create a new alias on every form that contains an email field.

    The good part is that the aliases are inconspicuous @icloud.com email addresses that don't follow a specific pattern and are thus:

    1) Accepted everywhere (contrary to custom domains — which I also have).

    2) Are pretty much impossible to detect ahead of time.

    ————

    For illustrative purposes I just clicked several times on the generate new Hide My Email button and it returned those:

      pie.tall9x@icloud.com
      
      drivels_eras4x@icloud.com
      
      showier.sizzle-7y@icloud.com
    
    I have around 160 aliases so far, I'm not sure what the limit is (if there is one).

    • upcoming-sesame 11 days ago

      Congrats, you're now married to Apple forever

      • js2 11 days ago

        These are burner addresses, the vast majority of which I don't care about. If I ever wanted to move away, iCloud conveniently can show me each address, when I created it, and for what site. I could then change my address on the few sites I wanted to retain the account on.

        I actually have a domain I setup with Fastmail just for burner addresses, but Apple offers enough additional functionality (easier to use, tracks the site I created it for and when) that I keep using Apple's offering.

      • tonyedgecombe 11 days ago

        I’m resigned to that now, Apple would have to do something particularly egregious to move me away.

    • tonyedgecombe 11 days ago

      eBay refuses these addresses for new accounts.

      • noname120 10 days ago

        I just tried to create a new account and it worked just fine.
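
The alias scheme berkes describes (reverse-hostname addresses on a catch-all domain, leaked addresses routed to spam, scammers writing to the wrong address) and the random word-pair aliases noname120 shows from Hide My Email both come down to one idea: every service gets its own address, so the address a mail arrives on tells you who should have been sending it. The script below is an added example, not code from any commenter, from mailbox.org or from Apple. It generates both alias styles and triages incoming mail by the alias it arrived on. The word list, the "last two labels" rule for an organisation's domain, the domain example.org and the sample messages are all constructed for the example.

```python
"""Per-service mail aliases and the checks they make possible.

Added example, not code from any commenter, from mailbox.org or from Apple.
Two alias styles: berkes's reverse-hostname form (com.example.shop@example.org)
and random word-pair aliases in the spirit of Hide My Email. Triage rules:
a leaked alias goes to spam; a sender whose domain does not match the service
the alias was issued to is flagged; a service that has its own alias but
writes to your public address is flagged too.
"""
import random
import re
from dataclasses import dataclass, field

# Constructed word list; the real Hide My Email dictionary is not public.
WORDS = ["pie", "tall", "drivel", "era", "showier", "sizzle", "harbor", "quiet",
         "maple", "ledger", "plume", "cobalt"]


def reverse_hostname_alias(service_host: str, my_domain: str) -> str:
    """'shop.example.com' -> 'com.example.shop@example.org'."""
    labels = service_host.lower().strip(".").split(".")
    return ".".join(reversed(labels)) + "@" + my_domain


def random_word_alias(my_domain: str, rng=random.SystemRandom()) -> str:
    """Two words, a separator, a digit and a letter, e.g. 'pie.tall9x@example.org'."""
    w1, w2 = rng.sample(WORDS, 2)
    return (f"{w1}{rng.choice('._-')}{w2}{rng.randrange(10)}"
            f"{rng.choice('abcdefghijklmnopqrstuvwxyz')}@{my_domain}")


def registrable(host: str) -> str:
    """Simplification: the last two labels are the organisation's domain.
    Wrong for suffixes like co.uk; a real filter would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


@dataclass
class AliasRegistry:
    my_domain: str
    public: set = field(default_factory=set)     # addresses printed on your website etc.
    issued: dict = field(default_factory=dict)   # alias -> service host it was given to
    leaked: set = field(default_factory=set)     # aliases seen in breach dumps or spam

    def issue(self, service_host: str, style: str = "hostname", rng=None) -> str:
        if style == "hostname":
            alias = reverse_hostname_alias(service_host, self.my_domain)
        else:
            alias = random_word_alias(self.my_domain, rng or random.SystemRandom())
        self.issued[alias] = service_host.lower()
        return alias

    def aliases_for(self, sender_domain: str) -> set:
        """Aliases issued to the organisation that owns sender_domain."""
        return {a for a, host in self.issued.items()
                if registrable(host) == registrable(sender_domain)}


def triage(reg: AliasRegistry, to_addr: str, from_addr: str):
    """Return (verdict, reason) with verdict in {'spam', 'suspect', 'ok', 'unknown'}."""
    to_addr, from_addr = to_addr.lower(), from_addr.lower()
    sender_domain = from_addr.rsplit("@", 1)[-1]
    if to_addr in reg.leaked:
        return "spam", "alias was marked leaked; nothing legitimate should still use it"
    if to_addr in reg.public:
        if reg.aliases_for(sender_domain):
            return "suspect", f"{sender_domain} has its own alias but wrote to a public address"
        return "unknown", "public address; no alias-based signal"
    service = reg.issued.get(to_addr)
    if service is None:
        return "unknown", "address was never issued; check catch-all logs for guessing"
    if registrable(sender_domain) != registrable(service):
        return "suspect", f"alias issued to {service} but sender is {sender_domain}"
    return "ok", "sender matches the service this alias was issued to"


def demo() -> list:
    """Constructed messages run through triage; returns the verdict for each."""
    reg = AliasRegistry("example.org", public={"hello@example.org"})
    shop = reg.issue("shop.example.com")                       # com.example.shop@example.org
    bank = reg.issue("online.bank.example", style="random", rng=random.Random(7))
    verdicts = [
        triage(reg, shop, "orders@example.com")[0],             # the real shop
        triage(reg, shop, "security@examp1e-support.net")[0],   # phish using a harvested alias
        triage(reg, "hello@example.org", "alerts@bank.example")[0],  # bank writing to public address
        triage(reg, bank, "alerts@bank.example")[0],            # the real bank on its own alias
    ]
    reg.leaked.add(shop)                                        # breach notice: retire the alias
    verdicts.append(triage(reg, shop, "orders@example.com")[0])  # even the real shop now goes to spam
    return verdicts
```

The interesting verdicts are the two "suspect" ones: the shop alias receiving mail from a look-alike support domain, and the bank writing to the public address when it was given a private alias of its own. Those are exactly the two tells berkes describes, and neither requires inspecting the message body.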

internetter 12 days ago

To all the people criticizing OP, 5 million people are victims of phishing attacks every year. This attack is more sophisticated than 99.99% of them. Cut OP some slack.

  • quickthrowman 12 days ago

    > I asked if I could call back a phone number listed on Google.com and she said sure - this number is listed on google.com and you can call back with your case number, but there may be a wait on hold and I might get a different agent. I googled it and sure enough, it was listed on google.com pages. I didn't call back though.

    Emphasis mine.

    Also, if a human called me and claimed to be working for Google, I would laugh heartily and hang up the phone. Google doesn’t even have call in tech support, why would they call you for something as banal as a compromised account?

    • sodality2 12 days ago

      This is about Google Workspace, a higher tier paid account which does include phone support. Equivalent to if someone like your business ISP called you (or someone else who you are a paying customer of, with real phone lines). That being said, it is mentioned that OP doesn't pay for that or Google One.

      • zachlatta 11 days ago

        I am a paying user of Google Workspace, and also run a charity that is a user of Google Workspace with thousands of accounts. The account they were trying to phish was a paid Google Workspace email.

    • internetter 12 days ago

      Again, 5 million people fall for phishing. This attack was magnitudes more sophisticated than most. I still get the occasional Nigerian prince scam. They still send them because it still works. Not all of the people who fall for this are stupid. Surely you’ve made mistakes before.

    • superq 12 days ago

      Admitting one mistake doesn't moot the whole incident, nor does it take Google off the hook.

  • nejsjsjsbsb 12 days ago

    I agree. Easy to Monday morning quarterback opsec but we're human and the best fall for stuff all the time.

    A non tech person wouldn't know Google has bad support and is unlikely to call you, that a number and email can be spoofed, etc. And even if 99% didn't fall for it, just 100 calls gets the scammer a victim on average.

croemer 11 days ago

This is the LinkedIn profile the attacker referred to as his: https://www.linkedin.com/in/solomon-aborbie-jr-6b0a32155/ (Solomon Aborbie Jr) - the CV seems to check out with this Bowdoin video: https://www.youtube.com/watch?v=0n_vHGLDMtM - so likely real and the attackers did "identity theft".

Starting at 1:58 here: https://cloud-3s03ljpcy-hack-club-bot.vercel.app/0call_recor...

  • zachlatta 11 days ago

    I think he just found a random engineer from Google on LinkedIn and is pretending to be him.

adrr 12 days ago

How did they send an email from google.com that passed DKIM and SPF? Thats a huge concern.

  • jorams 12 days ago

    It's specifically a password reset email. A Google Workspace admin can send a password reset to any of their users, and it will pass DKIM and SPF. The trick here is that apparently you can sign up for Workspace with a g.co subdomain and, without verifying the domain, can trigger a password reset to be sent.

    • layman51 12 days ago

      I’m still a bit confused around how they sent him the email. Maybe they added him to the Google Workspace as a member?

      • jorams 12 days ago

        Yeah they did. They added his email as a secondary email to a Google Workspace user account, with the plus-address-suffix including a "Case ID". Then they reset the password of the user account, triggering this notification.
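
The mechanism jorams and zerocrates describe is worth checking mechanically, because the usual "does it pass DKIM and SPF?" test gives the wrong answer here: the mail really is from Google. The script below is an added example, not code from the thread or from Google. It parses a constructed reset notification shaped like the one described (the header values, the recipient victim+CaseID-123456@example.org and the domain example.org are assumptions) and separates the three things a reader tends to blur together: who signed the mail, who chose the "case ID" in the recipient address, and which tenant the mail is actually about.

```python
"""Check a Workspace password-reset notification the way the thread describes.

Added example, not code from the thread or from Google. The raw message is
constructed to mirror the mechanism jorams and zerocrates describe: the
attacker signs up a Workspace tenant, adds the target's address with a "+"
tag carrying a fake case ID as a user's secondary address, and resets that
user's password, so Google sends a genuine, DKIM-signed mail.
"""
import email
import re
from email import policy

# Constructed sample; shaped like a real notification, not a captured one.
RAW_RESET_MAIL = """\
Authentication-Results: mx.example.org;
       dkim=pass header.i=@google.com header.s=20230601;
       spf=pass smtp.mailfrom=workspace-noreply@google.com
From: Google Workspace Team <workspace-noreply@google.com>
To: victim+CaseID-123456@example.org
Subject: Password for important.g.co
Content-Type: text/plain; charset="utf-8"

An administrator has reset the password for a user of important.g.co.
"""

PLUS_TAG = re.compile(r"^([^+@]+)\+([^@]+)@([^@]+)$")


def split_plus_address(addr: str):
    """'victim+CaseID-123456@example.org' -> ('victim@example.org', 'CaseID-123456').

    The tag is part of the recipient address, so whoever typed that address
    into the Workspace admin console chose it; Google only echoes it.
    """
    m = PLUS_TAG.match(addr.strip())
    if not m:
        return addr.strip(), None
    local, tag, domain = m.groups()
    return f"{local}@{domain}", tag


def auth_verdicts(msg) -> dict:
    """Parse dkim/spf/dmarc results and the signing domain from Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    verdicts = dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", header))
    signer = re.search(r"header\.i=@([\w.-]+)", header)
    verdicts["signer"] = signer.group(1) if signer else None
    return verdicts


def assess_reset_mail(raw: str, my_domains: set) -> dict:
    """Is an authenticated reset mail actually about one of the tenants you run?

    my_domains: the Workspace domains you administer. Authentication results
    only prove google.com sent the mail; the tenant named in the subject and
    the tag in the recipient address are what tie it to (or away from) you.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    verdicts = auth_verdicts(msg)
    authenticated = verdicts.get("dkim") == "pass" and verdicts.get("spf") == "pass"
    canonical, tag = split_plus_address(str(msg.get("To", "")))
    subject = str(msg.get("Subject", "")).lower()
    found = re.search(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", subject)
    tenant = found.group(0) if found else None
    mine = {d.lower() for d in my_domains}
    foreign_tenant = tenant is not None and tenant not in mine

    reasons = []
    if authenticated:
        reasons.append(f"signed by {verdicts['signer']}: proves the sender, not that the account is yours")
    if tag is not None:
        reasons.append(f"recipient tag {tag!r} was chosen by whoever added you as a recipient")
    if foreign_tenant:
        reasons.append(f"names tenant {tenant!r}, which you do not administer")

    return {
        "authenticated": authenticated,
        "signer": verdicts["signer"],
        "canonical_recipient": canonical,
        "case_tag": tag,
        "tenant_domain": tenant,
        "suspicious": tag is not None or foreign_tenant,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for line in assess_reset_mail(RAW_RESET_MAIL, {"example.org"})["reasons"]:
        print("-", line)
```

The point of the three separate fields is that "authenticated" comes back True for the phishing mail and stays True; what flags it is the sender-controlled tag and the tenant you have never heard of. A reader of the notification sees only the canonical mailbox in their client, so the tag is easy to miss unless something extracts it.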

sethops1 12 days ago

> Someone named "Chloe" called me from 650-203-0000

Nope. Rule #1 in today's environment is never pick up the phone. If you're not expecting the call they can leave a message. And if it's something you think is legitimate, get the authentic number from a reputable source.

throwpoaster 12 days ago

URL shorteners are a massive security hazard.

  • gruez 12 days ago

    Maybe, but in this particular case the attack has nothing to do with url shortening. The essential elements were google assistant (to spoof caller ID), and google workspace (to send the "case" email).

beshrkayali 11 days ago

> The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.

The best practice I live by is always call them back yourself. Looking up the phone number is not the same.

ElijahLynn 12 days ago

How is call spoofing allowed by telcos? Is it a technical limitation that lets this happen?

  • MathMonkeyMan 11 days ago

    My understanding is that it's a technical limitation. I read somewhere (maybe a post here on Hacker News) that back in the good old days of telephone monopoly, there was nobody to abuse a zero-security feature like "spoof the number" except the phone company itself, and it was useful for large local corporate phone networks.

philfreo 12 days ago

Can someone explain point #9 in the gist? How’d they know part of the two factor code?

  • jsnell 12 days ago

    It's not a two-factor code like you're thinking of. That code is shown on the sign-in / account recovery page, to whoever is making that attempt. Then the same value has to be chosen on the mobile device that's being used to authenticate that sign-in.

    The goal isn't to protect against phishing or social engineering, but against people accidentally approving a sign-in they didn't initiate.

    • joshuamorton 12 days ago

      (specifically, there are "credential stuffing" style sign-in attacks where an attacker logs in "suspiciously" at the same time as a legit log in, possibly after forcing a log-out, hoping you approve both your log in and theirs when you get two, or ten pop-ups)
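
The distinction jsnell and joshuamorton draw (number matching stops accidental approvals, not a live social-engineering relay) is easier to see in a simulation than in prose, and it also answers valleyer's "one in three" worry from renewiltord's description of the prompt further up. The code below is an added example, not Google's code and not a description of its internals; the 0-99 number range, the two decoys and the scenario wording are assumptions. It runs three scenarios against the same server: a legitimate login, a user tapping a number blindly, and the phone-call relay from the post.

```python
"""Number-matching sign-in prompts: what they stop and what they do not.

Added example, not Google's code. Simulates the flow described in the thread:
the sign-in screen shows one number, the enrolled phone is offered three (the
right one plus two decoys) and a "No, it wasn't me" button, and the sign-in
is approved only if the tap matches. Range and decoy count are assumptions.
"""
import random
from dataclasses import dataclass


@dataclass
class SignInAttempt:
    attempt_id: int
    shown_number: int       # displayed to whoever is at the sign-in screen
    prompt_choices: list    # pushed to the enrolled phone
    approved: bool = False


class PromptServer:
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.pending = {}
        self._next_id = 0

    def start_sign_in(self, password_ok: bool) -> SignInAttempt:
        """First factor has passed; issue the number and push the prompt."""
        if not password_ok:
            raise PermissionError("password check failed; no prompt is sent")
        n = self.rng.randrange(100)
        decoys = self.rng.sample([x for x in range(100) if x != n], 2)
        choices = [n, *decoys]
        self.rng.shuffle(choices)
        attempt = SignInAttempt(self._next_id, n, choices)
        self._next_id += 1
        self.pending[attempt.attempt_id] = attempt
        return attempt

    def phone_response(self, attempt_id: int, tapped) -> bool:
        """tapped is one of the offered numbers, or None for 'No, it wasn't me'."""
        attempt = self.pending.pop(attempt_id)
        attempt.approved = tapped is not None and tapped == attempt.shown_number
        return attempt.approved


def legitimate_login(server: PromptServer) -> bool:
    """User signs in, reads the number off their own screen, taps it on the phone."""
    a = server.start_sign_in(password_ok=True)
    return server.phone_response(a.attempt_id, a.shown_number)


def accidental_tap_rate(server: PromptServer, trials: int, rng) -> float:
    """Someone with the password starts sign-ins; the victim, who never started
    one, taps one of the three numbers blindly. The decoys cap this at ~1/3."""
    approved = 0
    for _ in range(trials):
        a = server.start_sign_in(password_ok=True)
        if server.phone_response(a.attempt_id, rng.choice(a.prompt_choices)):
            approved += 1
    return approved / trials


def dismissed(server: PromptServer) -> bool:
    """The reflex dmurray recommends: tap 'No, it wasn't me', never a number."""
    a = server.start_sign_in(password_ok=True)
    return server.phone_response(a.attempt_id, None)


def phone_relay_phish(server: PromptServer) -> bool:
    """The attack in the post: the caller has the password, starts the sign-in,
    sees the number, and reads it to the victim as a 'verification step'.
    The victim taps what they were told; the server cannot tell this apart
    from a legitimate login, so number matching offers no protection here."""
    attacker_view = server.start_sign_in(password_ok=True)
    what_the_caller_says = attacker_view.shown_number   # "please tap NN to confirm"
    return server.phone_response(attacker_view.attempt_id, what_the_caller_says)
```

Two things fall out of running it: blind tapping is approved about a third of the time only if the user taps a number at all (the dismiss button never approves anything), and the relay scenario is approved every time, because the attacker is the one looking at the sign-in screen and the victim is merely repeating what they were told. That is also why the attacker in the post could tell the target part of the code before it arrived.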

  • ekimekim 11 days ago

    What I'm confused by is how they got that far, to the point that 2FA was the only thing in their way. Did they already have this user's password?

jostmey 11 days ago

Someone tried something very similar on me last month to steal my google account. Honestly, I almost fell for it. The giveaway was how desperate the caller was for me to complete the last step

gsuuon 11 days ago

I'm confused, is he saying that the other voice on the call is google assistant voice ai? Or the assistant just routed the call through the google number?

arccy 12 days ago

unless they think they own important.g.co, they've just walked past some glaring red flags, it doesn't even mention their domain in the email.

vednig 11 days ago

This is becoming a growing cause of cyberattacks recently, the domain expiry being used by malicious entities to gain access to systems

yread 12 days ago

The business/answers page with the number is about calls from Google Assistant and (now?) explicitly says it's not about calls from the support. That would be this page

https://support.google.com/business/answer/6212928?hl=en

Disappointingly, it only says how to identify automated calls from Google, it doesn't offer a protocol for verifying actual humans from Google calling you. Perhaps it happens so rarely you can just assume it's not Google.

throwaway48476 11 days ago

Like with the recent homebrew attack, Google has shown itself to be a malware services company.