Anyone that gets a telephone call from “Google” should be immediately suspicious. I worked for a company that paid GCP about as much as my annual salary every month, and we still struggled to get GCP on the phone when we needed assistance.
Google, not scammers but people actually paid by Google representing Google, phone my old semi-retired Mom every once in a while because she runs a small (~2 person) gardening business that purchases ads.
So weirdly I can’t entirely agree with this. Not that you shouldn’t be suspicious of them, but be suspicious because at best their incentives don’t align with yours not because they are necessarily not who they say they are.
Almost like Google is really good at (all forms of) advertising, but not at providing decent customer service. Because they’re not used to the customer actually being the one interacting with their stuff.
I got a call from Google while I was working as a sysadmin for a local business, which employed maybe 20-30 people. Some people were having issues receiving emails in Outlook, which wasn’t unusual (if I never have to see Outlook again, it’ll be too soon). I went through the usual steps then saw it was on the server side, so sent along a support ticket.
I can’t remember the exact timeline, but a day or 2 later I was driving to work when I got a call with a +1 country code, which was weird because I never got calls from the US, but I answered anyway. They said they were calling from Google, which instantly got my guard up, because why would Google be calling me?
They explained it was about the support ticket I’d sent in, and that it was a known issue and would be resolved within 48 hours (which it was). Then that was it, I let people know it’d be fixed soon and never heard from them again.
So it does happen, even for businesses that spend maybe a couple hundred dollars a month on their Workspace bill.
I’m not following how g.co was actually involved here, or how it might have been compromised.
The email came from google.com. The email passed SPF and DKIM.
The subject mentions important.g.co and it appears in the email body. But there aren’t any links to it, so the phishing attempt seems to not actually rely on it in a way that requires a compromise of g.co. I don’t think the title of this post is warranted, as it appears unsupported by the facts.
It seems more relevant that the attacker convinced a google.com server to send the email for them, or that they got a hold of a DKIM key to sign it.
It would’ve probably been a little more suspicious if it said case-g287686.com instead. There’s also this, from an update to the gist:
Hack Clubbers have determined that this is almost definitely a bug in Google Workspace where you can create a new Workspace with any g.co subdomain and get it to send some emails without verifying that you own the domain.
I imagine this issue extends past g.co and could be used for any domain (besides those already registered like google.com). So yeah, it’s not an issue with g.co, but there is arguably an issue with Google Workspace allowing these phishing attempts to be just a little more convincing than they would otherwise.
Thank you! I thought I was going nuts reading this, it’s got nothing to do with g.co
Someone in the comments there has a theory:
[attacker] Submitted a Google Workspace support ticket with the name “Chloe Google Case ID G287687”. “Chloe” and the case ID closely match the phone call and lure in the SMS. You can only submit these support tickets if you’re logged into your G Admin account, so I hypothesize your account was already compromised to some extent
I won’t repeat the steps to perform the targeted password reset email part of this phishing attempt, but it appears that this is entirely a Google Workspace domain verification problem.
I suggested a title change for this post yesterday. @Aks if you see this, the title of this story is inaccurate and has been at the top of the front page for quite a while now; if you could change it, that’d be great. The same story was posted on Reddit with a more accurate title:
Almost got phished from a @google.com email. Google Workspace domain verification likely broken.
I am fascinated at people who are otherwise security conscious thinking that Google would ever call them. All of these stories, the step 1 is always just such a red flag for me.
I don’t get how you fall for this yet also write up a whole thing like this with all the “right” details. Being able to do the latter seems like something that would preclude you doing the former
It’s like that Mike Tyson quote: “Everybody has a plan until they get punched in the face. Then, like a rat, they stop in fear and freeze.” It’s just different when it’s actually happening to you, instead of you calmly reading someone else’s experience.
People get flustered, or they start panicking about the “crisis”, or their instinct to not be a nuisance kicks in, or they can’t effectively split their attention between the safety checklist in their head and what’s being said to them (which they fear might be a genuine problem).
A well-executed scam & scammer will also take advantage of anything they can to build trust. We see in this story that the author ran a number of checks, which the scammer passed to the victim’s satisfaction. That leaves the victim uncertain and vulnerable to the scammer steering them through key points where the victim could break off: the author thought about hanging up and calling back, and chose not to.
This is not the first time I’ve read somebody who should know better get (almost) taken in. A scammer can weaponize your intelligence and education against you, because the real vulnerability is the human factor.
It’s just different when it’s actually happening to you, instead of you calmly reading someone else’s experience.
Another thing that could happen to you is a temporary health-related effect on your cognition. I was successfully led by an unfortunate combination of “almost recovered after some flu” and “making an account on a new service that provides financial transactions”, but thankfully my bank’s anti-fraud system prevented the $1000+ transaction. Next day I was not even sure what I was thinking then, it was so f- clear.
You can also have side effects from some medicines, not to mention alcohol.
Smart people can still be manipulated. I think these attacks get a lot of mileage out of the initial adrenaline rush you get when you think you might be being hacked.
Something that stuck out to me was that the author looked for reasons to buy the scammers’ story, rather than reasons not to. There’s a case ID, it’s from a google.com domain, the number is listed on a google.com page—but if you operate in that direction you stay on the scammers’ happy path, so to speak. I think we need to do a better job here teaching people to be suspicious.
But here’s the thing. If it had been FedEx calling you asking for import duty payment, they’d have behaved in exactly the same way, down to the obscure help pages and the dodgy URL you’re expected to type sensitive information into. I think any reasonable level of suspicion would force you to classify their communications as scam attempts.
The author mentions the “best practice” of verifying the phone number, but gets it wrong. You don’t verify the phone number. You call the company using a phone number you looked up yourself. (If you’re on a landline, call someone else first). The point here is not to verify anyone’s identity—the FedExes of the world impersonate scammers so effectively as to make that impossible—but to establish a new line of communication that you can trust from first principles.
Yes, caller ID is meaningless. The author actually got to the point of doing the right thing (calling back) but didn’t. It’s a good example of how everyone has blind spots — someone who knows how to check DKIM but trusts caller ID!
I think we need to do a better job here teaching people to be suspicious.
Which is kinda funny because in modern tech orgs the Security team is often seen sending out test phishing attempts to see if employees fall for it and then roll out mandatory security training courses for all employees, and this approach is apparently widely hated.
It’s hard to put it all in one category. That kind of training can vary widely in quality. It also depends on what follows - is it a result for the IT to work on, or a scapegoating opportunity for management.
You probably (and hopefully) don’t intend this as hurtful or shaming, but reactions like this are precisely why stories like these often remain untold, allowing scammers to stay under the radar longer.
Almost no one is inherently stupid but everyone does stupid things occasionally.
There’s a lot of psychological bias at play here. When it happens to you, it’s bad luck, or maybe you weren’t thinking clearly for some reason. When it happens to someone else, it’s easy to think they’re stupid. But I don’t think that’s always valid. I consider myself pretty intelligent, but I’ve done some pretty stupid shit – usually when tired, emotional, or distracted. Scammers are aware of this and exploit it by creating distractions. Telling someone their Google account has been compromised can push them into a panicked “I need to act now” state.
Sorry, I was too mean in the original post. Appreciate the message on this.
My thought was a bit more about how the specific knowledge that leads you to do the whole “look up the phone number and ask them questions” thing … it feels like if you would have the knowledge that Google would not call you in an unprompted manner, like ever. And perhaps “I almost fell for it” is stylized, given how they seemed to have so much suspicion from the get go.
And hey, “Google will never call you”… but …. maybe this one time is true! It’s an easy thing to think.
I am fascinated that I have on several occasions been phoned by Microsoft Support. The real Microsoft Support, no scam involved. I sent in a support question using their form, asking for how to do something with appsource, and I thought it annoying that they required my phone number and then not much later some guy with an Indian accent actually called me and told me that sorry we don’t have that feature and I apologize so very much but here are some workarounds. You’d think Microsoft would stop doing this kind of thing to avoid people getting tricked into thinking it’s them when it’s the scammers.
Our default human instinct is to trust that people are telling us the truth. Unless we are already primed, thoughts of deception are usually a secondary follow-on thought.
It’s a lot like cults. Everyone thinks “I’d never join a cult”, but the truth is that the potential exists in everyone. This is an always-open attack surface, for even the most security savvy tech person, and if we’re honest, the sophistication of these attacks has really ramped up in the last few years. The “herd immunity” has not really caught up.
The part I take exception to is the line “[I followed the best practices] of verifying the phone number”. The best practice is not to verify the phone number. The best practice is to not take action on any contact you yourself have not initiated, and this difference is why this measure failed to protect him. If he had ended the call, called the verified number*, and then gotten agents to look up his ‘case’, that would have revealed the deception.
*(yes, I know that getting a hold of google is difficult)
On iOS, at least, the gmail app also serves as kind of a 2FA mechanism. When you try to log in to your google account from a new device, there’s a flow that’s something like this:
Enter username/password
The web UI displays a 2-digit code and says to verify it on your mobile device
Open up gmail and it gives you a UI where it displays a few 2-digit codes and asks you to pick the right one
Pick the right one and your mobile device talks to the server and the server validates the login request
(Github also uses their mobile app in this way, more or less, on iOS)
I assume the attackers in the write-up weren’t going through the user/pass login flow, so Google must also use a similar workflow to steps 2-4 for other auth workflows besides login? Forgot password or something? Not sure.
AFAICT yes. Google has a challenge mechanism where you get a full screen pop-up on your phone and it asks you to match the number to what you see while logging in. I’ve definitely seen this during 2FA challenges but I don’t know whether it’s used for suspicious login attempts too.
Worth noting that it appears Google’s Advanced Protection Program would have prevented this attack from succeeding as long as you kept the security code setting at the default (allow security codes, but disallow remote access).
APP is what I suggest to anyone who asks me what they can do to really lock down their online presence. Put as much of your auth burden onto Google SSO and then enable APP, that’s my advice.
That’s assuming that your threat model does not include Google capriciously revoking your ability to have a Google account, with no recourse. (Unlikely, but not unheard of.)
For targeted users I agree this is often the right choice though.
Aren’t magic links equally applicable to passwords and passkeys? Wouldn’t a magic link instead of the two digit challenge have stymied this phishing attack against this non-passkey account? So the magic link would have helped but passkeys would have been irrelevant.
This phishing attack was just trying to get the victim to provide the second factor so Google would validate the attacker’s login attempt. This means the attacker already had the first factor, i.e. the password. That would be basically impossible if a password didn’t exist and the credential was a device-bound passkey.
So yes, while password + magic link would stop the attack at the second stage, passkey would not have allowed it to get to that stage.
The issue (if it wasn’t made up) was about a potentially compromised account, already accessed from another location. You can’t use links received by email in that case, because they can be intercepted/changed on the fly.
Wow, I’m glad you commented because you’ve given me another perspective (that of a small business owner) that I am not familiar with.
It does make sense that Google or their representatives would use a variety of angles to try to get businesses to purchase ads.
I’m thankful the OP took the time to write this all up afterwards and share.
Just in case, I didn’t write this, just saw it being shared and felt it could be useful here
Another reason I just never answer my phone.
Step 1 was obviously a red flag for them too, but the scammers managed to evade all reasonable attempts at exposing the origin of the call as a scam.
Scammers get a lot of mileage now by hiring people who “sound white” to read scripts as a work-from-home job.
Hello, disruptive AI tech industry? Can you make an, uh, “software agent” that sounds white please?
Could someone explain to me what happened in steps 8 and 9?
Was it that someone had his password and was trying to get him to put in the 2FA code after they had used his password?
I couldn’t understand that either. Looks like some of it is very google-specific stuff which I’m not familiar with.
Really looking forward to everyone moving on to passkeys so this nonsense can be over.
This phishing attack used an account recovery flow which passkeys can’t protect.
With passkeys as the login method the account recovery flow would typically be an emailed magic link, which would make this trick impossible.