@zachlatta
Last active March 27, 2025 20:44

g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.

Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown.

  1. Someone named "Chloe" called me from 650-203-0000 with Caller ID saying "Google". She sounded like a real engineer, the connection was super clear, and she had an American accent. Screenshot.

  2. They said that they were from Google Workspace and someone had recently gained access to my account, which they had blocked. They asked me if I had recently logged in from Frankfurt, Germany and I said no.

  3. I asked if they can confirm this is Google calling by emailing me from a Google email and they said sure and sent me this email and told me to look for a case number in it, which I saw in the email string. I asked why it said important.g.co and she said it was an internal Google subnet.

Screenshot 2025-01-23 at 10 17 41 PM

OK, so that can't be from a google.com email, right? It must be a spoofed email using g.co, which doesn't have DKIM / SPF turned on - right? Nope.

Screenshot 2025-01-23 at 10 22 51 PM Screenshot 2025-01-23 at 10 24 30 PM

You can download the original email here.

But wait - important.g.co must be an unofficial URL. This must be similar to the Google Docs phishing attack, right?

No - g.co is an official Google URL, and Google even says so! (there's also a Wikipedia)

Screenshot 2025-01-23 at 10 47 32 PM
  4. I asked if I could call back a phone number listed on Google.com and she said sure - this number is listed on google.com and you can call back with your case number, but there may be a wait on hold and I might get a different agent. I googled it and sure enough, it was listed on google.com pages. I didn't call back though.

  5. I said OK: what do you want me to do? She said we could do the session reset entirely from my devices and she wouldn't need any info from me. So I said sure, let me know how. Then I realized I should check the Google Workspace logs and didn't see any login attempts from weird IPs. I asked her where I could find the attempt they were talking about and she gave me detailed instructions and said it's strange it's not showing up, and maybe it'll show after the caches reload. She offered to transfer me to a manager. I declined.

  6. We talked further for maybe 5 minutes as I was looking through my Google Workspace logs trying to find anything, then the call dropped mid-sentence while she was talking. Then I got a call back 30 seconds later from "Solomon", her manager, saying he heard I was having trouble navigating the Google Workspace admin logs and could show me.

  7. We went back and forth, and he explained the account was probably compromised through an adblocker Chrome extension that hijacked the Gmail credentials.

  8. As we talked, he said a few things that made me more suspicious. I then asked him to show me where on Google.com I could find this phone number and he had me type out https://support.google.com/business/answer/7690269?hl=en, which sure enough has it - though it's listed under "Google Assistant". Suspicious. I asked if I could call the number back, and he said no - which was different from what "Chloe" said. Suspicious.

  9. I then said "sure, let's reset the account" to see what he wanted me to do. Then he said OK - open up Gmail on your phone and let me show you how to log out all other active devices before you reset your password so the Frankfurt computer will get logged out.

  10. He then said: OK, I just sent a reset code to you. It should pop up on your screen and say "84", and sure enough 84 was one of the 3 codes displayed. He said just tap it, then all sessions besides your phone will be signed out. That would have given him access to my account!

  11. Then I started recording the call when I was certain this was a phishing attempt. Here is the call recording for the last 7 minutes. Note: my iOS device played a recording notification to him when this started recording.

  12. He had me load up "his" LinkedIn account to verify who he was and that he worked at Google. Then he eventually sent me a super scammy 2-factor text code and hung up on me after I asked more questions about how they did this.

Screenshot 2025-01-23 at 10 31 53 PM Screenshot 2025-01-23 at 10 33 01 PM

The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.

I understand how they were able to spoof the "Google" phone call through Google Assistant, but I have no idea how they got access to important.g.co. g.co is a legitimate Google URL.

Literally 1 button press from being completely pwned. And I'm pretty technical!

– Zach


Hack Clubbers have determined that this is almost definitely a bug in Google Workspace where you can create a new Workspace with any g.co subdomain and get it to send some emails without verifying that you own the domain.

Screenshot 2025-01-23 at 10 48 50 PM

Screenshot from @EerierGosling. Also thanks to @aramshiva, @recursiveforte, @smashmaster0045, @YodaLightsabr, and @EerierGosling for their help.
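The reasoning in the post ("it must be spoofed, g.co can't have DKIM/SPF... nope") stops at the authentication verdict. An authentication pass only says the owner of the From domain sent the mail; whether that domain is one you actually expect to hear from is a separate check. The triage helper below is an added example written for this page (not Zach's code and not anything Google ships): it parses the Authentication-Results header with Python's standard library, checks SPF/DKIM alignment against the From domain, and then applies an allowlist. The two sample messages, the receiving host, the IP and the selector are constructed for illustration and are not the headers of the real email; the trusted-domain set and the "last two labels" organizational-domain rule are assumptions (a production version would use the Public Suffix List).

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: passes SPF, DKIM and DMARC for a subdomain of a trusted brand's
# shortlink domain. Headers are made up; the receiving host, IP and selector are assumptions.
SAMPLE_AUTHENTICATED = """\
Authentication-Results: mx.example.net; spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=important.g.co; dkim=pass header.i=@important.g.co header.s=sel1 header.d=important.g.co; dmarc=pass header.from=important.g.co
From: "Google Workspace Support" <support@important.g.co>
To: victim@example.net
Subject: Case 12345: suspicious sign-in from Frankfurt

Please call us back about your case.
"""

# Constructed sample: the display name and From claim google.com, but the signing and
# envelope domains belong to an unrelated bulk sender, so nothing aligns.
SAMPLE_UNALIGNED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.example.org; dkim=pass header.d=bulk.example.org; dmarc=fail header.from=google.com
From: "Google Support" <support@google.com>
To: victim@example.net
Subject: Account locked

Click here.
"""

# Assumption: the domains this mailbox has previously received legitimate Google mail from.
TRUSTED_SENDER_DOMAINS = {"google.com", "accounts.google.com"}


def parse_auth_results(raw: str) -> dict:
    """Extract spf/dkim/dmarc verdicts and the domains they apply to from Authentication-Results."""
    msg = email.message_from_string(raw)
    joined = " ".join(msg.get_all("Authentication-Results", []))

    def grab(pattern: str):
        m = re.search(pattern, joined, re.IGNORECASE)
        return m.group(1).lower() if m else None

    return {
        "spf": grab(r"\bspf=(\w+)"),
        "dkim": grab(r"\bdkim=(\w+)"),
        "dmarc": grab(r"\bdmarc=(\w+)"),
        "mailfrom": grab(r"smtp\.mailfrom=([\w.\-]+)"),   # SPF-authenticated envelope domain
        "dkim_d": grab(r"header\.d=([\w.\-]+)"),           # DKIM signing domain
        "from_domain": parseaddr(msg.get("From", ""))[1].split("@")[-1].lower(),
    }


def org_domain(domain: str) -> str:
    # Simplification: organizational domain = last two labels ("relaxed" alignment).
    return ".".join(domain.split(".")[-2:])


def triage(raw: str, trusted: set) -> dict:
    """Separate 'was this really sent by the From domain' from 'do I trust the From domain'."""
    r = parse_auth_results(raw)
    authenticated = r["dkim"] == "pass" or r["spf"] == "pass"
    from_org = org_domain(r["from_domain"])
    aligned = (
        (r["dkim_d"] is not None and org_domain(r["dkim_d"]) == from_org)
        or (r["mailfrom"] is not None and org_domain(r["mailfrom"]) == from_org)
    )
    trusted_domain = r["from_domain"] in trusted
    if not (authenticated and aligned):
        verdict = "unauthenticated_or_unaligned"
    elif trusted_domain:
        verdict = "authenticated_trusted_domain"
    else:
        # The interesting case from the gist: every check passes, yet the sender domain is
        # not one support mail has ever come from. Treat as unverified until confirmed out of band.
        verdict = "authenticated_but_untrusted_domain"
    return {**r, "authenticated": authenticated, "aligned": aligned,
            "trusted": trusted_domain, "verdict": verdict}


if __name__ == "__main__":
    for raw in (SAMPLE_AUTHENTICATED, SAMPLE_UNALIGNED):
        t = triage(raw, TRUSTED_SENDER_DOMAINS)
        print(t["from_domain"], t["verdict"])
```

The point of the third verdict is that "DKIM and SPF pass" and "this is Google" are different claims: the first is what the mail server can tell you, the second requires knowing which domains the organization really sends from, which is exactly what a freshly minted important.g.co mailbox does not satisfy.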


philipwhiuk commented Jan 24, 2025

You're supposed to actually call back on the number. That's the 'number verification'. Not just "they can read and fake the official support number". You actually call back on the number.
You have no idea who you are actually talking to when someone calls you.

@neontuna

I spoke to "Solomon" a few weeks ago, definitely the same guy. I hate to say that the accent (or lack thereof) is what made me trust them initially.


pvater commented Jan 24, 2025

Interesting. Although how is g.co "compromised"? It doesn't seem to play any relevant part in the scam.

@hackerb9

neontuna wrote:

I spoke to "Solomon" a few weeks ago, definitely the same guy. I hate to say that the accent (or lack thereof) is what made me trust them initially.

It's an unconscious bias that a lot of us are going to have to admit or risk getting fooled in the future -- if we haven't already. I wonder how many people fell for it and still don't know that that wasn't Google who called them. I suspect Solomon and co. are not the type to make it obvious that you've been had.

So, @neontuna, any guesses why they targeted you? Are you an admin for a large corporation?


n8cha commented Jan 24, 2025

@and-sanford Thanks for the detailed breakdown! I had a question about the Google Assistant abuse.

To confirm my understanding, are you suggesting that the phishers did the following?

  1. Made a fake Google Business Profile that uses Zach's phone number as the business's phone number.
  2. Used the Google Assistant as a "customer" would and asked it to call the fake business, which looked like a call from +1-650-203-0000 to Zach.

Customers who find your business using Google Search, Maps or Assistant can ask Assistant to call you on their behalf, for tasks like booking an appointment or checking the wait time for a table at a restaurant.

Now that I type this out, I'm guessing step #1 would've required some sort of phone number verification, though ...


krekr commented Jan 24, 2025

That's attacker-side view. You simply need to press the same number out of three in total on the phone.

Thanks. I've had an ADHD reading comprehension fail. I've somehow assumed that Zach is using a computer+phone screen. I see now it's just phone. And therefore it's the attacker generating the login + MFA request, Zach with the phone (where the MFA is received). Apologies + thanks.

I had the same but I actually feel it’s bad UX: it feeds the confidence in believing the attacker is legit because they see the same info as on your screen. Especially in a high-stress situation like this.
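The exchange krekr describes, and step 10 of the gist ("it should say 84"), come down to who is shown the matching number. Below is an added toy model of a "tap the matching number" prompt written for this page; it is not Google's implementation and not code from the thread. The server logic, the three-choice format, the IP addresses (TEST-NET ranges) and the idea that the prompt carries the initiating device's address are all assumptions. The scenario function replays the call: the attacker, holding the password, starts the login, reads the number off their own screen and tells the victim which one to tap.

```python
import secrets
from dataclasses import dataclass

# Constructed model of a number-matching push prompt. Nothing here is Google's code; the
# server behaviour, addresses and numbers are assumptions made for illustration.


@dataclass
class LoginAttempt:
    user: str
    initiator_ip: str   # the device where the password was entered
    correct: int        # the number displayed on that device
    choices: list       # the three numbers displayed on the account owner's phone
    approved: bool = False


class NumberMatchServer:
    def __init__(self):
        self._rng = secrets.SystemRandom()
        self._pending = {}

    def start_login(self, user: str, password_ok: bool, initiator_ip: str):
        """Whoever supplies a correct password triggers the second factor and is shown the
        matching number. Nothing ties that party to the account owner."""
        if not password_ok:
            return None
        nums = self._rng.sample(range(10, 100), 3)
        choices = nums[:]
        self._rng.shuffle(choices)
        self._pending[user] = LoginAttempt(user, initiator_ip, nums[0], choices)
        return nums[0]                      # rendered on the initiator's screen

    def phone_prompt(self, user: str) -> dict:
        """What the account owner's phone shows (assumption: it includes the initiator's address)."""
        a = self._pending[user]
        return {"choices": a.choices, "initiated_from": a.initiator_ip}

    def tap(self, user: str, number: int) -> bool:
        a = self._pending[user]
        a.approved = number == a.correct
        return a.approved


def run_scenario() -> dict:
    """Replay of the call: the attacker starts the login and dictates the number to tap."""
    server = NumberMatchServer()
    attacker_ip = "203.0.113.5"             # constructed; stands in for the "Frankfurt" device
    # Assumption: the attacker already has the password (the caller blamed a browser extension).
    number_attacker_sees = server.start_login("victim", password_ok=True, initiator_ip=attacker_ip)
    prompt = server.phone_prompt("victim")
    # "It should pop up on your screen and say 84": the caller is reading their own screen.
    number_told = number_attacker_sees
    approved = server.tap("victim", number_told)   # victim taps what the caller said
    return {
        "number_attacker_saw": number_attacker_sees,
        "number_attacker_told_victim": number_told,
        "victim_choices": prompt["choices"],
        "prompt_initiated_from": prompt["initiated_from"],
        "attacker_session_approved": approved,
    }


def decide_on_prompt(prompt: dict, i_just_signed_in: bool, my_device_ips: set) -> str:
    """The rule that survives this attack: approve only a sign-in you started yourself, from a
    device you are holding. A caller knowing the number is no evidence of anything."""
    if not i_just_signed_in:
        return "deny"
    if prompt["initiated_from"] not in my_device_ips:
        return "deny"
    return "approve"


if __name__ == "__main__":
    r = run_scenario()
    print(r)
    print(decide_on_prompt({"choices": r["victim_choices"],
                            "initiated_from": r["prompt_initiated_from"]},
                           i_just_signed_in=False, my_device_ips={"198.51.100.7"}))
```

Run it a few times: the number changes, the outcome does not. The matching number is shown to whoever typed the password, so the caller's "it will say 84" is simply a readout of the attacker's browser, which is why krekr's UX complaint stands: the prompt makes the attacker look informed rather than exposing that the sign-in came from somewhere else.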

@neontuna

hackerb9 wrote:

I spoke to "Solomon" a few weeks ago, definitely the same guy. I hate to say that the accent (or lack thereof) is what made me trust them initially.

It's an unconscious bias that a lot of us are going to have to admit or risk getting fooled in the future -- if we haven't already. I wonder how many people fell for it and still don't know that that wasn't Google who called them. I suspect Solomon and co. are not the type to make it obvious that you've been had.

So, @neontuna, any guesses why they targeted you? Are you an admin for a large corporation?

I am the admin for a small workspace, but from what I remember they were trying to get into my personal account. Maybe just due to age? Account has been around for a while.


femdiya commented Jan 25, 2025

This was really interesting.

@heyarviind

They did a lot of research for a scam. People without technical knowledge will fall very easily for this.


paulschreiber commented Jan 25, 2025

Get some Yubikeys and enable Advanced Protection. Don't use phishable MFA.

@schlangens

Thanks for sharing! Great read.

@rubyFeedback

heyarviind wrote:

People without technical knowledge will fall very easily for this.

I agree that this targets mostly non-tech savvy people, but even more tech-savvy people may fall victim.

After I wake up, my brain is not fully "active" yet and I tend to do stupid things, not paying attention or paying less attention. So I tend to make more mistakes early, and also when I am very tired and sleepy, so we should also keep in mind that smart people make silly mistakes. Some people accidentally put their keys in GitHub repositories too. To err is human, even for people who think they are very clever - even if they are not usually the primary target group for phishers and scammers.

@Red-Plasma

You should have asked them to send you an RCS text for verification.

The scammer cannot own Google's authentic number ....... Stay safe and always ask a lot of questions... scammers hate questions.

And also... the 3-character code is not strong.
Increase it to 8.


cbehar commented Mar 27, 2025

Great post! Found some similarities in this attack with one I just came across today that uses Google sites to host malicious scripts to steal your login.

https://www.linkedin.com/pulse/one-most-convincing-phishing-scam-ive-seen-its-hosted-chris-behar-j9muc/?trackingId=8xopCybXDz8LdUVvGH9VXA%3D%3D
