@zachlatta
Last active March 27, 2025 20:44

g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.

Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown.

  1. Someone named "Chloe" called me from 650-203-0000 with Caller ID saying "Google". She sounded like a real engineer, the connection was super clear, and she had an American accent. Screenshot.

  2. They said that they were from Google Workspace and someone had recently gained access to my account, which they had blocked. They asked me if I had recently logged in from Frankfurt, Germany and I said no.

  3. I asked if they can confirm this is Google calling by emailing me from a Google email and they said sure and sent me this email and told me to look for a case number in it, which I saw in the email string. I asked why it said important.g.co and she said it was an internal Google subnet.

[Screenshot 2025-01-23 at 10:17:41 PM]

OK, so that can't be from a google.com email, right? It must be a spoofed email using g.co, which doesn't have DKIM / SPF turned on - right? Nope.

[Screenshot 2025-01-23 at 10:22:51 PM] [Screenshot 2025-01-23 at 10:24:30 PM]

You can download the original email here.

But wait - important.g.co must be an unofficial URL. This must be similar to the Google Docs phishing attack, right?

No - g.co is an official Google URL, and Google even says so! (there's also a Wikipedia)

[Screenshot 2025-01-23 at 10:47:32 PM]
  4. I asked if I could call back a phone number listed on Google.com and she said sure - this number is listed on google.com and you can call back with your case number, but there may be a wait on hold and I might get a different agent. I googled it and sure enough, it was listed on google.com pages. I didn't call back though.

  5. I said OK: what do you want me to do? She said we could do the sessions reset entirely from my devices and she wouldn't need any info from me. So I said sure, let me know how. Then I realized I should check the Google Workspace logs and didn't see any login attempts from weird IPs. I asked her where I could find the attempt they were talking about and she gave me detailed instructions and said it's strange it's not showing up, and maybe it'll show after the caches reload. She offered to transfer me to a manager. I declined.

  6. We talked further for maybe 5 minutes as I was looking through my Google Workspace logs trying to find anything, then the call dropped mid-sentence while she was talking. Then I got a call back 30 seconds later from "Solomon", her manager, saying he heard I was having trouble navigating the Google Workspace admin logs and could show me.

  7. We went back and forth, he explained the account was probably compromised through an adblocker Chrome Extension that hijacked the Gmail credentials.

  8. As we talked, he said a few things that made me more suspicious. I then asked him to show me where on Google.com I could find this phone number and he had me type out https://support.google.com/business/answer/7690269?hl=en, which sure enough has it - though it's listed under "Google Assistant". Suspicious. I asked if I could call the number back, and he said no - which differs from what "Chloe" said. Suspicious.

  9. I then said "sure, let's reset the account" to see what he wanted me to do. Then he said OK - open up Gmail on your phone and let me show you how to log out all other active devices before you reset your password so the Frankfurt computer will get logged out.

  10. He then said: OK, I just sent a reset code to you. It should pop up on your screen and say "84", which sure enough 84 was one of the 3 codes displayed. He said just tap it, then all sessions besides your phone will be signed out. That would have given him access to my account!

  11. Then I started recording the call when I was certain this was a phishing attempt. Here is the call recording for the last 7 minutes. Note: my iOS device played a recording notification to him when this started recording.

  12. He had me load up "his" LinkedIn account to verify who he was and that he worked at Google. Then he eventually sent me a super scammy 2 factor text code and hung up on me after I asked more questions about how they did this.

[Screenshot 2025-01-23 at 10:31:53 PM] [Screenshot 2025-01-23 at 10:33:01 PM]

The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.

I understand how they were able to spoof the "Google" phone call through Google Assistant, but I have no idea how they got access to important.g.co. g.co is a legitimate Google URL.

Literally 1 button press from being completely pwned. And I'm pretty technical!

– Zach


Hack Clubbers have determined that this is almost definitely a bug in Google Workspace where you can create a new Workspace with any g.co subdomain and get it to send some emails without verifying that you own the domain.

[Screenshot 2025-01-23 at 10:48:50 PM]

Screenshot from @EerierGosling. Also thanks to @aramshiva, @recursiveforte, @smashmaster0045, @YodaLightsabr, and @EerierGosling for their help.
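As an added example (not code from the gist, from Zach, or from Google), the check below parses an `Authentication-Results` header with Python's standard library and reports two separate things: whether the message is authenticated and aligned (SPF/DKIM/DMARC passing for the `From` domain), and whether that `From` domain is one the claimed brand is expected to send account mail from. The headers are constructed for the example, and treating `google.com` as the only expected domain is an assumption chosen for illustration. It makes the caveat the post lands on concrete: a DKIM/SPF/DMARC pass only proves the mail came from whatever mail system is authorised for that exact domain, not that the domain is the one the brand really uses, so an unfamiliar subdomain should be treated as unverified even when every check passes.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample headers (not the email attached to the gist). The first is
# shaped like a message that passes SPF, DKIM and DMARC for an unexpected
# subdomain of a brand-owned domain; the second is an ordinary spoof that fails.
PASSING_BUT_ODD_DOMAIN = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@important.g.co header.s=constructed;
       spf=pass (example.net: domain of noreply@important.g.co designates 192.0.2.10 as permitted sender) smtp.mailfrom=noreply@important.g.co;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=important.g.co
From: Google Workspace <noreply@important.g.co>
To: victim@example.net
Subject: Case 00000 - session reset (constructed)

Constructed body.
"""

PLAIN_SPOOF = """\
Authentication-Results: mx.example.net;
       dkim=fail header.i=@google.com header.s=constructed;
       spf=softfail (example.net: domain of transitioning noreply@google.com does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=noreply@google.com;
       dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=google.com
From: Google Workspace <noreply@google.com>
To: victim@example.net
Subject: Case 00000 - session reset (constructed)

Constructed body.
"""


def parse_auth_results(value):
    """Pull method results and the domains they were evaluated for out of an
    Authentication-Results header. Tolerant regexes over the RFC 8601 shape,
    not a full parser; good enough for the Gmail/Workspace-style header above."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value)
        results[method] = m.group(1).lower() if m else "none"
    found = {
        "dkim": re.search(r"header\.[id]=@?([\w.-]+)", value),       # signing domain
        "spf": re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", value),  # envelope domain
        "dmarc": re.search(r"header\.from=([\w.-]+)", value),        # From domain DMARC used
    }
    domains = {k: (m.group(1).lower() if m else None) for k, m in found.items()}
    return results, domains


def in_domain(name, parent):
    """True when name equals parent or is a subdomain of it (relaxed alignment)."""
    return name == parent or name.endswith("." + parent)


def assess(raw, expected_domains=("google.com",)):
    """Return authentication results plus a verdict that keeps 'authenticated'
    and 'from a domain this brand is expected to use' as separate questions."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    results, domains = parse_auth_results(str(msg["Authentication-Results"] or ""))
    # DMARC-style alignment: a passing identifier must match the visible From domain.
    aligned = any(
        results[m] == "pass" and domains[m] is not None and in_domain(from_domain, domains[m])
        for m in ("dkim", "spf")
    )
    # Assumption for the example: the brand's account mail comes from expected_domains only.
    expected = any(in_domain(from_domain, d) for d in expected_domains)
    if not aligned:
        verdict = "unauthenticated"
    elif not expected:
        verdict = "authenticated for an unexpected domain"
    else:
        verdict = "authenticated for an expected domain"
    return {"from_domain": from_domain, **results,
            "aligned": aligned, "expected_domain": expected, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("odd subdomain", PASSING_BUT_ODD_DOMAIN), ("plain spoof", PLAIN_SPOOF)):
        print(label, assess(raw))
```

Run against the first sample it reports every check passing and aligned, yet the verdict is still "authenticated for an unexpected domain", which is exactly the case a "did it come from a legit domain" rule of thumb gets wrong; the second sample is caught by the ordinary authentication checks.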

@rubyFeedback

> heyarviind wrote:
>
> People without technical knowledge will fall very easily for this.

I agree that this targets mostly non-tech savvy people, but even more tech-savvy people may fall victim.

After I wake up, my brain is not fully "active" yet and I tend to do stupid things, not paying attention or paying less attention. So I tend to make more mistakes early, and also when I am very tired and sleepy, so we should also keep in mind that smart people make silly mistakes. Some people accidentally put their keys in GitHub repositories too. To err is human, even for people who think they are very clever - even if they are not usually the primary target group for phishers and scammers.

@Red-Plasma

You should have asked them to send you an RCS text for verification.

The scammer cannot own Google's authentic number... Stay safe and always ask a lot of questions... scammers hate questions.
RCS

And also... the 3-character code is not strong.
Increase it to 8.

@cbehar

cbehar commented Mar 27, 2025

Great post! Found some similarities in this attack with one I just came across today that uses Google Sites to host malicious scripts to steal your login.

https://www.linkedin.com/pulse/one-most-convincing-phishing-scam-ive-seen-its-hosted-chris-behar-j9muc/?trackingId=8xopCybXDz8LdUVvGH9VXA%3D%3D
