[HN Gopher] A phishing attack involving g.co, Google's URL short...
___________________________________________________________________
A phishing attack involving g.co, Google's URL shortener
Author : zachlatta
Score : 164 points
Date : 2025-01-24 03:38 UTC (19 hours ago)
(HTM) web link (gist.github.com)
(TXT) w3m dump (gist.github.com)
| aramsh wrote:
| What's even more interesting is there are no DNS records for
| important.g.co, which means they have found a way to create a
| Google Workspace without verifying the domain but still able to
| send emails like password resets.
|
| It's definitely a glitch where you can send emails/transactional
| emails from an unverified Google Workspace. My guess is that
| there are protections for google.com and google domains but they
| forgot to add the g.co domain, which allows unverified sending to
| g.co and creation of workspaces.
| gm678 wrote:
| What I'm most curious about is how they were able to spoof the
| email being sent from `workspace-noreply@google.com`. Given the
| odd phrasing of 'password for important.g.co', perhaps this is
| some strategy involving creating a 'parallel' account with the
| same email and making use of it to send an official-looking email
| as part of the scam?
| zerocrates wrote:
| Most likely they did something like sign up for
| "important.g.co" in Workspace, then added the target as a user,
| then reset that user's password, causing Google to send a real,
| verified, from-Google message.
|
| They can't control the contents of the message, but they used
| the gmail "+" feature to cram the "case ID" onto the target
| email they created the Workspace account for, making that seem
| real.
| markerz wrote:
| But how did they MITM the verification code? Were the first
| two presented to the attacker, and the rest was presented to
| the email? Or were they able to MITM the whole email/code and
| just shared the first two to gain trust?
| Spoom wrote:
| This sounds like they were using the "tap a button on your
| device" 2FA method (see
| https://support.google.com/accounts/answer/7026266). Not
| sure of the details as to how they got to that page in the
| first place, though the docs say that you can potentially
| use it to recover your account.
|
| Never trust an incoming call, especially if it's talking
| about authentication problems you didn't know you had.
|
| Googler, opinions my own (and I'm not an expert in this
| particular space).
| renewiltord wrote:
| When you use a device to do 2FA, Google will display one
| code on the logging in device screen and three on the 2FA
| screen. This is so that the user doesn't just blindly hit
| accept on the Gmail/YouTube app that hosts the 2FA prompt.
| valleyer wrote:
| A one in three risk of hitting the wrong button still
| seems insanely high to me. Why is this 2FA method
| deployed instead of things like "enter the code here"?
|
| (I know it wouldn't necessarily have stopped this
| phishing attempt.)
| rekabis wrote:
| > I asked if I could call back a phone number listed on
| Google.com and she said sure - this number is listed on
| google.com and you can call back with your case number, but there
| may be a wait on hold and I might get a different agent. I
| googled it and sure enough, it was listed on google.com pages. I
| didn't call back though.
|
| This is where a big mistake is. Always, _ALWAYS_ phone or contact
| back using the company's official channels. Because if they have
| sufficient info about you, scammers can make a call sound hella
| legitimate, but one thing they still cannot do is pick up the
| company's phone for them when you phone in. Especially if you
| call from a hardline, which requires compromising the phone
| company's switching equipment.
|
| Even my father, nearly 86 with a 5th grade education and slowly
| sliding into dementia, knows better than to uncritically accept
| being directly contacted. He's already short-circuited several
| scams (of various types) in the last few years by hanging up and
| phoning back in himself.
| jrochkind1 wrote:
| > Especially if you call from a hardline,
|
| I have no idea where I'd find one of those.
| philipwhiuk wrote:
| Yeah.
|
| In reality the number your phone carrier provides is basically
| a guess. It does in no way guarantee who is calling you.
| pests wrote:
| This used to not be safe though, in the age of landlines.
|
| I forget the details, but most of the country was wired in a
| manner that both parties of a call had to hang up to end the
| connection.
|
| You might hang up, go find the official phone number, but when
| you pick the phone off the cradle you would still be in the
| previous call. They could fake the dial tone and you would be
| none the wiser.
|
| I remember pranking friends with this back when I was young.
| Harmless stuff.
| quesera wrote:
| I think this was in crossbar switches. The initiator of the
| call had to hang up for something like 8 seconds.
|
| This was useful if they called you and you answered in the
| kitchen, but wanted to run to another room to talk. Not that
| I think it was designed to be a feature! But I used it that
| way.
|
| If you didn't trust the caller, you could hang up, wait 10
| seconds, then get a good clean real dial tone. Remember dial
| tones?
|
| Anyway none of this is relevant in modern switching systems,
| much less cellular networks.
| insane_dreamer wrote:
| > This is where a big mistake is. Always, ALWAYS phone or
| contact back using the company's official channels.
|
| The problem, and the reason why that scam approach works half
| the time, is that calling back is a huge PITA these days
| between 1) endless routing menus or some "smart" AI bot that is
| f*ing useless (seriously, I have never been helped to my
| satisfaction by one of those), 2) long long long hold times to
| get to a human, if you ever do, because every single company is
| always "expecting greater than usual call volumes" -- wtf? call
| volume distributions are Gaussian, ok? so adjust accordingly.
| pavel_lishin wrote:
| I know it's easy to second-guess someone after they've explained
| that they're describing a scam, but:
|
| > _The thing that's crazy is that if I followed the 2 "best
| practices" of verifying the phone number + getting them to send
| an email to you from a legit domain, I would have been
| compromised._
|
| He _didn't_ follow the first of those best practices. He just
| looked up a phone number that the caller also read out to him,
| _and didn't call it_. And "Solomon" also explicitly told him he
| _couldn't_ call.
|
| I honestly think that at this point, no incoming phone call can
| ever be trusted.
| ksala_ wrote:
| I'd argue the second one was not followed either. Maybe I'm
| misunderstanding the article, but I would not take a random
| "your password has changed" as proof. I would need the caller
| to send me an actual email from their personal work email
| address (or ticket system?) with some actual, human
| communications in it.
| numbsafari wrote:
| > no incoming phone call can ever be trusted.
|
| They can't. And they haven't been for a while. Spoofing phone
| calls is simply too easy, and nothing is being done to fix
| that, despite the fact that it puts so many of us at risk. It's
| not an insurmountable problem, technologically. It is literally
| a lack of will and outcry from ordinary people, despite how
| often this fact is used to abuse so many.
|
| Credit Card companies have known this for a long time. My
| credit card company will call and say "do not call back to this
| number, call the number on the back of your card and use this
| reference number".
|
| That should absolutely be the norm at this point.
| BobaFloutist wrote:
| Telecoms know if a number is spoofed or not. All I want is
| for them to wholesale steal the original Twitter "verified"
| check, and use it to confirm that a call is not spoofed.
| umanwizard wrote:
| My iPhone (on Verizon) already does this.
| HeatrayEnjoyer wrote:
| The originating provider knows, but do providers downstream
| know? If AT&T receives a call from $MadagascarPhoneCorp who
| indicates the call is officially from $IndiaPhoneCorp, can
| AT&T trust that?
| lolinder wrote:
| I don't even know where the idea that those are the best
| practices came from.
|
| The phone number best practice has always been constructed as
| "call them back at a known good number, preferably one written
| on paper or on your card". You certainly don't ask them to show
| you where on the company website the phone number is listed.
|
| And asking the person on the phone with you to send you an
| email from a specific domain is likewise not something I've
| ever seen recommended: that's one of several things you check
| to see if an email is phishing (And only one of several! A good
| domain isn't enough to clear an email!) But if you're already
| on the phone with someone suspicious, the best practice has
| always been to get off the phone with them immediately and call
| a known number, not to ask the caller to prove themselves.
|
| None of this is to blame OP for misunderstanding, it's just
| very clear that we need to do better at communicating these
| rules out to the world.
| superq wrote:
| But, if it _is_ listed on the company website, then..
|
| But you're right: simply say "given that this is a sensitive
| security matter, thank you for the heads up. Don't call me,
| I'll call _you_ (click) "
| bryanrasmussen wrote:
| >But, if it is listed on the company website, then..
|
| I'm sorry I'm going to have to call you, instead of you
| calling me
|
| Of course, the company phone number is right in the footer
| of the website.
|
| -- goes to open website from last email sent from company,
| goes to colnbase.com.
| blevinstein wrote:
| Sounds really similar to my experience a few months ago. I
| commented here about it.
|
| https://www.reddit.com/r/googleworkspace/s/NtJpputXtg
|
| There was something in Google workspace that allowed the scammers
| to have an email sent to them, AND an additional one of their
| choice. But when I asked about calling them back, I was told that
| wasn't possible, which made me suspicious.
| philfreo wrote:
| Can someone explain point #9 in the gist? How'd they know part of
| the two factor code?
| jonas21 wrote:
| The attacker was going through the sign in flow on their own
| computer. In the MFA step, it shows you a number and asks you to
| press the same number on your phone.
|
| There's a screenshot of what this looks like here:
| https://gist.github.com/zachlatta/f86317493654b550c689dc6509...
| jsnell wrote:
| It's not a two-factor code like you're thinking of. That code
| is shown on the sign-in / account recovery page, to whoever
| is making that attempt. Then the same value has to be chosen on
| the mobile device that's being used to authenticate that sign-
| in.
|
| The goal isn't to protect against phishing or social
| engineering, but against people accidentally approving a sign-
| in they didn't initiate.
| joshuamorton wrote:
| (specifically, there are "credential stuffing" style sign-in
| attacks where an attacker logs in "suspiciously" at the same
| time as a legit log in, possibly after forcing a log-out,
| hoping you approve both your log in and theirs when you get
| two, or ten pop-ups)
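Added example (not Google's code, and not from the gist) modelling the "tap the matching number" prompt the way renewiltord, jsnell and joshuamorton describe it above: the device that starts the sign-in shows one number, the phone shows three, and the sign-in completes only if the tapped number matches. The two-digit range, the decoy count beyond what the comments state, and the victim's random-tap behaviour are assumptions. The two scenario functions make the point of the comments concrete: against an unsolicited prompt (credential stuffing plus a lucky tap) the layout cuts approvals to about one in three, but when the attacker is the party signing in, the number is on the attacker's own screen and reading it out over the phone defeats the check entirely.

```python
"""Model of a number-matching push prompt as described in the thread.
Added example; the real Google flow is only known here from the comments."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Prompt:
    shown_on_signin_device: int   # visible to whoever started the sign-in
    choices_on_phone: tuple       # three numbers, exactly one is correct


def start_sign_in(rng):
    """Server side: pick the expected number plus two decoys (range assumed)."""
    nums = rng.sample(range(10, 100), 3)
    expected = nums[0]
    shuffled = list(nums)
    rng.shuffle(shuffled)
    return Prompt(expected, tuple(shuffled))


def approve(prompt, tapped):
    """Phone side: the sign-in completes only if the tapped number matches."""
    return tapped == prompt.shown_on_signin_device


def unsolicited_prompt_accepted(rng, trials=3000):
    """Victim did not start a sign-in and cannot see the number, so they tap
    one of the three buttons at random. Returns the approval rate."""
    hits = 0
    for _ in range(trials):
        p = start_sign_in(rng)
        hits += approve(p, rng.choice(p.choices_on_phone))
    return hits / trials


def phone_call_lure_accepted(rng, trials=3000):
    """Attacker starts the sign-in, sees the number on their own screen and
    reads it to the victim over the phone; the victim taps what they are told.
    Returns the approval rate."""
    hits = 0
    for _ in range(trials):
        p = start_sign_in(rng)
        number_read_out_by_attacker = p.shown_on_signin_device
        hits += approve(p, number_read_out_by_attacker)
    return hits / trials


if __name__ == "__main__":
    print("unsolicited prompt, random tap:", unsolicited_prompt_accepted(random.Random(1)))
    print("attacker reads number over phone:", phone_call_lure_accepted(random.Random(2)))
```

The only secret in the exchange is shown to the party that initiated the sign-in, which is why the prompt is an anti-fatigue control and not a phishing control.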
| rvnx wrote:
| It would be better if Google would react more strongly to such
| attacks.
|
| -> There is a sophisticated one where you can take over an
| account via the Account Recovery flow, that is still actively
| abused; tried to report, got "not a bug, triaging as abuse risk"
| arccy wrote:
| unless they think they own important.g.co, they've just walked past
| some glaring red flags; it doesn't even mention their domain in
| the email.
| do_not_redeem wrote:
| As usual this started with an incoming phone call. If you ever
| receive a phone call from a tech company, it's a scam. The caller
| ID doesn't matter. The caller's accent (wtf) doesn't matter
| either. It's a scam.
| ripped_britches wrote:
| Not if you're an app developer on their platform, they make
| outbound calls to you. I'm sure there are other situations as
| well.
| do_not_redeem wrote:
| If the consequences for letting that call go to voicemail are
| any less severe than full account takeover by a script
| kiddie, you're still better off never picking up.
|
| Google in particular is famous for making it impossible to
| contact a human. If Google calls you, before picking up,
| consider whether you truly believe you're lucky enough to be
| one of a handful of people in the world to ever get human
| support from them.
| lolinder wrote:
| You still always assume an incoming call is a scam no matter
| what. Hang up, look up, call back, in that order.
|
| Very occasionally you might be making some poor customer
| support person's job harder, but the vast majority of the
| time you'll be hanging up on a scammer. You can be polite
| about it, but firm and brief. "It's my policy to always call
| back no matter what, nothing personal."
| nodamage wrote:
| For what purpose do they make these calls?
| hbn wrote:
| > The caller's accent (wtf)
|
| You don't have to pretend to be confused.
|
| The industry of Indian scam call centers is not a crazy
| conspiracy invented by racists.
| quesera wrote:
| > _The industry of Indian scam call centers was not invented
| by crazy racists._
|
| Nor was the industry of Indian legitimate call centers.
|
| You cannot glean any useful signal of legitimacy from the
| caller's accent.
|
| That's the WTF.
| moi2388 wrote:
| As if official Indian tech support is not a scam..
| quesera wrote:
| Support quality is a function of cost, which is a
| function of customer value.
|
| Low-margin businesses will hire low-cost support on
| whatever continent it's available.
| TheRealSteel wrote:
| Almost all scam calls originate in India. It's absolutely
| an indicator.
| zb3 wrote:
| However, now we have AI, so you shouldn't assume the call is
| safe if the accent matches either...
| nemothekid wrote:
| I'm not sure if it's good thing or not but I've come to consider
| that _any_ notification about a password being reset or a
| fraudulent charge is phishing unless I initiate some action.
|
| I always verify that I'm actually fucked and then take action.
| This seems counter-intuitive but the deluge of phishing emails
| makes me feel this is the safest option. I'd rather wait to
| notice a fraudulent charge and dispute it, than leak info to a
| random SMS number that claims (possibly truthfully) that someone
| in Japan spent $9000 at the gucci store.
| ronnier wrote:
| Agreed. I do not follow any links, accept calls, etc. I go to
| the site of origin and do what I need. Also be careful if you
| search for the sites name on Google, still might click a fraud
| site!
| sethops1 wrote:
| > Someone named "Chloe" called me from 650-203-0000
|
| Nope. Rule #1 in today's environment is never pick up the phone.
| If you're not expecting the call they can leave a message. And if
| it's something you think is legitimate, get the authentic number
| from a reputable source.
| renewiltord wrote:
| That's not verifying the phone number. I received a call from
| Chase about a wire. I asked them for a code so I could continue
| the conversation and then looked up the phone number on their
| website and called that and talked through reps till I got to the
| right department.
|
| Caller ID being spoofed is the wrong way to think about this.
| It's just that if someone walks up to you and says "Hey, I'm Jean
| d'Eau and I'm President of the US" you don't think to yourself
| "oh yeah he's definitely President and that's his name".
|
| People can always tell you they're whoever they want to be. You
| can either believe it or go find out if they are.
| adrr wrote:
| How did they send an email from google.com that passed DKIM and
| SPF? Thats a huge concern.
| jorams wrote:
| It's specifically a password reset email. A Google Workspace
| admin can send a password reset to any of their users, and it
| will pass DKIM and SPF. The trick here is that apparently you
| can sign up for Workspace with a g.co subdomain and, without
| verifying the domain, can trigger a password reset to be sent.
| layman51 wrote:
| I'm still a bit confused around how they sent him the email.
| Maybe they added him to the Google Workspace as a member?
| jorams wrote:
| Yeah they did. They added his email as a secondary email to
| a Google Workspace user account, with the plus-address-
| suffix including a "Case ID". Then they reset the password
| of the user account, triggering this notification.
| layman51 wrote:
| This is the same type of phishing attack described here[1]. It's
| still surprising to me how the SPF, DKIM, and DMARC all pass. If
| I remember correctly, it's because they actually have a clever
| way of getting Google to send an email to you by sharing a Google
| Form with you or something like that.
|
| [1]: https://news.ycombinator.com/item?id=42450221
| 0xDEAFBEAD wrote:
| Yep. Look at the screenshot. It seems they managed to trigger
| one of Google's standard password reset emails.
| ArkaneMoose wrote:
| Based on the text at the bottom of the gist:
|
| > Hack Clubbers have determined that this is almost definitely
| a bug in Google Workspace where you can create a new Workspace
| with any g.co subdomain and get it to send some emails without
| verifying that you own the domain.
|
| Seems like this is the flow:
|
| 1. Create a Google Workspace with a g.co subdomain. Apparently
| this is not verified, or verifying the domain is not necessary
| for the next steps.
|
| 2. Create an account for the victim under this Google
| Workspace.
|
| 3. Reset that account's password.
|
| The victim gets an email from Google Workspace informing them
| that their password was reset. And this email is a real,
| legitimate (not spoofed) email from Google because it's just a
| result of the normal password reset process for a Google
| Workspace account.
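Added example, not code from the gist or from Google, covering the point jorams and ArkaneMoose make above: the notification is a genuine Google message (SPF, DKIM and DMARC all pass), so the sender checks cannot clear it; the attacker-controlled parts are the "case ID" packed into the recipient's plus-address and the Workspace domain the notice is about. The triage below parses a raw message, reports the authentication verdicts, and flags those two fields against the list of Workspace domains the reader actually belongs to. The two messages are constructed to resemble the lure and a benign reset notice; the exact header layout of a real Workspace notification is an assumption.

```python
"""Triage a Google-authenticated "password changed" notice for the Workspace
plus-address lure. Added example; headers below are constructed, not real."""
import email
import re
from email import policy

# Words an attacker would plant in the '+' suffix so the address line itself
# reads like a support ticket; a long digit run is treated the same way.
LURE_WORDS = re.compile(r"case|ticket|ref|support|security", re.I)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def auth_verdicts(msg):
    """{method: result} parsed from Authentication-Results, e.g. {'spf': 'pass'}."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def plus_tags(msg):
    """Every To/Cc recipient carrying a '+suffix', as (local_part, suffix)."""
    tags = []
    for name in ("To", "Cc"):
        hdr = msg.get(name)
        if hdr is None:
            continue
        for addr in hdr.addresses:
            base, plus, tag = addr.username.partition("+")
            if plus:
                tags.append((base, tag))
    return tags


def analyze_notification(raw, my_domains):
    """Return authentication verdicts and findings for one raw RFC 5322 message.

    my_domains: Workspace domains the reader administers or has an account
    under. A genuine Google notice about an attacker-created account passes
    SPF/DKIM/DMARC, so the verdicts are reported but never clear the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdicts = auth_verdicts(msg)
    authenticated = all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    findings = []
    for _base, tag in plus_tags(msg):
        if LURE_WORDS.search(tag) or re.search(r"\d{4,}", tag):
            findings.append(f"recipient plus-tag carries attacker-chosen text: +{tag}")
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    mentioned = {d.lower() for d in DOMAIN_RE.findall(text)}
    foreign = sorted(d for d in mentioned if d not in my_domains and d != "google.com")
    if foreign:
        findings.append("notice is about a Workspace domain you do not belong to: "
                        + ", ".join(foreign))
    return {"authenticated": authenticated, "verdicts": verdicts,
            "findings": findings, "verdict": "lure" if findings else "plausible"}


# Constructed sample resembling the lure: only the recipient tag and the
# named domain are attacker-controlled; everything else is Google's template.
LURE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=google.com; \
dkim=pass header.d=google.com; dmarc=pass header.from=google.com
From: Google Workspace <workspace-noreply@google.com>
To: victim+GoogleSupportCaseID0000000@gmail.com
Subject: Your password for important.g.co was reset
Content-Type: text/plain; charset="utf-8"

Your Google Workspace administrator for important.g.co has reset your password.
"""

# Constructed sample of a benign reset notice for a domain the reader owns.
BENIGN = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=google.com; \
dkim=pass header.d=google.com; dmarc=pass header.from=google.com
From: Google Workspace <workspace-noreply@google.com>
To: admin@example.org
Subject: Your password for example.org was reset
Content-Type: text/plain; charset="utf-8"

Your Google Workspace administrator for example.org has reset your password.
"""

if __name__ == "__main__":
    print(analyze_notification(LURE, {"example.org"}))
    print(analyze_notification(BENIGN, {"example.org"}))
```

The design point is that "authenticated" and "verdict" are independent outputs: the lure scores a full pass on every sender check and is still classified as a lure from fields the attacker chose.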
| yread wrote:
| The business/answers page with the number is about calls from
| Google Assistant and (now?) explicitly says it's not about calls
| from the support. That would be this page
|
| https://support.google.com/business/answer/6212928?hl=en
|
| Disappointingly, it only says how to identify automated calls
| from Google, it doesn't offer a protocol for verifying actual
| humans from Google calling you. Perhaps it happens so rarely you
| can just assume it's not Google.
| internetter wrote:
| To all the people criticizing OP, 5 million people are victims of
| phishing attacks every year. This attack is more sophisticated
| than 99.99% of them. Cut OP some slack.
| quickthrowman wrote:
| > I asked if I could call back a phone number listed on
| Google.com and she said sure - this number is listed on
| google.com and you can call back with your case number, but
| there may be a wait on hold and I might get a different agent.
| I googled it and sure enough, it was listed on google.com
| pages. _I didn 't call back though._
|
| Emphasis mine.
|
| Also, if a human called me and claimed to be working for
| Google, I would laugh heartily and hang up the phone. Google
| doesn't even have call in tech support, why would they call
| _you_ for something as banal as a compromised account?
| superq wrote:
| Admitting one mistake doesn't moot the whole incident, nor
| does it take Google off the hook.
| internetter wrote:
| Again, 5 million people fall for phishing. This attack was
| magnitudes more sophisticated than most. I still get the
| occasional Nigerian prince scam. They still send them because
| it still works. Not all of the people who fall for this are
| stupid. Surely you've made mistakes before.
| nejsjsjsbsb wrote:
| I agree. Easy to Monday morning quarterback opsec but we're
| human and the best fall for stuff all the time.
|
| A non tech person wouldn't know Google has bad support and is
| unlikely to call you, that a number and email can be spoofed,
| etc. And even if 99% didn't fall for it, just 100 calls gets
| the scammer a victim on average.
| throwpoaster wrote:
| URL shorteners are a massive security hazard.
| gruez wrote:
| Maybe, but in this particular case the attack has nothing to do
| with url shortening. The essential elements were google
| assistant (to spoof caller ID), and google workspace (to send
| the "case" email).
| hombre_fatal wrote:
| The biggest scare I've gotten is somehow ending up on
| "colnbase.com" (instead of "coinbase.com").
|
| It's defunct now, but at the time it was a 1:1 replica of
| Coinbase. And the only reason I noticed was because 1Password
| didn't offer to fill in my credentials.
|
| While knowing someone's email/password combo might not be enough
| for an attacker to do anything malicious on Coinbase itself (due
| to email re-verification maybe), the point is that even the
| smartest of us Hacker News users can fall for it. And that should
| scare the rest of us.
| gleenn wrote:
| So so true. 1Password refusing to auto fill a password has
| saved me multiple times in the past! Also, one of my friends
| has a PhD in literally rocket science (aeronautical engineering
| from MIT) and got scammed by someone who stole his brother's
| SIM card and did some shenanigans. No one is safe, no matter
| how smart or tech savvy you think you are! For the less tech
| savvy folks, I understand why they are scared, it's hard to
| give them even general tips to not lose the farm to fraudsters.
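Added example, not 1Password's code, showing why a password manager declining to fill is a phishing signal as hombre_fatal and gleenn describe above: the manager matches the page's origin against the site the credential was saved for, and colnbase.com is simply a different registrable domain from coinbase.com. The public-suffix table and the confusables map are tiny stand-ins (real managers use the Public Suffix List and much larger confusables data); the https-only rule is this example's choice.

```python
"""Origin matching for autofill, plus a lookalike check for a brand watchlist.
Added example; suffix table and confusables map are assumed stand-ins."""
from urllib.parse import urlsplit

MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}         # stand-in for the PSL
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}   # stand-in, assumed


def registrable_domain(host):
    """eTLD+1 of a hostname, e.g. www.coinbase.com -> coinbase.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def should_autofill(page_url, saved_for):
    """Fill only on an https page whose registrable domain equals the
    credential's. A lookalike, a brand name used as a subdomain of some
    other site, and a plain-http page all fail this check."""
    u = urlsplit(page_url)
    if u.scheme != "https" or not u.hostname:
        return False
    return registrable_domain(u.hostname) == registrable_domain(saved_for)


def levenshtein(a, b):
    """Edit distance; a single substitution turns 'coinbase' into 'colnbase'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _fold(label):
    """Collapse visually confusable sequences so c0inbase folds to coinbase."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def lookalike_of(host, watchlist):
    """Return the watchlisted brand domain that `host` imitates, or None.
    The genuine domain is never reported as a lookalike of itself."""
    dom = registrable_domain(host)
    if dom in watchlist:
        return None
    label = dom.split(".")[0]
    for brand in watchlist:
        blabel = brand.split(".")[0]
        if _fold(label) == _fold(blabel) or levenshtein(label, blabel) <= 1:
            return brand
    return None


if __name__ == "__main__":
    for url in ("https://www.coinbase.com/signin", "https://colnbase.com/signin"):
        print(url, "fill" if should_autofill(url, "coinbase.com") else "refuse",
              lookalike_of(urlsplit(url).hostname, ["coinbase.com"]))
```

Exact-origin matching is what makes the manager a reliable tripwire: it has no notion of "looks like coinbase", so a pixel-perfect clone on a one-letter-off domain gets no credentials. The lookalike check is the extra step a security team would run over newly observed domains, not something the fill decision should ever depend on.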
| ElijahLynn wrote:
| How is call spoofing allowed by telcos? Is it a technical
| limitation that lets this happen?
___________________________________________________________________
(page generated 2025-01-24 23:00 UTC)