- Apr 11, 2024
The original news I saw was from Cybersecurity news, but the content source, by the original author, has more details.
cybersecuritynews.com

Google’s Subdomain 'g.co' Hacked – A Tricky Phone Call Lets Hackers Access Your Google Account Remotely
Cybercriminals recently exploited Google’s g.co subdomain to carry out a meticulously crafted scam over vishing call.

Summary:
Zach Latta recounts a phishing attempt targeting his Google account. He received a call from "Chloe," who claimed to be from Google Workspace, alerting him to unauthorized access from Frankfurt, Germany. To verify her identity, she sent an email from a "workspace-noreply@google.com" address, which included a legitimate-looking subdomain, "important.g.co," with "g.co" being an official Google domain. Throughout the conversation, "Chloe" and her "manager," "Solomon," provided plausible explanations and guidance. The attackers aimed to obtain a one-time authorization from Zach, possibly to gain access to his account. The attacker eventually hung up after Zach became suspicious. Later, Zach discovered that the attackers had exploited a vulnerability in Google Workspace's domain verification, allowing them to send official-looking emails that appeared to come from Google's official address. This incident underscores the increasing sophistication of phishing attacks and the importance of vigilance, even when interactions seem legitimate.
Interesting points:
- They spoofed a Google Assistant's phone number to call Zach
- They exploited Google Workspace's “weakness” to get Google to send Zach a password reset notification email from a Google official address. SPF/DKIM/DMARC tests were useless. The email body has a Google official domain "g.co" in it.
- They sent him an Authorization notification that shows 3 numbers that he could have selected, telling him to push a specific number that they had. Zach didn't show this screen.
- They eventually sent him an SMS that, for the first time in the conversation, is “obviously” a scam, i.e., using a domain that isn't Google's.
- They exploited Google's processes and workflows that are unfamiliar to people
- Google doesn't call people about an account breach (???)
- 10-digit US phone numbers are commonly spoofed.
- The sent email subject and body were not relevant to the conversation they were having, even if this may not be obvious in real-time
- They put personal information into the email address used to send Google's official email; they couldn't arbitrarily change the subject line or the email body.
- Selecting a number to authorize transactions should result from your initiating the transaction; otherwise, you can't know what it's for.
- They didn't have detailed info on him, except commonly available info including his name, email address, phone number, and having a Google account