Google’s Subdomain ‘g.co’ "Hacked" – A Tricky Phone Call Lets Hackers Take Over Your Gmail Account
<blockquote data-quote="Wrecker4923" data-source="post: 1116491" data-attributes="member: 110877">
<p>The original news I saw was from Cybersecurity news, but the content source, by the original author, has more details.</p>
<p>[URL unfurl="true"]https://cybersecuritynews.com/googles-subdomain-g-co-hacked/[/URL]</p>
<p><span style="font-size: 18px"><strong>Summary:</strong></span></p>
<p>Zach Latta recounts a phishing attempt targeting his Google account. He received a call from "Chloe," who claimed to be from Google Workspace, alerting him to unauthorized access from Frankfurt, Germany. To verify her identity, she sent an email from a "<a href="mailto:workspace-noreply@google.com">workspace-noreply@google.com</a>" address, which included a legitimate-looking subdomain, "important.g.co," with "g.co" being an official Google domain. Throughout the conversation, "Chloe" and her "manager," "Solomon," provided plausible explanations and guidance. The attackers aimed to obtain a one-time authorization from Zach, possibly to gain access to his account. The attacker eventually hung up after Zach became suspicious. Later, Zach discovered that the attackers had exploited a vulnerability in Google Workspace's domain verification, allowing them to send official-looking emails that appeared to come from Google's official address. This incident underscores the increasing sophistication of phishing attacks and the importance of vigilance, even when interactions seem legitimate.</p>
<p><span style="font-size: 18px"><strong>Interesting points:</strong></span></p>
<ol>
<li data-xf-list-type="ol">They spoofed a Google Assistant's phone number to call Zach.</li>
<li data-xf-list-type="ol">They exploited Google Workspace's “weakness” to get Google to send Zach a password reset notification email from a Google official address. SPF/DKIM/DMARC tests were useless. The email body has a Google official domain "g.co" in it.</li>
<li data-xf-list-type="ol">They sent him an Authorization notification that shows 3 numbers that he could have selected, telling him to push a specific number that they had. Zach didn't show this screen.</li>
<li data-xf-list-type="ol">They eventually sent him an SMS that, for the first time in the conversation, is “obviously” a scam, i.e., using a domain that isn't Google's.</li>
<li data-xf-list-type="ol">They exploited Google's processes and workflows that are unfamiliar to people.</li>
</ol>
<p><strong><span style="font-size: 18px">Ways you could have caught this scam:</span></strong></p>
<ol>
<li data-xf-list-type="ol">Google doesn't call people about an account breach (???)</li>
<li data-xf-list-type="ol">10-digit US phone numbers are commonly spoofed.</li>
<li data-xf-list-type="ol">The sent email subject and body were not relevant to the conversation they were having, even if this may not be obvious in real time.</li>
<li data-xf-list-type="ol">They put personal information into the email address used to send Google's official email; they couldn't arbitrarily change the subject line or the email body.</li>
<li data-xf-list-type="ol">Selecting a number to authorize transactions should result from your initiating the transaction; otherwise, you can't know what it's for.</li>
<li data-xf-list-type="ol">They didn't have detailed info on him, except commonly available info including his name, email address, phone number, and having a Google account.</li>
</ol>
<p>I would love to hear more about how you could have spotted this scam.</p>
</blockquote>