Google says it’s now hardening defenses against a sophisticated account takeover scam documented by a programmer last week.
Zach Latta, founder of Hack Club, told of how close he was to succumbing to voice phishers who attempted to take over his Google account.
He said: “Someone just tried the most sophisticated phishing attack I’ve ever seen. I almost fell for it. My mind is a little blown.”
The scammers called Latta, who’s based in Vermont, claiming the Google Workspace team spotted an unusual login attempt from Frankfurt and that he needed to reset his account password.
The call came from 650-203-0000 (a genuine number associated with automated Google Assistant calls) and showed a “Google” caller ID. The scammer used the name Chloe and spoke with a native-sounding American accent over a crystal-clear line. Aside from the oddity of Google initiating the call, all seemed well at first.
Latta remained suspicious, though, and asked for a genuine email sent from a Google domain to confirm the authenticity of the call. That email came from an unspoofed workspace-noreply@google.com address, and when he asked whether he could call the number back, Chloe seemed unfazed and said “sure,” which was enough to stop Latta from actually doing so.
The scam started unraveling after Chloe’s manager, “Solomon,” another American-accented individual, took over the call and gave information that conflicted with what his colleague had said. What lent the call credibility was that he was able to provide the genuine 2FA number-matching code that appeared on Latta’s device.
To a non-techie, that would likely be enough to convince a victim that a genuine Google staffer was on the line, but Solomon’s encouragement to press the right number was the final red flag before Latta fully determined this was a scam.
“The thing that’s crazy is that if I followed the two ‘best practices’ of verifying the phone number and getting them to send an email to you from a legit domain, I would have been compromised,” Latta wrote.
“I understand how they were able to spoof the ‘Google’ phone call through Google Assistant, but I have no idea how they got access to important.g.co [since] g.co is a legitimate Google URL.
“[I was] literally one button press from being completely pwned. And I’m pretty technical!”
The use of g.co is crucial here. The scammer creates a Google Workspace using a g.co subdomain. g.co is a genuine Google-owned domain, and anyone can create a new Workspace on a g.co subdomain without having to verify that they own it.
The scammers then create an account for the victim within that Workspace and send a password reset email, which comes from Google itself, as is normal for a Workspace account.
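The lesson of the g.co trick is that a reset email can be completely genuine (unspoofed, sent by Google) and still concern an account the victim never created. The following added example, which is not code from The Register, Google or Latta, shows the check that actually catches this: instead of only validating the sender domain, it extracts the account domain the reset refers to and compares it against the domains the user or organisation really owns, flagging resets that land on an unverified Workspace parent such as g.co. The message format, the `OWNED_DOMAINS` set and the sample emails are constructed for illustration; a real Google notification is worded differently, so the body regex is an assumption.

```python
"""Triage an unsolicited password-reset notification.

Added example, not part of the original article. Assumes a simplified
plain-text email and a constructed body format (an assumption).
"""
from __future__ import annotations

import re
from email import message_from_string

# Domains this organisation actually controls. Constructed for the example.
OWNED_DOMAINS = {"example.com"}

# Google-owned parent domain on which, per the reported scam, anyone could
# create a Workspace subdomain without proving ownership.
UNVERIFIED_WORKSPACE_PARENTS = ("g.co",)

# Matches user@domain and captures the domain part.
ACCOUNT_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def referenced_account_domains(body: str) -> set[str]:
    """Return every domain that appears in an account-style address in the body."""
    return {m.group(1).lower() for m in ACCOUNT_RE.finditer(body)}


def under_unverified_parent(domain: str) -> bool:
    """True if the domain is (or sits under) a parent anyone can register a Workspace on."""
    return any(domain == p or domain.endswith("." + p) for p in UNVERIFIED_WORKSPACE_PARENTS)


def triage_reset_email(raw: str, user_requested_reset: bool) -> dict:
    """Decide whether a reset email deserves suspicion, regardless of who sent it."""
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    sender_domain = sender.split("@")[-1].strip("<> ").lower()
    domains = referenced_account_domains(msg.get_payload())

    reasons = []
    # Note what is deliberately NOT an indicator: a google.com sender. In the
    # Latta case the email really came from Google, so this check passes.
    sender_is_google = sender_domain == "google.com" or sender_domain.endswith(".google.com")

    for d in sorted(domains):
        if d in OWNED_DOMAINS:
            continue
        if under_unverified_parent(d):
            reasons.append(f"reset targets a Workspace on an unverified parent domain: {d}")
        else:
            reasons.append(f"reset references an account domain we do not own: {d}")
    if not user_requested_reset:
        reasons.append("reset was not requested by the user")

    return {
        "sender_domain": sender_domain,
        "sender_is_google": sender_is_google,
        "account_domains": sorted(domains),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample: a genuine-looking reset for an account in a g.co Workspace.
SAMPLE_SCAM_RESET = """From: Google Workspace <workspace-noreply@google.com>
To: victim@example.com
Subject: Reset your password

A password reset was requested for the account victim@important.g.co.
Follow the link to continue.
"""

# Constructed sample: a reset the user asked for, on a domain they own.
SAMPLE_LEGIT_RESET = """From: Google Workspace <workspace-noreply@google.com>
To: victim@example.com
Subject: Reset your password

A password reset was requested for the account victim@example.com.
Follow the link to continue.
"""

if __name__ == "__main__":
    for label, raw, requested in (("scam", SAMPLE_SCAM_RESET, False), ("legit", SAMPLE_LEGIT_RESET, True)):
        print(label, triage_reset_email(raw, requested))
```

The design point is the `sender_is_google` field: it is reported but never added to `reasons`, because in this scam the sender check passes and would only give false reassurance. The useful signal is the mismatch between the account the email is about and the accounts you know you own, plus the fact that nobody on your side asked for a reset.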
A Google spokesperson told The Register: “We’ve suspended the account behind this scam, which abused an unverified Workspace account to send these misleading emails.
“We have not seen evidence that this is a wide-scale tactic, but we are hardening our defenses against abusers leveraging g.co references at sign-up to further protect users.”
As a reminder, Google will not call users to reset their passwords or troubleshoot account issues, so feel free to treat any incoming calls as the garbage they are.
A broader issue
Some of the details of Latta’s case align with similar tales of woe, like one told by venerable infosec journalist Brian Krebs in December about a Google account takeover that led to a half-million-dollar crypto raid.
Someone purportedly from Google support called Adam Griffin from the same 650-203-0000 number but this time it was Google Forms that was abused rather than the g.co domain.
The Google Forms trick is a few years old now, but it’s still a convincing tool that will flummox many victims. It abuses a feature of Forms that lets attackers send fake emails, such as account compromise warnings purportedly from Google, from a genuine Google domain, which makes them less likely to be flagged as spam.
On the other end of the phone was an American-accented individual, just like in Latta’s case, who guided Griffin through the account recovery process. They knew when certain popups would appear in the Gmail app, for example, much as the caller in Latta’s case knew about the number-matching prompt.
Of course, both prompts were initiated by the scammers themselves, but again, these would likely be enough to convince the non-technical crowd of the call’s “authenticity.”
Similar scams are now hitting Apple users too, as Krebs noted earlier this month, and the recent cases serve as constant reminders of how important it is to educate the masses about scammers’ tradecraft.
They’re also great adverts for more modern solutions to phishing such as passkeys, the popularity of which has ballooned in the last year, with the likes of Microsoft warning that all users will eventually be forced into using them. Google is a huge proponent of them too. ®