A phishing attack involving g.co, Google's URL shortener
81 comments
· January 24, 2025 · hombre_fatal
gleenn
So so true. 1Password refusing to auto-fill a password has saved me multiple times in the past! Also, one of my friends has a PhD in literally rocket science (aeronautical engineering from MIT) and got scammed by someone who stole his brother's SIM card and did some shenanigans. No one is safe, no matter how smart or tech savvy you think you are! For the less tech savvy folks, I understand why they are scared; it's hard to give them even general tips to not lose the farm to fraudsters.
paranoidrobot
The general advice I give is:
Don't trust incoming calls, text messages or emails.
Don't trust caller ID on your phone.
If someone calls you asking for information or to do something, ask for a case ID or reference number. Hang up, then call back on a number you get from a previous bill, the back of your credit card, or by googling the company.
If anyone is pushing for something to be done urgently, stop. Hang up, don't take any action. Call a trusted other person and talk to them about it.
snypher
>by googling the company
And remember it's going to be the 4th or 5th link down, not the first.
jrib
I really wish phones would change the UI to make it more obvious that caller ID shouldn't be trusted.
hn_acc1
I know that "rocket scientist" has been a stand-in for "smart person" or "genius", but in this case, I would be more surprised if a computer security expert (various job titles) had been scammed, because it's their job to be up on this stuff.
How often does a rocket scientist deal with computer viruses, phishing emails, etc. compared to a security expert? Most of the time, their IT security expert (ideally) stops it before it gets to them.
gleenn
I may be more qualified, then: I work in fraud. I accidentally called a fake airline number to get a refund for a Delta ticket and happily gave the guy my credit card for some such fee. If requiring a credit card fee to get a refund isn't a red flag, I don't know a better one. To be fair, my sister had found the number and three-way joined me in because I was helping her buy the ticket. So an extra rule: don't even trust a phone number someone you know found, because /they/ might have been the first victim and be passing compromised information to you.
megablast
> that even the smartest of us Hacker News users
Well, ok then.
kilroy123
Extremely scary. This is way above and beyond most phishing attacks. Obviously, this guy is being targeted for some reason or another. I worry about such attacks being automated at scale with AI tools.
nemothekid
I'm not sure if it's a good thing or not, but I've come to consider that any notification about a password being reset or a fraudulent charge is phishing unless I initiated some action.
I always verify that I'm actually fucked and then take action. This seems counter-intuitive, but the deluge of phishing emails makes me feel this is the safest option. I'd rather wait to notice a fraudulent charge and dispute it than leak info to a random SMS number that claims (possibly truthfully) that someone in Japan spent $9000 at the Gucci store.
ronnier
Agreed. I do not follow any links, accept calls, etc. I go to the site of origin and do what I need. Also be careful if you search for the site's name on Google; you still might click a fraud site!
do_not_redeem
As usual this started with an incoming phone call. If you ever receive a phone call from a tech company, it's a scam. The caller ID doesn't matter. The caller's accent (wtf) doesn't matter either. It's a scam.
ripped_britches
Not if you’re an app developer on their platform, they make outbound calls to you. I’m sure there are other situations as well.
do_not_redeem
If the consequences for letting that call go to voicemail are any less severe than full account takeover by a script kiddie, you're still better off never picking up.
Google in particular is famous for making it impossible to contact a human. If Google calls you, before picking up, consider whether you truly believe you're lucky enough to be one of a handful of people in the world to ever get human support from them.
lolinder
You still always assume an incoming call is a scam no matter what. Hang up, look up, call back, in that order.
Very occasionally you might be making some poor customer support person's job harder, but the vast majority of the time you'll be hanging up on a scammer. You can be polite about it, but firm and brief. "It's my policy to always call back no matter what, nothing personal."
dawnerd
The problem is verifying which number is correct. In most cases it's pretty easy. Bank? Call the number on a debit card. Google? Good luck even finding their number.
But I do agree with you. They can leave a message and a way to contact them back if it's important, and I can take my time doing research. The urgency part is what's caught so many high profile people off guard.
nodamage
For what purpose do they make these calls?
hbn
> The caller's accent (wtf)
You don't have to pretend to be confused.
The industry of Indian scam call centers is not a crazy conspiracy invented by racists.
quesera
> The industry of Indian scam call centers was not invented by crazy racists.
Nor was the industry of Indian legitimate call centers.
You cannot glean any useful signal of legitimacy from the caller's accent.
That's the WTF.
TheRealSteel
Almost all scam calls originate in India. It's absolutely an indicator.
moi2388
As if official Indian tech support is not a scam..
zb3
However, now we have AI, so you shouldn't assume the call is safe if the accent matches either...
layman51
This is the same type of phishing attack described here[1]. It's still surprising to me how the SPF, DKIM, and DMARC all pass. If I remember correctly, it's because they actually have a clever way of getting Google to send an email to you by sharing a Google Form with you or something like that.
ArkaneMoose
Based on the text at the bottom of the gist:
> Hack Clubbers have determined that this is almost definitely a bug in Google Workspace where you can create a new Workspace with any g.co subdomain and get it to send some emails without verifying that you own the domain.
Seems like this is the flow:
1. Create a Google Workspace with a g.co subdomain. Apparently this is not verified, or verifying the domain is not necessary for the next steps.
2. Create an account for the victim under this Google Workspace.
3. Reset that account's password.
The victim gets an email from Google Workspace informing them that their password was reset. And this email is a real, legitimate (not spoofed) email from Google because it's just a result of the normal password reset process for a Google Workspace account.
ElijahLynn
We have all this verification on the Web, but not the phone. Why do telcos allow for spoofing? We wouldn't allow that with email. Is this a technical limitation that allows for spoofing?
0xDEAFBEAD
Yep. Look at the screenshot. It seems they managed to trigger one of Google's standard password reset emails.
aramsh
What's even more interesting is there are no DNS records for important.g.co, which means they have found a way to create a Google Workspace without verifying the domain but are still able to send emails like password resets.
It's definitely a glitch where you can send emails/transactional emails from an unverified Google Workspace. My guess is that there are protections for google.com and Google domains but they forgot to add the g.co domain, which allows unverified sending to g.co and creation of workspaces.
pavel_lishin
I know it's easy to second-guess someone after they've explained that they're describing a scam, but:
> The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.
He didn't follow the first of those best practices. He just looked up a phone number that the caller also read out to him, and didn't call it. And "Solomon" also explicitly told him he couldn't call.
I honestly think that at this point, no incoming phone call can ever be trusted.
lolinder
I don't even know where the idea that those are the best practices came from.
The phone number best practice has always been constructed as "call them back at a known good number, preferably one written on paper or on your card". You certainly don't ask them to show you where on the company website the phone number is listed.
And asking the person on the phone with you to send you an email from a specific domain is likewise not something I've ever seen recommended: that's one of several things you check to see if an email is phishing (And only one of several! A good domain isn't enough to clear an email!) But if you're already on the phone with someone suspicious, the best practice has always been to get off the phone with them immediately and call a known number, not to ask the caller to prove themselves.
None of this is to blame OP for misunderstanding, it's just very clear that we need to do better at communicating these rules out to the world.
superq
But, if it is listed on the company website, then..
But you're right: simply say "given that this is a sensitive security matter, thank you for the heads up. Don't call me, I'll call you (click)"
bryanrasmussen
>But, if it is listed on the company website, then..
I'm sorry, I'm going to have to call you, instead of you calling me.
Of course, the company phone number is right in the footer of the website.
-- goes to open website from last email sent from company, goes to colnbase.com.
numbsafari
> no incoming phone call can ever be trusted.
They can't. And they haven't been for a while. Spoofing phone calls is simply too easy, and nothing is being done to fix that, despite the fact that it puts so many of us at risk. It's not an insurmountable problem, technologically. It is literally a lack of will and outcry from ordinary people, despite how often this fact is used to abuse so many.
Credit card companies have known this for a long time. My credit card company will call and say "do not call back to this number, call the number on the back of your card and use this reference number".
That should absolutely be the norm at this point.
BobaFloutist
Telecoms know if a number is spoofed or not. All I want is for them to wholesale steal the original Twitter "verified" check, and use it to confirm that a call is not spoofed.
HeatrayEnjoyer
The originating provider knows, but do providers downstream know? If AT&T receives a call from $MadagascarPhoneCorp who indicates the call is officially from $IndiaPhoneCorp, can AT&T trust that?
jrib
They should also display something indicating it is not verified when it is not.
umanwizard
My iPhone (on Verizon) already does this.
ksala_
I'd argue the second one was not followed either. Maybe I'm misunderstanding the article, but I would not take a random "your password has changed" as proof. I would need the caller to send me an actual email from their personal work email address (or ticket system?) with some actual, human communications in it.
gm678
What I'm most curious about is how they were able to spoof the email being sent from `workspace-noreply@google.com`. Given the odd phrasing of 'password for important.g.co', perhaps this is some strategy involving creating a 'parallel' account with the same email and making use of it to send an official-looking email as part of the scam?
zerocrates
Most likely they did something like sign up for "important.g.co" in Workspace, then added the target as a user, then reset that user's password, causing Google to send a real, verified, from-Google message.
They can't control the contents of the message, but they used the gmail "+" feature to cram the "case ID" onto the target email they created the Workspace account for, making that seem real.
markerz
But how did they MITM the verification code? Were the first two presented to the attacker, and the rest presented to the email? Or were they able to MITM the whole email/code and just shared the first two to gain trust?
Spoom
This sounds like they were using the "tap a button on your device" 2FA method (see https://support.google.com/accounts/answer/7026266). Not sure of the details as to how they got to that page in the first place, though the docs say that you can potentially use it to recover your account.
Never trust an incoming call, especially if it's talking about authentication problems you didn't know you had.
Googler, opinions my own (and I'm not an expert in this particular space).
renewiltord
When you use a device to do 2FA, Google will display one code on the logging in device screen and three on the 2FA screen. This is so that the user doesn't just blindly hit accept on the Gmail/YouTube app that hosts the 2FA prompt.
rvnx
It would be better if Google would react more strongly to such attacks.
-> There is a sophisticated one where you can take over an account via the Account Recovery flow, that is still actively abused; tried to report, got "not a bug, triaging as abuse risk"
blevinstein
Sounds really similar to my experience a few months ago. I commented here about it.
https://www.reddit.com/r/googleworkspace/s/NtJpputXtg
There was something in Google Workspace that allowed the scammers to have an email sent to them, AND an additional one of their choice. But when I asked about calling them back, I was told that wasn't possible, which made me suspicious.
sethops1
> Someone named "Chloe" called me from 650-203-0000
Nope. Rule #1 in today's environment is never pick up the phone. If you're not expecting the call they can leave a message. And if it's something you think is legitimate, get the authentic number from a reputable source.
adrr
How did they send an email from google.com that passed DKIM and SPF? That's a huge concern.
jorams
It's specifically a password reset email. A Google Workspace admin can send a password reset to any of their users, and it will pass DKIM and SPF. The trick here is that apparently you can sign up for Workspace with a g.co subdomain and, without verifying the domain, can trigger a password reset to be sent.
layman51
I'm still a bit confused about how they sent him the email. Maybe they added him to the Google Workspace as a member?
jorams
Yeah they did. They added his email as a secondary email to a Google Workspace user account, with the plus-address-suffix including a "Case ID". Then they reset the password of the user account, triggering this notification.
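The mechanism described in the two explanations above (a genuine Google-sent reset notice that passes SPF/DKIM/DMARC, with the "Case ID" crammed into a plus-address suffix), as an added triage example that is not from the thread or from Google; the sample mail, the receiving host mx.example.net and the set of domains the recipient actually uses are constructed assumptions:

```python
"""Added example (not from the thread): triage a Workspace password-reset
notice that passes SPF/DKIM/DMARC. Because Google really sent it, the
authentication verdicts carry no signal; the giveaways are the plus-suffix
stuffed into the recipient address and a Workspace domain the recipient
never signed up on. Sample mail and the known-domain set are constructed."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample modelled on the notice described in the thread.
SCAM_NOTICE = """\
Authentication-Results: mx.example.net; dkim=pass header.i=@google.com; spf=pass smtp.mailfrom=google.com; dmarc=pass header.from=google.com
From: Google Workspace <workspace-noreply@google.com>
To: victim+CaseID-0000000@gmail.com
Subject: Your password for important.g.co was changed

An administrator reset the password for your important.g.co account.
"""
# Constructed benign notice: same sender, about a domain the recipient uses.
NORMAL_NOTICE = SCAM_NOTICE.replace("+CaseID-0000000", "").replace("important.g.co", "gmail.com")
# Workspace domains this recipient actually holds accounts on (assumed).
KNOWN_WORKSPACE_DOMAINS = {"gmail.com"}


def auth_results(msg):
    """Map each mechanism in Authentication-Results to its verdict."""
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def plus_suffix(addr):
    """Return the '+tag' of the recipient's local-part, or None if absent."""
    local = parseaddr(addr)[1].split("@")[0]
    return local.split("+", 1)[1] if "+" in local else None


def triage(raw):
    """Return {'authenticated': bool, 'findings': [str], 'verdict': str}."""
    msg = message_from_string(raw, policy=default)
    authenticated = all(auth_results(msg).get(m) == "pass" for m in ("dkim", "spf", "dmarc"))
    findings = []
    tag = plus_suffix(msg["To"])
    if tag and re.search(r"case|id|\d{4,}", tag, re.I):
        # Whoever added the recipient to the Workspace chose this text.
        findings.append(f"attacker-chosen plus-suffix in recipient: {tag}")
    for domain in set(re.findall(r"\b[\w-]+(?:\.[\w-]+)+\b", msg["Subject"] or "")):
        if domain not in KNOWN_WORKSPACE_DOMAINS:
            # Genuine mail, but about an account the recipient never created.
            findings.append(f"notice concerns unknown Workspace domain: {domain}")
    return {"authenticated": authenticated, "findings": findings, "verdict": "suspicious" if findings else "ok"}
```

Both samples authenticate identically; only the recipient tag and the unfamiliar domain separate them, which is why "it passed DKIM" is the wrong question to ask about this notice.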
The biggest scare I've gotten is somehow ending up on "colnbase.com" (instead of "coinbase.com").
It's defunct now, but at the time it was a 1:1 replica of Coinbase. And the only reason I noticed was because 1Password didn't offer to fill in my credentials.
While knowing someone's email/password combo might not be enough for an attacker to do anything malicious on Coinbase itself (due to email re-verification maybe), the point is that even the smartest of us Hacker News users can fall for it. And that should scare the rest of us.