
An ultra "sophisticated" cyber attack forces Google to strengthen its security

Zach Latta, a programmer at Google, found himself in the crosshairs of cybercriminals adept at phishing. As he explains in a post published on GitHub, he was the target of the most sophisticated phishing attack that he has "ever seen". The computer scientist almost fell for it.

It all starts when a young woman, who calls herself Chloe, makes a phone call to the programmer. The call comes from the phone number 650-203-0000, which is used by Google Assistant for automated calls, including for booking appointments in the United States. On the other end of the line, she pretends to be an employee of Google Workspace, a suite of cloud tools and services developed by Google for businesses, schools and organizations.

A well-crafted scam

She claims that someone recently tried to log into Zach Latta's account near Frankfurt, Germany, and assures him that the Google account has been temporarily locked. At that point, the programmer already had doubts about the identity of his interlocutor.

To verify her identity, he asked her to send an email from an official Google address. The so-called Chloe was able to comply, sending him an email containing a case number. The email seemed genuine in every respect: it was even sent from workspace-noreply@google.com, which made it look as though it came from Google.

In the subject line of the email, he notices the URL “g.co.” After some research, Latta realizes that “g.co” is an official Google URL, confirmed by the company itself, and that it even has its own Wikipedia page. It is used as a URL shortening service for links to Google sites and services. Here again, the hackers managed to make the trap almost imperceptible.

On the phone, Chloe asked the programmer to do a “session reset” on his device. Reluctantly, he started searching the Google Workspace logs for a login attempt from Germany. In vain. Claiming a bug, the caller hung up.

In extremis

The story doesn’t end there. Zach Latta then receives a phone call from an individual named Solomon, who presents himself as Chloe’s manager. He claims that the developer's account is “probably compromised by a Chrome ad-blocking extension that was hijacking Gmail credentials”, and asks him to log out of all devices and reset his password.

The fake manager guides Zach Latta through the password reset process, and even provides him with the two-factor authentication code sent by Google. Apparently, the hacker was able to trigger a two-factor authentication code in order to trick the target, and he encourages Latta to use it. As the programmer explains, this maneuver would have given his interlocutor full access to the account.

After realizing that it was a hacking attempt, Zach Latta began asking questions. The scammer chose to hang up, aware that he had been unmasked. According to the Google developer, it would have taken only one click for his account to be compromised.

Google forced to strengthen its defenses

Following this very convincing offensive, Google conducted an investigation. The company found that the criminals had used an "unverified Workspace account" that had been compromised "to send deceptive emails". According to Hack Clubbers researchers, the scammers also took advantage of "a flaw in Google Workspace that allows you to create a new workspace using any subdomain of g.co and send certain emails without verifying domain ownership."

As a Google spokesperson explained to TechRadar, the incident has prompted the Mountain View company to review some aspects of its security. While it found "no evidence that this was a large-scale attack", Google has strengthened "its defenses against attackers by using g.co credentials during sign-up to improve user protection."

Google will now use specific information related to g.co to strengthen security when a new user or organization signs up for Google Workspace. Until now, it was possible to create a fake Google Workspace organization using a g.co subdomain and send emails without proof of ownership. Now, Google is adding an additional check during signup to ensure that only authorized people can use these subdomains. The spokesperson also reiterates that “Google will never call you to reset your password or troubleshoot account issues.”
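The weakness and the fix described above, as an added illustration rather than Google's own code: a self-service signup that provisions a tenant for any domain at once (so a stranger can claim a subdomain of g.co and send mail that looks official), beside a hardened version that refuses subdomains of protected parents and keeps mail sending off until a keyed verification token is published in DNS. The protected-parent list, the `_ws-verify` record name, the token format and the in-memory DNS stand-in are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Added example, not Google's implementation. Models a Workspace-style signup
# with and without domain-ownership verification. The DNS layer is a
# constructed in-memory stand-in; real code would query a resolver.

# Assumption: parent domains whose subdomains must never be claimable via
# self-service signup (the article's g.co case).
PROTECTED_PARENTS = {"g.co", "google.com"}
TXT_LABEL = "_ws-verify"  # assumed name of the verification TXT record


class FakeDns:
    """Constructed stand-in for DNS TXT lookups."""

    def __init__(self):
        self.records = {}

    def publish_txt(self, name, value):
        self.records.setdefault(name.lower(), []).append(value)

    def lookup_txt(self, name):
        return self.records.get(name.lower(), [])


def normalize(domain):
    return domain.lower().rstrip(".")


def is_under_protected_parent(domain):
    # Exact match or a true subdomain (note the leading dot: "evilg.co" is not "g.co").
    d = normalize(domain)
    return any(d == p or d.endswith("." + p) for p in PROTECTED_PARENTS)


def weak_signup(domain):
    # Weak behaviour: the tenant is provisioned for any domain and may send
    # mail immediately, with no proof that the claimant controls the domain.
    return {"domain": normalize(domain), "status": "verified", "can_send_mail": True}


def issue_challenge(domain, secret_key):
    # Token bound to the domain with a keyed hash so a claimant cannot forge
    # a valid-looking record for a domain they were never challenged for.
    nonce = secrets.token_hex(8)
    msg = f"{normalize(domain)}|{nonce}".encode()
    tag = hmac.new(secret_key, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def _token_valid(domain, token, secret_key):
    try:
        nonce, tag = token.split(".", 1)
    except ValueError:
        return False
    msg = f"{normalize(domain)}|{nonce}".encode()
    expected = hmac.new(secret_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def hardened_signup(domain, dns, secret_key):
    # Hardened behaviour: reserved subdomains are rejected outright, and any
    # other domain stays "pending" (no mail) until a valid token is in DNS.
    d = normalize(domain)
    if is_under_protected_parent(d):
        return {"domain": d, "status": "rejected", "can_send_mail": False}
    txt_values = dns.lookup_txt(f"{TXT_LABEL}.{d}")
    verified = any(_token_valid(d, t, secret_key) for t in txt_values)
    return {
        "domain": d,
        "status": "verified" if verified else "pending",
        "can_send_mail": verified,
    }


if __name__ == "__main__":
    dns = FakeDns()
    key = b"constructed-server-secret"
    print(weak_signup("support.g.co"))                 # weak: accepted, can send mail
    print(hardened_signup("support.g.co", dns, key))   # hardened: rejected
    print(hardened_signup("example.org", dns, key))    # hardened: pending, no mail
    dns.publish_txt(f"{TXT_LABEL}.example.org", issue_challenge("example.org", key))
    print(hardened_signup("example.org", dns, key))    # hardened: verified
```

The two checks are independent: the protected-parent rule closes the specific g.co path, while the DNS proof is what stops the general case of sending mail for a domain the claimant does not control.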

Source: Github
