@zachlatta
Last active February 5, 2025 18:50

g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.

Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown.

  1. Someone named "Chloe" called me from 650-203-0000 with Caller ID saying "Google". She sounded like a real engineer, the connection was super clear, and she had an American accent. Screenshot.

  2. They said that they were from Google Workspace and someone had recently gained access to my account, which they had blocked. They asked me if I had recently logged in from Frankfurt, Germany and I said no.

  3. I asked if they can confirm this is Google calling by emailing me from a Google email and they said sure and sent me this email and told me to look for a case number in it, which I saw in the email string. I asked why it said important.g.co and she said it was an internal Google subnet.

[Screenshot: 2025-01-23 10:17:41 PM]

OK, so that can't be from a google.com email, right? It must be a spoofed email using g.co, which doesn't have DKIM / SPF turned on - right? Nope.

[Screenshots: 2025-01-23 10:22:51 PM and 10:24:30 PM]

You can download the original email here.

But wait - important.g.co must be an unofficial URL. This must be similar to the Google Docs phishing attack, right?

No - g.co is an official Google URL, and Google even says so! (there's also a Wikipedia)

[Screenshot: 2025-01-23 10:47:32 PM]
  1. I asked if I could call back a phone number listed on Google.com and she said sure - this number is listed on google.com and you can call back with your case number, but there may be a wait on hold and I might get a different agent. I googled it and sure enough, it was listed on google.com pages. I didn't call back though.

  2. I said OK: what do you want me to do? She said we could do the sessions reset entirely from my devices and she wouldn't need any info from me. So I said sure, let me know how to. Then I realized I should check the Google Workspace logs and didn't see any login attempts from weird IPs. I asked her where I could find the attempt they were talking about and she gave me detailed instructions and said it's strange it's not showing up, and maybe it'll show after the caches reload. She offered to transfer me to a manager. I declined.

  3. We talked further for maybe 5 minutes as I was looking through my Google Workspace logs trying to find anything, then the call dropped mid-sentence while she was talking. Then I got a call back 30 seconds later from "Solomon", her manager, saying he heard I was having trouble navigating the Google Workspace admin logs and could show me.

  4. We went back and forth, he explained the account was probably compromised through an adblocker Chrome Extension that hijacked the Gmail credentials.

  5. As we talked, he said a few things that made me more suspicious. I then asked him to show me where on Google.com I could find this phone number and he had me type out https://support.google.com/business/answer/7690269?hl=en, which sure enough has it - though it's listed under "Google Assistant". Suspicious. I asked if I could call the number back, and he said no - which differed from what "Chloe" said. Suspicious.

  6. I then said "sure, let's reset the account" to see what he wanted me to do. Then he said OK - open up Gmail on your phone and let me show you how to log out all other active devices before you reset your password so the Frankfurt computer will get logged out.

  7. He then said: OK, I just sent a reset code to you. It should pop up on your screen and say "84", and sure enough 84 was one of the 3 codes displayed. He said just tap it, then all sessions besides your phone will be signed out. That would have given him access to my account!

  8. Then I started recording the call when I was certain this was a phishing attempt. Here is the call recording for the last 7 minutes. Note: my iOS device played a recording notification to him when this started recording.

  9. He had me load up "his" LinkedIn account to verify who he was and that he worked at Google. Then he eventually sent me a super scammy 2 factor text code and hung up on me after I asked more questions about how they did this.

[Screenshots: 2025-01-23 10:31:53 PM and 10:33:01 PM]

The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.

I understand how they were able to spoof the "Google" phone call through Google Assistant, but I have no idea how they got access to important.g.co. g.co is a legitimate Google URL.

Literally 1 button press from being completely pwned. And I'm pretty technical!

– Zach


Hack Clubbers have determined that this is almost definitely a bug in Google Workspace where you can create a new Workspace with any g.co subdomain and get it to send some emails without verifying that you own the domain.

[Screenshot: 2025-01-23 10:48:50 PM]

Screenshot from @EerierGosling. Also thanks to @aramshiva, @recursiveforte, @smashmaster0045, @YodaLightsabr, and @EerierGosling for their help.

@dleslie

dleslie commented Jan 24, 2025

The first evidence that it was a scam was that you received a call from Google support. Google's lack of customer support is legendary.

@Fijxu

Fijxu commented Jan 24, 2025

The fuck

@mcbazza

mcbazza commented Jan 24, 2025

That the attacker already knew the MFA code options indicates to me that they're MitM'ing you. They got the MFA, and something (maybe like Evilginx) was relaying it to you, for you to action.
Kudos on realising, stopping, and pulling them up on it. That was a close one.

@sxpso

sxpso commented Jan 24, 2025

> That the attacker already knew the MFA code options indicates to me that they're MitM'ing you. They got the MFA, and something (maybe like Evilginx) was relaying it to you, for you to action. Kudos on realising, stopping, and pulling them up on it. That was a close one.

The additional MFA code does not necessarily show that author was MitMed - you just have to pick the same code on phone as displayed on the screen.

@mcbazza

mcbazza commented Jan 24, 2025

> > That the attacker already knew the MFA code options indicates to me that they're MitM'ing you. They got the MFA, and something (maybe like Evilginx) was relaying it to you, for you to action. Kudos on realising, stopping, and pulling them up on it. That was a close one.
>
> The additional MFA code does not necessarily show that author was MitMed - you just have to pick the same code on phone as displayed on the screen.

Sure.
See no. 9. How was 'support' telling him which MFA number to click on, unless the attacker could also see it?

@sxpso

sxpso commented Jan 24, 2025

> > > That the attacker already knew the MFA code options indicates to me that they're MitM'ing you. They got the MFA, and something (maybe like Evilginx) was relaying it to you, for you to action. Kudos on realising, stopping, and pulling them up on it. That was a close one.
> >
> > The additional MFA code does not necessarily show that author was MitMed - you just have to pick the same code on phone as displayed on the screen.
>
> Sure. See no. 9. How was 'support' telling him which MFA number to click on, unless the attacker could also see it?

[Screenshot: attacker-side view of the sign-in prompt]

That's attacker-side view. You simply need to press the same number out of three in total on the phone.

@mcbazza

mcbazza commented Jan 24, 2025

> That's attacker-side view. You simply need to press the same number out of three in total on the phone.

Thanks. I've had an ADHD reading comprehension fail. I've somehow assumed that Zach is using a computer+phone screen. I see now it's just phone. And therefore it's the attacker generating the login + MFA request, Zach with the phone (where the MFA is received).
Apologies + thanks.

@sbrawner

> The first evidence that it was a scam was that you received a call from Google support. Google's lack of customer support is legendary.

LMAO

@Cambi0nn

Cambi0nn commented Jan 24, 2025

Sadly, the g.co thing has been a known issue for a while, including that it's used in phishing.

> The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.

The following is not to blame you, phishing is getting worse and worse and even the most simple phishing is getting hits from the best at times. I'm simply typing the following to inform anyone reading this.

You did miss 3 of the most important best practices. Check the mail for suspicious things, always verify by contacting the subject using a different known contact method that you typed yourself, and when anything is needed to check or change: go to the website yourself and login there to do it yourself.

  1. The fact that the recovery mail is using a + alias to add a case number is really weird and should raise red flags.

  2. If you had called the number in the second step 3 it would've been clear they never contacted you. And then you would've already skipped the "other" part of it. Using urgency (like telling you how your account is in danger now) and/or discouraging "there may be a wait on hold and I might get a different agent" is a method often used to prevent people from doing this. If you had done it entirely correctly and contacted their customer support through their website, it would've likely taken a bit longer but they'd have told you they didn't contact you as well.

  3. And if you are still worried or even just slightly in doubt, or it takes some time to verify and you simply don't want to take the risks, always simply login to the account and change password and MFA there manually. Never recover stuff through unsolicited contacts from a support team.

@zodman

zodman commented Jan 24, 2025

point this text to callcenter scammer hunters like perogui from payback and nanobiter

@EmosewaMC

> The first evidence that it was a scam was that you received a call from Google support. Google's lack of customer support is legendary.

this comment should be more than enough for everyone to know its a scam from the phone call 🤣

@and-sanford

and-sanford commented Jan 24, 2025

Looking at this closer, I don't think g[.]co is compromised. Instead, I think: The attackers knew your password and, to gain persistent access, needed you to approve an MFA request.

To make it more closely aligned, it seems they:

  1. Submitted a Google Workspace support ticket with the name "Chloe Google Case ID G287687". "Chloe" and the case ID closely match the phone call and lure in the SMS. You can only submit these support tickets if you're logged into your G Admin account, so I hypothesize your account was already compromised to some extent
  2. Abused Google's booking assistant AI to make the call seem legitimate. They then handed you off to the "manager", who had you approve the MFA request.

If my hypothesis is correct, some key takeaways are:

  1. If possible, use phishing-resistant MFA
  2. Consider using a separate account for G Workspace admin activity than your main account (in this case, zach@zachlatta[.]com)
  3. We should all be aware that Google's booking AI assistant can, apparently, be misused by phishers.

ETA: thank you for sharing so many details and the raw email! This is all really helpful

@calebAtIspot

> Hack Clubbers have determined that this is almost definitely a bug in Google Workspace where you can create a new Workspace with any g.co subdomain and get it to send some emails without verifying that you own the domain.

Is google aware of this bug?

@and-sanford

I didn’t explicitly mention this in my earlier post:

in the raw email, important.g[.]co does not obscure a hyperlink to anywhere. It just takes you to that subdomain, which does not load. This means g[.]co is not part of this social engineering attempt, except for contributing to a more convincing pretext.

@SaphireLattice

From what I understand, that whole part is user controllable (or in this case, attacker) display name.

And... maybe there's some kind of parsing in gmail that turns it into a hyperlink? Because I am not sure password reset emails actually have that link

So someone just created a workspace with that domain as a name, and did a password reset flow?

Like, any time someone "from google" or "from apple" tries to verify they are "legit" by doing a password reset... ehhhhhh, pull another one.
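The check that the gist and the comments above keep circling (the message passed SPF/DKIM, yet "important.g.co" was a display name rather than the sending domain) can be automated. The script below is an added example written for this page, not code from the gist, from Hack Club or from Google. It parses a constructed message whose headers imitate the shape of the lure described above (the addresses, the DKIM selector and the receiving host are invented) and reports what the Authentication-Results header actually proves versus what the display name suggests.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample modelled on the lure described in the gist: a message that
# really did leave the sender domain's infrastructure, but whose *display name*
# is a hostname. Every header value here is invented; this is not the gist's email.
LURE_EML = b"""\
From: "important.g.co" <workspace-noreply@google.com>
To: victim@example.com
Subject: Reset your Google Workspace password
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=workspace-noreply@google.com;
 dkim=pass header.i=@google.com header.s=20230601;
 dmarc=pass (p=REJECT) header.from=google.com
Date: Thu, 23 Jan 2025 22:00:00 -0800

A password reset was requested for your account.
"""

# Constructed control: same infrastructure, ordinary display name.
BENIGN_EML = LURE_EML.replace(b'"important.g.co"', b'"Google Workspace"')

HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
DKIM_DOMAIN_RE = re.compile(r"header\.(?:i=@|d=)([\w.-]+)", re.IGNORECASE)


def parse_auth_results(value: str) -> dict:
    """Extract spf/dkim/dmarc verdicts and the DKIM signing domain from an
    Authentication-Results header whose folding whitespace is already collapsed."""
    verdicts = {k.lower(): v.lower() for k, v in AUTH_RE.findall(value)}
    m = DKIM_DOMAIN_RE.search(value)
    verdicts["dkim_domain"] = m.group(1).lower() if m else ""
    return verdicts


def analyze(raw: bytes) -> dict:
    """Report what the authentication headers prove and which lure patterns are present."""
    msg = message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    name = name.strip()
    from_domain = addr.rpartition("@")[2].lower()
    auth_hdr = " ".join(str(msg.get("Authentication-Results", "")).split())
    auth = parse_auth_results(auth_hdr)

    flags = []
    # A hostname-shaped display name that differs from the real domain is the lure.
    if HOSTNAME_RE.match(name) and name.lower() != from_domain:
        flags.append("display-name-looks-like-domain")
    # DKIM vouches for the signing domain; it must align with the From address domain.
    if auth.get("dkim") == "pass" and auth.get("dkim_domain") not in ("", from_domain):
        flags.append("dkim-domain-not-aligned")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            flags.append(f"{mech}-not-pass")

    # A passing DMARC establishes origin (the domain after the @), not the sender's
    # intent and not anything about the text in front of the angle brackets.
    proves = (f"sent through {from_domain}'s authorised mail path"
              if auth.get("dmarc") == "pass" else "nothing about origin")
    return {"display_name": name, "from_domain": from_domain,
            "auth": auth, "flags": flags, "proves": proves}


if __name__ == "__main__":
    for label, raw in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        r = analyze(raw)
        print(f"{label}: name={r['display_name']!r} domain={r['from_domain']} "
              f"proves={r['proves']} flags={r['flags']}")
```

To run it on the real message, pass the bytes of the downloaded .eml to analyze(). The takeaway is the one and-sanford and SaphireLattice make: spf/dkim/dmarc=pass vouch only for the domain after the @, so a hostname-shaped display name on an otherwise legitimate message is the red flag, not a reason to trust it.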

@ddolcimascolo

Interesting read. Thanks for sharing

@philipwhiuk

philipwhiuk commented Jan 24, 2025

You're supposed to actually call back on the number. That's the 'number verification'. Not just "they can read and fake the official support number". You actually call back on the number.
You have no idea who you are actually talking to when someone calls you.

@neontuna

I spoke to "Solomon" a few weeks ago, definitely the same guy. I hate to say that the accent (or lack thereof) is what made me trust them initially.

@pvater

pvater commented Jan 24, 2025

interesting. although how is g.co "compromised"? it doesn't seem to play any relevant part in the scam.

@hackerb9

> I spoke to "Solomon" a few weeks ago, definitely the same guy. I hate to say that the accent (or lack thereof) is what made me trust them initially.

It's an unconscious bias that a lot of us are going to have to admit or risk getting fooled in the future -- if we haven't already. I wonder how many people fell for it and still don't know that that wasn't Google who called them. I suspect Solomon and co. are not the type to make it obvious that you've been had.

So, @neontuna, any guesses why they targeted you? Are you an admin for a large corporation?

@n8cha

n8cha commented Jan 24, 2025

@and-sanford Thanks for the detailed breakdown! I had a question about the Google Assistant abuse.

To confirm my understanding, are you suggesting that the phishers did the following?

  1. Made a fake Google Business Profile that uses Zach's phone number as the business's phone number.
  2. Used the Google Assistant as a "customer" would and asked it to call the fake business, which looked like a call from +1-650-203-0000 to Zach.

> Customers who find your business using Google Search, Maps or Assistant can ask Assistant to call you on their behalf, for tasks like booking an appointment or checking the wait time for a table at a restaurant.

Now that I type this out, I'm guessing step #1 would've required some sort of phone number verification, though ...

@krekr

krekr commented Jan 24, 2025

> > That's attacker-side view. You simply need to press the same number out of three in total on the phone.
>
> Thanks. I've had an ADHD reading comprehension fail. I've somehow assumed that Zach is using a computer+phone screen. I see now it's just phone. And therefore it's the attacker generating the login + MFA request, Zach with the phone (where the MFA is received). Apologies + thanks.

I had the same but I actually feel it’s bad UX: it feeds the confidence in believing the attacker is legit because they see the same info as on your screen. Especially in a high-stress situation like this.
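To make the point from the sxpso/mcbazza exchange and krekr's UX remark concrete (no MitM is needed: the number is shown to whoever started the sign-in, and the tap approves that session), here is an added model of a number-matching prompt. It is illustrative code written for this page, not Google's implementation; the class names, the two-digit number space and the decoy count of two are assumptions chosen to mirror the three-option prompt in the screenshots.

```python
import random
from dataclasses import dataclass


@dataclass
class SignInAttempt:
    """A browser session that has passed the password step and awaits the phone tap."""
    session_id: str        # identifies the browser that started the sign-in
    correct_number: int    # displayed in that browser
    shown_on_phone: list   # correct number plus decoys, pushed to the owner's phone
    approved: bool = False


class IdentityProvider:
    """Toy model of a 'tap the matching number' prompt (assumed shape, not Google's code).

    After the password, the IdP picks a two-digit number, displays it in the browser
    that started the sign-in, and pushes that number plus decoys to the account
    owner's phone. Tapping the matching number approves *that browser session*,
    whoever is sitting at it.
    """

    def __init__(self, decoys=2, rng=None):
        self.decoys = decoys
        self.rng = rng or random.Random()
        self.attempts = {}

    def start(self, session_id, password_ok):
        if not password_ok:
            raise PermissionError("password step failed")
        correct = self.rng.randrange(100)
        candidates = {correct}
        while len(candidates) < self.decoys + 1:
            candidates.add(self.rng.randrange(100))
        shown = list(candidates)
        self.rng.shuffle(shown)
        attempt = SignInAttempt(session_id, correct, shown)
        self.attempts[session_id] = attempt
        return attempt

    def phone_tap(self, session_id, tapped):
        """Entered from the phone; it binds to the pending session, not to the phone."""
        attempt = self.attempts[session_id]
        if tapped == attempt.correct_number:
            attempt.approved = True
        return attempt.approved


def voice_relay_attack(idp):
    """Attacker already has the password and is talking to the victim by phone."""
    # The IdP shows the number to the attacker, because the attacker's browser started it.
    attempt = idp.start("attacker-browser", password_ok=True)
    number_attacker_sees = attempt.correct_number
    assert number_attacker_sees in attempt.shown_on_phone   # same number is on the victim's phone
    # The attacker reads it aloud ("it should say 84"); the victim taps it.
    return idp.phone_tap("attacker-browser", number_attacker_sees)   # True: attacker is signed in


def wrong_tap_is_rejected(idp):
    """A tap on any decoy leaves the session unapproved."""
    attempt = idp.start("some-browser", password_ok=True)
    decoy = next(n for n in attempt.shown_on_phone if n != attempt.correct_number)
    return not idp.phone_tap("some-browser", decoy)


def accidental_tap_odds(decoys):
    """Chance that a random tap on an unexpected prompt approves it: 1/(decoys+1)."""
    return 1 / (decoys + 1)


if __name__ == "__main__":
    idp = IdentityProvider(rng=random.Random(1))
    print("voice relay succeeds:", voice_relay_attack(idp))   # True
    print("decoy tap rejected:", wrong_tap_is_rejected(idp))  # True
    print("random tap odds, 2 decoys:", accidental_tap_odds(2))
```

The model shows why the prompt alone cannot tell a relayed sign-in from the owner's own: the only secret is the number, and the attacker is the party it is shown to. More decoys (Red-Plasma's suggestion further down) only lower the odds of an accidental approval; they do nothing against a caller reading the number out loud.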


@neontuna

> > I spoke to "Solomon" a few weeks ago, definitely the same guy. I hate to say that the accent (or lack thereof) is what made me trust them initially.
>
> It's an unconscious bias that a lot of us are going to have to admit or risk getting fooled in the future -- if we haven't already. I wonder how many people fell for it and still don't know that that wasn't Google who called them. I suspect Solomon and co. are not the type to make it obvious that you've been had.
>
> So, @neontuna, any guesses why they targeted you? Are you an admin for a large corporation?

I am the admin for a small workspace, but from what I remember they were trying to get into my personal account. Maybe just due to age? Account has been around for a while.

@femdiya

femdiya commented Jan 25, 2025

This was really interesting.

@heyarviind

They did a lot of research for a scam. People without technical knowledge will fall very easily for this.

@paulschreiber

paulschreiber commented Jan 25, 2025

Get some Yubikeys and enable Advanced Protection. Don't use phishable MFA.

@schlangens

Thanks for sharing! Great read.

@rubyFeedback

heyarviind wrote:

> People without technical knowledge will fall very easily for this.

I agree that this targets mostly non-tech savvy people, but even more tech-savvy people may fall victim.

After I wake up, my brain is not fully "active" yet and I tend to do stupid things, not paying attention or paying less attention. So I tend to make more mistakes early; and also when I am very tired and sleepy, so we should also keep in mind that smart people do silly mistakes. Some people accidentally put their keys in github repositories too. To err is human, even for people who think they are very clever - even if they are not the primary target group for phishers and scammers usually.

@Red-Plasma

You should have asked them to send you an RCS text for verification.

The scammer can not own Google's authentic number ....... Stay safe and always ask a lot of questions... scammers hate questions.
RCS

And also... the 3-option code is not strong.
Increase it to 8.
