News: 1737997275

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Google takes action after coder reports 'most sophisticated attack I've ever seen'

(2025/01/27)


Google says it's now hardening defenses against a sophisticated account takeover scam documented by a programmer last week.

Zach Latta, founder of Hack Club, told of how close he was to succumbing to voice phishers who attempted to take over his Google account.

He said: "Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown."

[1]

The scammers called Latta, who's based in Vermont, USA, claiming the Google Workspace team spotted an unusual login attempt from Frankfurt and that he needed to reset his account password.

[2]

[3]

The call came from 650-203-0000 (a genuine number associated with automated Google Assistant calls) and a "Google" caller ID. The scammer used the name Chloe and spoke with a native American accent over a crystal clear-sounding line. Aside from Google making the call initially, all seemed well at first.

Latta remained suspicious though and asked for a genuine email sent from a Google domain to confirm the authenticity of the call. That email came from an unspoofed [4]workspace-noreply@google.com address and even after asking if he could call the number back, Chloe seemed unfazed and said "sure," although that was enough to prevent Latta from actually doing so.

[5]

The scam started unraveling after Chloe's manager, "Solomon," another American accented individual, took over the call and gave information that conflicted with that given by his colleague. One saving grace was that he was able to provide the genuine [6]2FA number-matching code that appeared on Latta's device.

To a non-techie, that would likely be enough to convince a victim that it was a genuine Google staffer on the line, but Solomon's encouragement to press the right number was the final red flag before fully determining this was a scam.

"The thing that's crazy is that if I followed the two 'best practices' of verifying the phone number and getting them to send an email to you from a legit domain, I would have been compromised," Latta [7]wrote .

[8]

"I understand how they were able to spoof the 'Google' phone call through Google Assistant, but I have no idea how they got access to important.g.co [since] g.co is a legitimate Google URL.

"[I was] literally one button press from being completely pwned. And I'm pretty technical!"

The use of g.co is crucial here. The scammer creates a Google Workspace using a g.co subdomain. G.co is a genuine Google subdomain and anyone can create a new Workspace using a g.co subdomain without having to verify that they own it.

The scammers then create an account for the victim using the Workspace and send a password reset email which comes from Google itself as is normal for a Workspace account.

A Google spokesperson told The Register : "We've suspended the account behind this scam, which abused an unverified Workspace account to send these misleading emails.

"We have not seen evidence that this is a wide-scale tactic, but we are hardening our defenses against abusers leveraging g.co references at sign-up to further protect users."

As a reminder, Google will not call users to reset their passwords or troubleshoot account issues, so feel free to treat any incoming calls as the garbage they are.

A broader issue

Some of the details of Latta's case align with similar tales of woe, like one told by venerable infosec journalist Brian Krebs in December about a Google account takeover that led to a [9]half-million-dollar crypto raid .

[10]CDNs: Great for speeding up the internet, bad for location privacy

[11]Microsoft won't let customers opt out of passkey push

[12]Will passkeys ever replace passwords? Can they?

[13]Microsoft disarms push notification bombers with number matching in Authenticator

Someone purportedly from Google support called Adam Griffin from the same 650-203-0000 number but this time it was Google Forms that was abused rather than the g.co domain.

The Google Forms trick is a few years old now, but it's still a convincing tool that will flummox many victims. It abuses a feature of Forms that allows attackers to send fake emails such as account compromise warnings from Google, but from a genuine Google domain that's more likely to not get picked up as spam.

On the other end of the phone was an American-accented individual, just like in Latta's case, who was able to guide Griffin through the account recovery process. They knew when certain popups would appear in the Gmail app, for example, also like in Latta's case with the number matching.

Of course, both were initiated by the scammers themselves, but again – these would likely be enough to convince the non-technical crowd of the call's "authenticity."

Similar scams are also hitting Apple users now too, as Krebs [14]noted earlier this month, and the recent cases serve as constant reminders of how important it is to educate the masses about scammers' tradecraft.

They're also great adverts for more modern solutions to phishing such as [15]passkeys , the popularity of which has ballooned in the last year with the likes of Microsoft warning all users will [16]eventually be forced into using them . Likewise, Google is a [17]huge proponent of them too. ®

Get our [18]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z5gQDf9jyF4FcyWCI7W09AAAAEU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z5gQDf9jyF4FcyWCI7W09AAAAEU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z5gQDf9jyF4FcyWCI7W09AAAAEU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] mailto:workspace-noreply@google.com

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z5gQDf9jyF4FcyWCI7W09AAAAEU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2023/05/09/microsoft_authenticator_number_matching/

[7] https://gist.github.com/zachlatta/f86317493654b550c689dc6509973aa4

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z5gQDf9jyF4FcyWCI7W09AAAAEU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad-click/

[10] https://www.theregister.com/2025/01/27/cloudflare_cdn_location_data/

[11] https://www.theregister.com/2024/12/18/microsoft_passkey_push/

[12] https://www.theregister.com/2024/11/17/passkeys_passwords/

[13] https://www.theregister.com/2023/05/09/microsoft_authenticator_number_matching/

[14] https://krebsonsecurity.com/2025/01/a-day-in-the-life-of-a-prolific-voice-phishing-crew/

[15] https://www.theregister.com/2024/11/17/passkeys_passwords/

[16] https://www.theregister.com/2024/12/18/microsoft_passkey_push/

[17] https://www.theregister.com/2024/05/02/microsoft_google_passkeys/

[18] https://whitepapers.theregister.com/



Interesting

Pascal Monett

Some truly up-to-date scum, there. Worth paying attention to.

As for passkeys, they're a brilliant idea until your device is stolen/broken.

Then what do you do to recover you account ?

A password is easy to replace. My biometric data, or the private key stored on the phone I just dropped into water, is not.

Re: Interesting

ecarlseen

I agree - passkeys are about half a notch better than passwords, but are hardly the panacea they're promoted as.

They can still be stolen by end-device compromise

They're still vulnerable to every reset scam because 99% of end-users can't tell the difference.

They still leave all of the session cookies and whatnot vulnerable.

Re: Interesting

Charlie Clark

And my Google Titan no longer wants to work with Firefox or Safari. Support… don't even bother. :-(

Google

find users who cut cat tail

Would not believe anyone trying to convince me Google actually has support…

I have also seen google scams

Omnipresent

i was getting hounded by google emails stating that my email account would be deactivated if I didn't log in.

One problem, the email referenced my junk mail name @ g mail. There was no such google mail.

Re: I have also seen google scams

Anonymous Coward

I get lots of these sent to email addresses associated with my Ionos (1&1) email account. Of course none of those addresses actually corresponds to a real login, they're all throwaway ones, so it's immediately obvious that the message is false.

Credit card security

Missing Semicolon

Nearly got had by a scammer pretending to be the credit card security team. They were able to provoke emails (by taking particular actions with the stolen details) so the scammer announced a mail was coming, then it arrived.

Very close call - only saved by my one-email-per-merchant trick, as the email they had was not the CC company. But still very good.

sitta_europea

I always say that if they think it's really so important they should write it down on paper, stick the paper in an envelope, and lick a postage stamp.

It never fails.

Passkeys

Missing Semicolon

When will these muppets get it? Once the key store on your phone becomes the prize, the crims will just apply their considerable resources to either cracking it, or social-engineering a way round it. Once there is a single key that opens all of your locks, that key is now worth spending considerable effort to steal.

Re: Passkeys

Anonymous Coward

Not just that does open all your locks, but will perpetually open all your locks until it's re-secured.

If they target someone looking for a job, or who announces they joined the military, or students about to graduate university and get perpetual access to a key store they've got access to the information they have from their new job. The person may get trained to not fall for phishing scams, but it's already too late.

The likes of 2FA would make this more difficult for them to pull off, but I can't imagine it's impossible to compromise that.

Re: Passkeys

Jadith

Indeed 2FA can be compromised. Take a guess how?

That's right, social engineering. I think it was an Uber employee some scammer just hounded until they approved by MFA.

I have also heard of using MitM type attacks used to srcape the one time token from the MFA and pass it on. This is mostly for bot style attacks and is mitigatable. Microsoft, of all companies, has started putting the number on the computer, that way you really do need both devices to authenticate.

How dumb can you be as a service provider?

Mike 137

" G.co is a genuine Google subdomain and anyone can create a new Workspace using a g.co subdomain without having to verify that they own it. "

How utterly, crassly insecure!

"We have not seen evidence that this is a wide-scale tactic, but we are hardening our defenses against abusers leveraging g.co references at sign-up to further protect users."

I should bloody well hope so -- it should never have been possible in the first place.

This (as usual) hardly qualifies as a 'sophisticated' attack -- someone just spotted and made use of a wide open door with a fluorescent welcome mat bearing the legend "burgle me please".

Scammers with American accents

Anonymous Coward

Scammers employing people in the USA to act as part of the scam is nothing new. Especially if it is a potentially high earning scam.

I once pulled apart the trail of a scam attempted at one of my clients. As they were on M365 I could wade through a trail of where the scammer had logged in with the compromised account. Was interesting to see the majority in Nigeria, but various email logins from USA and Canada. That one I put down to the scammer outsourcing email writing to native English speakers to avoid the classic typos.

As a scammer if you can pull of a multi-thousand pound scam it is worth the time and investment in quality staff.

Re: Scammers with American accents

OhForF'

>The scammer used the name Chloe and spoke with a native American accent<

I was impressed that Zach Latta was able to understand the navajo code talker.

Doctor Syntax

"modern solutions to phishing such as passkeys,"

Following the link to the previous article on passkeys I find "The website uses the stored public key to authenticate the user."

With scams the problem isn't the website authenticating the user, it's the user authenticating the website, emailer, caller or whatever. As another commentard said above, a one- email address per merchant helps with that. Not a complete solution but it's the starting point.

It would help greatly if is were made a criminal offence for companies to email links to login pages to customers. Any company that takes the security of its customers seriously would do that and emphasis to them that any email purporting to do so is a scam. I suppose the practical limitation to doing that voluntarily will be getting the message through to marketing. Once it's a criminal offence marketing can be told that the individual offender will carry the can.

Don't believe it if you are called

DS999

Or emailed. I don't care what the subject is, if I'm called about anything that I feel the need to act on in any way I'm going to ask for a case number and say I will be contacting them. Ideally through a web interface (I hate waiting on hold) or better yet their app if they have / I use one. OK if it is something simple like "your password has been compromised" I can reset that myself via the web/app without needing to talk to them, but other than something super simple like that I'm going to want to contact them from my end and use this case number. If they won't give me that's a huge red flag. They might able to spoof caller ID and email domains, but unless they've p0wned the company's entire system they can't create their own case number inside the company's system.

I'm surprised someone who is technically competent was almost fooled. Why would he believe Google is calling him WITH A LIVE CALLER about a possible account compromise? Do they do that in real life? If they call at all I'm willing to bet my house that it is an automated recording, probably without any way to interrupt the call and be sent to a live agent. How big of a call center would Google need if they were calling people individually every time they see a login from an unexpected location?

RHAPSODY in Glue!