Fragment of correspondence with the scammers / Zach Latta
Zach Latta, programmer and founder of the Hack Club community, reported an attempt to hijack his account in which the attackers used real Google data.
The fraudsters managed to call the victim from the Google phone number listed on the official support site and then send an email from the official subdomain. It is unclear how the attackers could have gained access to Google’s data.
The woman, who introduced herself as Chloe, called Latta from the number 650-203-0000 with a caller ID of «Google». As the support page states, Google Assistant uses this number to make automated calls, for example to make restaurant reservations or check wait times.
«She spoke like a real engineer, the connection was extremely clear, and she had an American accent», says the programmer.
The scammers, posing as Google Workspace support, warned that they had blocked Latta’s account because someone had logged in from Frankfurt. Latta immediately suspected a fraud attempt and asked for confirmation by email.
Surprisingly, the hackers replied «yes» and sent an email from the real g.co subdomain, which belongs to Google. The email, which was indistinguishable from the real thing, showed no signs of spoofing and passed DKIM, SPF, and DMARC (email authentication protocols that check email for spoofing and phishing attacks). According to Google, g.co is an official subdomain intended «only for Google» websites.
«You can be sure that it will always take you to a Google product or service», the domain page says.
The scammers explained that the account had probably been hacked through a Chrome extension. They had prepared fake LinkedIn profiles as proof that they worked for Google. «Chloe» tried to get the victim to provide one of the three numbers that appeared on his phone, which would have reset his account and given them access to it.
«The crazy thing is that if I had followed two «best practices»: verify the phone number + make them send you an email from a legitimate domain, I would have been compromised», Latta writes.
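The email paragraph and Latta's «best practices» remark make the same point: SPF, DKIM and DMARC passing only prove which domain sent a message, not that its request is legitimate. The following triage helper is an added example, not code from the article; it parses a constructed message whose Authentication-Results header and body are assumed for illustration, and keeps the "origin verified" signal separate from the "asks for a verification code" signal that should decide the outcome.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not the message Latta received: the Authentication-Results
# header is what the receiving mail server adds after its own SPF/DKIM/DMARC checks.
SAMPLE_RAW = """From: Google Workspace Support <support@g.co>
Subject: Account security alert
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=g.co;
 dkim=pass header.d=g.co header.s=20230601;
 dmarc=pass (p=REJECT) header.from=g.co

Your account was accessed from Frankfurt. Read back the code on your phone.
"""

def parse_authentication_results(value):
    """Map each method (spf/dkim/dmarc) to (result, {property: value})."""
    value = re.sub(r"\([^)]*\)", "", value)      # drop human-readable comments
    results = {}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        parts = clause.split()
        if parts and "=" in parts[0]:
            method, result = parts[0].split("=", 1)
            props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
            results[method.lower()] = (result.lower(), props)
    return results

def assess(raw_message):
    """Separate what authentication proves (origin domain) from what it cannot (intent)."""
    msg = message_from_string(raw_message)
    auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    dkim_domain = auth.get("dkim", ("", {}))[1].get("header.d", "").lower()
    origin_verified = (
        all(auth.get(m, ("fail", {}))[0] == "pass" for m in ("spf", "dkim", "dmarc"))
        and dkim_domain == from_domain   # DKIM-signed domain must be the visible sender
    )
    # Decisive signal: a provider never needs the code or prompt shown on your phone.
    body = msg.get_payload().lower()
    asks_for_code = any(k in body for k in ("code", "prompt", "your phone"))
    if asks_for_code:
        verdict = "hostile: asks for a verification code, regardless of verified origin"
    elif origin_verified:
        verdict = "origin verified: confirm the request in the account security page"
    else:
        verdict = "unauthenticated or sender domain mismatch"
    return {"origin_domain": from_domain, "origin_verified": origin_verified,
            "asks_for_code": asks_for_code, "verdict": verdict}
```

Run `assess(SAMPLE_RAW)` to see both flags set at once: the origin is genuinely g.co, and the message is still hostile.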
Zach Latta published all the evidence, including a recording of the conversation, once he was convinced it was a fraud. Google has not yet publicly commented on the case; Cybernews has contacted the company for comment.
It is unclear how the fraudsters could have gained access to important Google features and subdomains. Commentators speculate that the attackers may have obtained some Google account data that partially gives them access to the features, but they still need to bypass multi-factor authentication to hijack accounts.