Google takes action after coder reports 'most sophisticated attack I've ever seen'

Google says it's now hardening defenses against a sophisticated account takeover scam documented by a programmer last week. Zach Latta, founder of Hack Club, told of how close he was to succumbing to voice phishers who attempted to take over his Google account. He said: "Someone just tried the most sophisticated phishing …

  1. Pascal Monett Silver badge

    Interesting

    Some truly up-to-date scum, there. Worth paying attention to.

    As for passkeys, they're a brilliant idea until your device is stolen/broken.

    Then what do you do to recover your account?

    A password is easy to replace. My biometric data, or the private key stored on the phone I just dropped into water, is not.

    1. ecarlseen

      Re: Interesting

      I agree - passkeys are about half a notch better than passwords, but are hardly the panacea they're promoted as.

      They can still be stolen by end-device compromise

      They're still vulnerable to every reset scam because 99% of end-users can't tell the difference.

      They still leave all of the session cookies and whatnot vulnerable.

    2. Charlie Clark Silver badge

      Re: Interesting

      And my Google Titan no longer wants to work with Firefox or Safari. Support… don't even bother. :-(

    3. mpi

      Re: Interesting

      Passkeys are not promoted because they are better than passwords.

      Passkeys are promoted because they give the corporations that control people's and companies' digital existence even more control over said digital existence.

  2. find users who cut cat tail

    Google

    Would not believe anyone trying to convince me Google actually has support…

  3. Omnipresent Silver badge

    I have also seen Google scams

    I was getting hounded by Google emails stating that my email account would be deactivated if I didn't log in.

    One problem: the email referenced my junk mail name @ g mail. There was no such Google mail.

    1. Anonymous Coward

      Re: I have also seen Google scams

      I get lots of these sent to email addresses associated with my Ionos (1&1) email account. Of course none of those addresses actually corresponds to a real login, they're all throwaway ones, so it's immediately obvious that the message is false.

  4. Missing Semicolon Silver badge

    Credit card security

    Nearly got had by a scammer pretending to be the credit card security team. They were able to provoke emails (by taking particular actions with the stolen details) so the scammer announced a mail was coming, then it arrived.

    Very close call - only saved by my one-email-per-merchant trick, as the email they had was not the CC company. But still very good.

  5. sitta_europea Silver badge

    I always say that if they think it's really so important they should write it down on paper, stick the paper in an envelope, and lick a postage stamp.

    It never fails.

  6. Missing Semicolon Silver badge

    Passkeys

    When will these muppets get it? Once the key store on your phone becomes the prize, the crims will just apply their considerable resources to either cracking it, or social-engineering a way round it. Once there is a single key that opens all of your locks, that key is now worth spending considerable effort to steal.

    1. Anonymous Coward

      Re: Passkeys

      Not just that it does open all your locks, but it will perpetually open all your locks until it's re-secured.

      If they target someone looking for a job, or who announces they joined the military, or students about to graduate university, and get perpetual access to a key store, they've got access to the information they have from their new job. The person may get trained to not fall for phishing scams, but it's already too late.

      The likes of 2FA would make this more difficult for them to pull off, but I can't imagine it's impossible to compromise that.

      1. Jadith

        Re: Passkeys

        Indeed 2FA can be compromised. Take a guess how?

        That's right, social engineering. I think it was an Uber employee some scammer just hounded until they approved the MFA.

        I have also heard of MitM type attacks being used to scrape the one time token from the MFA and pass it on. This is mostly for bot style attacks and is mitigatable. Microsoft, of all companies, has started putting the number on the computer, that way you really do need both devices to authenticate.

        1. Anonymous Coward

          Re: Passkeys

          Every single phishing email that has been reported to our helpdesk in the last year is able to intercept Microsoft's Authenticator app MFA, no matter the configuration.

          There are 2 options for phishing protection with o365:

          1. Make passkeys mandatory. Not possible if you have users on Apple devices, because Microsoft applications on Mac/iOS use the wrong type of webview for the authentication popup so do not support passkeys.

          2. Require all devices to be enrolled into Azure and restrict logins to enrolled devices. This means either a company owned device or, for BYOD, you install the company portal app and give it control of your device, which only one organisation can do. Oh, and you need to buy a more expensive license for every user to use this "feature".

          One of our clients has a lot of contractors. The only thing you can do is tell them to look at the address bar before entering their MFA code; how well do you think that works?

          We have a technique for reducing risk. Geo-restrictions. It only works because the phishers haven't bothered working around it. If anyone wants to travel they must contact the helpdesk so we can whitelist the destination country.

          When we rolled this out to our biggest client it lasted about a week before we were told to remove it. A short while later the person in charge got a phone call from the finance director asking about this hush hush don't tell anyone just transfer the money request they had just sent them... When we told them it was sent by someone who had been logged in to their account for about 2 weeks, the geo-restrictions got reinstated.
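The geo-restriction described in the comment above, as an added example that is not the commenter's or any vendor's code: a check over constructed sign-in records that allows only home-country logins plus helpdesk-registered travel windows per user, and lists the sign-ins it would have blocked (the foreign session that ran for two weeks in the comment is the case it catches). The record format, users and country codes are assumptions.

```python
"""Geo-restriction check over constructed sign-in records (added example)."""
from datetime import datetime, timezone

HOME_COUNTRIES = {"GB"}  # where the organisation normally signs in from

# Helpdesk travel whitelist: user -> list of (country, window start, window end).
# Constructed sample data; an entry is what the helpdesk adds when a user
# says they are travelling.
TRAVEL_EXCEPTIONS = {
    "alice@example.com": [
        ("FR", datetime(2024, 3, 1, tzinfo=timezone.utc),
               datetime(2024, 3, 8, tzinfo=timezone.utc)),
    ],
}

# Constructed sign-in lines, one per login: "user|ISO-8601 UTC time|country code".
SAMPLE_SIGNINS = """\
alice@example.com|2024-03-02T09:15:00+00:00|FR
alice@example.com|2024-03-12T22:41:00+00:00|FR
bob@example.com|2024-03-03T03:02:00+00:00|NG
bob@example.com|2024-03-03T08:30:00+00:00|GB
"""


def is_allowed(user, when, country):
    """Allow home-country logins, or a whitelisted country inside its travel window."""
    if country in HOME_COUNTRIES:
        return True
    for exc_country, start, end in TRAVEL_EXCEPTIONS.get(user, []):
        if exc_country == country and start <= when <= end:
            return True
    return False


def blocked_signins(log_text):
    """Return (user, timestamp, country) for each sign-in the policy would reject."""
    blocked = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, ts, country = line.strip().split("|")
        when = datetime.fromisoformat(ts)
        if not is_allowed(user, when, country):
            blocked.append((user, ts, country))
    return blocked


if __name__ == "__main__":
    for rec in blocked_signins(SAMPLE_SIGNINS):
        print("BLOCKED", *rec)
```

Alice's second French login falls outside her travel window and is rejected, as is Bob's login from outside the home country; a policy like this blocks the session rather than only reporting it.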

  7. Mike 137 Silver badge

    How dumb can you be as a service provider?

    "G.co is a genuine Google subdomain and anyone can create a new Workspace using a g.co subdomain without having to verify that they own it."

    How utterly, crassly insecure!

    "We have not seen evidence that this is a wide-scale tactic, but we are hardening our defenses against abusers leveraging g.co references at sign-up to further protect users."

    I should bloody well hope so -- it should never have been possible in the first place.

    This (as usual) hardly qualifies as a 'sophisticated' attack -- someone just spotted and made use of a wide open door with a fluorescent welcome mat bearing the legend "burgle me please".

  8. Anonymous Coward

    Scammers with American accents

    Scammers employing people in the USA to act as part of the scam is nothing new. Especially if it is a potentially high earning scam.

    I once pulled apart the trail of a scam attempted at one of my clients. As they were on M365 I could wade through a trail of where the scammer had logged in with the compromised account. Was interesting to see the majority in Nigeria, but various email logins from USA and Canada. That one I put down to the scammer outsourcing email writing to native English speakers to avoid the classic typos.

    As a scammer, if you can pull off a multi-thousand pound scam it is worth the time and investment in quality staff.

    1. OhForF' Silver badge

      Re: Scammers with American accents

      >The scammer used the name Chloe and spoke with a native American accent<

      I was impressed that Zach Latta was able to understand the Navajo code talker.

      1. parlei

        Re: Scammers with American accents

        Duolingo had Navajo...

        (No, I don't think it goes all the way to fluency)

  9. Doctor Syntax Silver badge

    "modern solutions to phishing such as passkeys,"

    Following the link to the previous article on passkeys I find "The website uses the stored public key to authenticate the user."

    With scams the problem isn't the website authenticating the user, it's the user authenticating the website, emailer, caller or whatever. As another commentard said above, a one-email-address-per-merchant approach helps with that. Not a complete solution but it's the starting point.

    It would help greatly if it were made a criminal offence for companies to email links to login pages to customers. Any company that takes the security of its customers seriously would do that and emphasise to them that any email purporting to do so is a scam. I suppose the practical limitation to doing that voluntarily will be getting the message through to marketing. Once it's a criminal offence marketing can be told that the individual offender will carry the can.
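The one-address-per-merchant trick mentioned by Missing Semicolon and by Doctor Syntax above, as an added example that is not either commenter's code: each merchant is given its own alias, and a message arriving at an alias is flagged when its sender domain is not that merchant's (the "card security team" mail in the credit card comment is the constructed first sample). The aliases, domains and messages are all assumptions made up for the example.

```python
"""One-address-per-merchant check on an inbound message (added example)."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# alias handed to each merchant -> domain that merchant sends from.
# Constructed sample mapping; the real list is whatever aliases you gave out.
ALIAS_MERCHANTS = {
    "card-xyz@example.net": "cardissuer.example",
    "shop-abc@example.net": "shop.example",
}

# Constructed raw messages. The first is the pattern from the comments: a
# "card security" mail addressed to the card alias but sent from elsewhere.
SCAM_MSG = """\
From: "Card Security Team" <security@not-the-bank.example>
To: card-xyz@example.net
Subject: Urgent: confirm a recent transaction

Please call the number in this email immediately.
"""

GENUINE_MSG = """\
From: Statements <noreply@mail.cardissuer.example>
To: card-xyz@example.net
Subject: Your statement is available

Log in through the app to view it.
"""


def sender_domain(msg):
    """Domain part of the From header, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify(raw):
    """'expected' if a merchant alias was contacted from that merchant's domain,
    'mismatch' if from any other domain, 'unknown-alias' if no known alias was used."""
    msg = message_from_string(raw)
    sender = sender_domain(msg)
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    for _, addr in getaddresses(recipients):
        merchant = ALIAS_MERCHANTS.get(addr.lower())
        if merchant is None:
            continue
        ok = sender == merchant or sender.endswith("." + merchant)
        return "expected" if ok else "mismatch"
    return "unknown-alias"
```

The check reads only the From header, which is not authenticated unless SPF, DKIM and DMARC also pass on the message, so treat it as the starting point the comment describes rather than a complete filter.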

    1. Mike007 Silver badge

      Every month my bank sends me an email that says my statement is available, with the instructions to access it being to click a link...

      Then the footer of the email has some generic nonsense some lawyer said to put there, that none of the staff have ever read because it isn't relevant to anything, with some claim about how they will never ask a customer to click a link in an email.

      However it isn't as bad as it used to be. It used to be "click here to view your statement", now it is at least "open our banking app to view your statement, or you can click here".

  10. DS999 Silver badge

    Don't believe it if you are called

    Or emailed. I don't care what the subject is, if I'm called about anything that I feel the need to act on in any way I'm going to ask for a case number and say I will be contacting them. Ideally through a web interface (I hate waiting on hold) or better yet their app if they have / I use one. OK, if it is something simple like "your password has been compromised" I can reset that myself via the web/app without needing to talk to them, but other than something super simple like that I'm going to want to contact them from my end and use this case number. If they won't give me that, that's a huge red flag. They might be able to spoof caller ID and email domains, but unless they've p0wned the company's entire system they can't create their own case number inside the company's system.

    I'm surprised someone who is technically competent was almost fooled. Why would he believe Google is calling him WITH A LIVE CALLER about a possible account compromise? Do they do that in real life? If they call at all I'm willing to bet my house that it is an automated recording, probably without any way to interrupt the call and be sent to a live agent. How big of a call center would Google need if they were calling people individually every time they see a login from an unexpected location?

    1. Phil Koenig Bronze badge

      Re: Don't believe it if you are called

      Why would he believe Google is calling him WITH A LIVE CALLER about a possible account compromise? Do they do that in real life?

      Excellent point.

      Google in particular is so completely averse to using human representatives for ANYTHING that you are forced to deal with endless web forms, chatbots, email robots and so on to get a resolution on almost ANY service they provide!

      Google hiring actual humans to make outgoing VOICE calls to people?? That's hilarious!

      1. Androgynous Cupboard Silver badge

        Re: Don't believe it if you are called

        Clearly someone that doesn't pay for Google Advertising. They're always pestering to call for an "account review", presumably to help us revise our spend upwards.

      2. Anonymous Coward

        Re: Don't believe it if you are called

        Indeed - I was amused at this in the article

        "As a reminder, Google will not call users to reset their passwords or troubleshoot account issues, so feel free to treat any incoming calls as the garbage they are."

        Anyone who has had major issues with Google will know that it is virtually impossible to speak to a person, so especially an "out of the blue" call would set the alarm klaxons ringing..

        At a place I worked for* we had major issues with some Google services. The only way I was able to speak to a technically competent Google employee was via the help of a friend (who worked at Google and was able to chase up that team on my behalf; sadly that friend is now deceased). I'm not in a role that's heavily invested in Google services these days, so I've not had need to try and actually speak to a Googler for a long time.

        * hence anon

    2. Doctor Syntax Silver badge

      Re: Don't believe it if you are called

      " Why would he believe Google is calling him WITH A LIVE CALLER about a possible account compromise? Do they do that in real life?"

      I'm told Microsoft do it frequently. Unfortunately I've never received such a call. BT did call once, very interesting seeing as I have BT on my CV...

  11. Anonymous Coward

    “The scammers called Latta”

    Massive red flag right there.

    END

    1. John Robson Silver badge

      Re: “The scammers called Latta”

      Possible exception:

      If I get a call from my bank which says "We need to talk with you about X, please drop into a branch or call us back using the number on the back of your debit card".

      At that point I'll probably call them back... But it will be a call back, not a continuation of the incoming call. And note that they've not given me a phone number, just said where I can find one.

      1. Doctor Syntax Silver badge

        Re: “The scammers called Latta”

        "drop into a branch"

        That's a reason for suspicion. If a branch can be found the staff are seriously disempowered.

      2. Mike007 Silver badge

        Re: “The scammers called Latta”

        I have had calls from companies where the person calling genuinely seemed confused about the fact that I wasn't willing to give them the answers to the "secret questions" to hijack my account so that they could tell me what they were calling about. And when I called back using the phone number on their website, they turned out to be genuine calls.

        One company confirmed that "we did try to call you, but apparently you refused to cooperate"... That is how they documented it on their system. And the person who answered when I called back thought my behaviour was bad enough to actually phrase it that way in a "naughty you" tone of voice.

        1. John Robson Silver badge

          Re: “The scammers called Latta”

          They should add a note to your file that if you *do* start providing answers then they've got the wrong person.

  12. FrogsAndChips Silver badge

    Can someone explain

    How the scammers had access to the reset code that appeared on the victim's screen? Either it was coming from Google and they shouldn't see it, or it was a bogus notification sent by the scammers but then how would it enable them to take control of the account?

  13. Anonymous Coward

    Another security issue with Google

    AMP third party pages (Google News) are served from google.com, so I disabled JS for google.com for security. But recently Google Search would not work without JS.

  14. Joe Gurman

    One takeaway from this…

    …is simply to have nothing to do with Google. I abjured that particular demon and all its minions some years back, and will not do business with any person or outfit that hides behind them.
