- A new phishing scam has targeted a Google programmer
- The attack was alarming, and Google has tightened its defenses in response
- Don't know how to spot a phishing scam? Follow our advice
A new ultra-realistic phishing scam reported by a Google programmer should make many of us a little uncomfortable.
Zach Latta warned in a recent blog post: "Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown."
Starting with a phone call from a caller ID reading "Google", this phishing attempt was enough to bring a Google programmer to within one button press of disaster. Here is what we know so far.
A convincing story
On the other end of Latta's phone call, which came from a real number associated with Google Assistant calls, was a "Google engineer" called Chloe.
The line was "super clear", Latta noted, the scammer had an American accent and claimed to be calling from Google Workspace, asking whether he had recently tried to log in to his account from Frankfurt, Germany.
From there, the programmer asked whether "Chloe" could confirm this by sending an email from an official Google address. Worryingly, the scammer obliged and sent Latta a very official-looking email with a case number.
Not only was the email sent, it came from the address "workspace-noreply@google.com" and linked to "important.g.co" for a password reset, which the attacker claimed was an internal Google subnet. This matters, because a mismatched or suspicious sender domain is one of the warning signs our own phishing advice flags as serious, and here there was none to find.
But g.co is an official Google URL, confirmed by Google and with its own Wikipedia page. Latta, as a technology worker, knew to check the phone number, so he googled it, and was even encouraged to do so by the scammer, who advised him to quote his case number if he called back. The number is listed on google.com pages, which was enough to reassure Latta.
The scammer then encouraged Latta to carry out a "session reset" on his device, which set off alarm bells for the programmer. The scam's first stumble came when Latta checked his Google Workspace logs himself and, of course, found no suspicious activity.
Once pressed, the scam began to unravel, with the attacker transferring the call to a "manager" who also urged Latta to sign out of all devices and reset his password. Alarmingly, the scammer was able to trigger a genuine MFA code being sent to Latta which, had he entered it, would have given the attackers access to his account. The code was real because the attacker was driving a real Google reset flow, not a fake one, so the authenticity of the code proved nothing about who was on the phone.
Fortunately, Latta spotted the red flags, and by this stage was already suspicious enough not to compromise his account, but the scammer came close, Latta admitted.
"Literally one button press from being completely pwned. And I'm quite technical!"
This particular attack prompted a response from Google.
"We suspended the account behind this scam, which abused an unverified Workspace account to send these misleading emails," a Google spokesperson told TechRadar Pro.
"We have not seen evidence that this is a wide-scale tactic, but we are hardening our defenses against abusers leveraging g.co references at sign-up to further protect users."
Google also reiterated: "Google will not call you to reset your password or troubleshoot account issues."
The news follows a trend of cybercriminals deploying smarter and more frequent attacks, partly enabled by the advent of AI. This particular scam got around MFA and used a legitimate Google domain, so even the most tech-savvy among us should be on the lookout.
The escalation of phishing attacks
What is concerning about this particular scam is that it found ways around some of the classic telltale signs of a scam. As Latta said,
"What's crazy is that if I followed the 2 'best practices' of verifying the phone number + getting them to send an email from a legit domain, I would have been compromised."
Verifying the legitimacy of the email and the phone number is roughly the first recommendation for any unexpected communication, and it remains good advice, but it will clearly only filter out attacks less sophisticated than this one. Note the caveat this case exposes: a sender address on google.com and a link under g.co were both genuine, because the attacker had a Workspace account issued by Google itself, so a legitimate domain is evidence about the infrastructure, not about the intent of the person using it. If you don't know exactly what a phishing attack is, we have put together an explainer.
That said, remaining suspicious of all unsolicited communications, especially those urging immediate action, is really the best defense against phishing attacks.
To put it bluntly, you are unlikely to be important enough for Google to be worried enough to call you about your personal email account, so be wary of anyone who contacts you out of the blue.
A Google spokesperson said: "As a reminder, Google will not call users to reset their passwords or troubleshoot account issues, so feel free to treat any such incoming calls as the garbage they are."
Look for the obvious markers, such as poor spelling or grammar, and be aware of which organizations already know your name; it is unlikely that your bank will open an email with "Dear customer".
At the same time, avoid clicking email links from people you don't know, and don't scan unsolicited QR codes either. If you want more detail, take a look at our complete guide to phishing and how to stop it.
Another layer of defense against scams is to use the best identity theft protection, which can help if you do accidentally click on the wrong thing.