The biggest scare I've gotten is somehow ending up on "colnbase.com" (instead of "coinbase.com").
It's defunct now, but at the time it was a 1:1 replica of Coinbase. And the only reason I noticed was because 1Password didn't offer to fill in my credentials.
While knowing someone's email/password combo might not be enough for an attacker to do anything malicious on Coinbase itself (due to email re-verification maybe), the point is that even the smartest of us Hacker News users can fall for it. And that should scare the rest of us.
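The detail that saved the commenter, a password manager staying silent on a lookalike domain, is worth seeing in code. This is an added example, not 1Password's code or anything from this thread: a vault entry is bound to an exact registrable domain, credentials are offered only on an exact match, and a near-miss domain is reported instead of filled. The vault contents and the lookalike URLs are constructed.

```python
# Added example: why a password manager's silence on a lookalike domain is
# a phishing signal. Not 1Password's code; vault contents are constructed.
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault: entry name -> registrable domain it was saved for.
VAULT = {
    "Coinbase": "coinbase.com",
    "Example Bank": "bank.example",
}


def registrable_domain(url: str) -> Optional[str]:
    """Reduce a URL to the domain a vault entry is keyed on.

    Simplification: the last two host labels. A real manager consults the
    Public Suffix List so that hosts such as 'shop.co.uk' are handled.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used only to explain a non-match to the user."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def credentials_for(url: str) -> list:
    """Entries to offer on this page: exact domain equality, nothing fuzzier.

    Substring, prefix or 'looks similar' matching is deliberately absent;
    that strictness is what makes a missing fill prompt meaningful.
    """
    dom = registrable_domain(url)
    return [name for name, saved in VAULT.items() if saved == dom]


def lookalike_warnings(url: str, max_edits: int = 1) -> list:
    """Saved domains within max_edits edits of the page domain but not equal
    to it. An empty list means nothing to say; a non-empty list is the
    moment to stop and re-read the address bar."""
    dom = registrable_domain(url)
    if dom is None:
        return []
    return [
        f"{dom} resembles saved site {saved} ({name}) but is not it"
        for name, saved in VAULT.items()
        if saved != dom and edit_distance(saved, dom) <= max_edits
    ]


if __name__ == "__main__":
    for page in ("https://www.coinbase.com/signin",
                 "https://colnbase.com/signin",            # constructed lookalike
                 "https://coinbase.com.login.example/"):   # subdomain trick
        print(page, credentials_for(page), lookalike_warnings(page))
```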
So so true. 1Password refusing to auto fill a password has saved me multiple times in the past! Also, one of my friends has a PhD in literally rocket science (aeronautical engineering from MIT) and got scammed by someone who stole his brother's SIM card and did some shenanigans. No one is safe, no matter how smart or tech savvy you think you are! For the less tech savvy folks, I understand why they are scared, it's hard to give them even general tips to not lose the farm to fraudsters.
I nearly lost an account because I assumed that 1Password was just being dumb not offering to auto-fill credentials. Turns out I'm the dumb one for doubting it.
Now if 1Password shows nothing to auto-fill I make damn sure I'm on the right site.
> the only reason I noticed was because 1Password didn't offer to fill in my credentials.
Nice, I always hope this will save me but I never landed on such a phishing site. How did it happen for you?
About domain-based autofills, perhaps less so now than 5-10 years ago: it always seemed weird that the whole security industry seemed to say these plugins, or the browser's built-in password store, are dangerous because there were past vulnerabilities and any website you visit can exploit it. The way I see it: vulns get fixed, I just need to not be in the 1st wave of persons they target (risk type: plane crash, very small odds but sucks to be you); receiving phishing emails or messages happens constantly and apparently it works well enough to continue doing it and evading filters constantly (risk type: car crash, can happen and they get only the creds for the website being autofilled). Would recommend to anyone who then realises something is up when the autofill doesn't work, but ideally would have more evidence to back that up
One of the worst parts of using a password manager is that apps and websites don’t by default share their credentials. I could totally see me getting caught by a shady link to a website of an app that I use but because I’ve never logged into the website, 1Password makes me search for it.
My friend was not as smart as you, and religiously typed their password on a fake Amazon website link clicked from an SMS promising a refund on a recent purchase. They stopped only when it asked for a 2FA code, because there was no 2FA set up.
> The biggest scare I've gotten is somehow ending up on "colnbase.com" (instead of "coinbase.com").
You might want to install some browser extensions to block content. Then block all content (set to whitelist) and selectively add the sites you know.
If you end up on a new site with some amalgamation of letters that look familiar, the extension will rightfully block it and prompt you whether you want to whitelist or not. Big ole' red flag right there.
Of course it's not foolproof. It is just another layer in the strategy of defense-in-depth.
As usual this started with an incoming phone call. If you ever receive a phone call from a tech company, it's a scam. The caller ID doesn't matter. The caller's accent (wtf) doesn't matter either. It's a scam.
This is the same type of phishing attack described here[1]. It’s still surprising to me how the SPF, DKIM, and DMARC all pass. If I remember correctly, it’s because they actually have a clever way of getting Google to send an email to you by sharing a Google Form with you or something like that.
> Hack Clubbers have determined that this is almost definitely a bug in Google Workspace where you can create a new Workspace with any g.co subdomain and get it to send some emails without verifying that you own the domain.
Seems like this is the flow:
1. Create a Google Workspace with a g.co subdomain. Apparently this is not verified, or verifying the domain is not necessary for the next steps.
2. Create an account for the victim under this Google Workspace.
3. Reset that account's password.
The victim gets an email from Google Workspace informing them that their password was reset. And this email is a real, legitimate (not spoofed) email from Google because it's just a result of the normal password reset process for a Google Workspace account.
What's even more interesting is there are no DNS records for important.g.co, which means they have found a way to create a Google Workspace without verifying the domain but are still able to send emails like password resets.
It's definitely a glitch where you can send emails/transactional emails from an unverified Google Workspace. My guess is that there are protections for google.com and google domains but they forgot to add the g.co domain, which allows unverified sending to g.co and creation of workspaces.
I'm not sure if it's good thing or not but I've come to consider that any notification about a password being reset or a fraudulent charge is phishing unless I initiate some action.
I always verify that I'm actually fucked and then take action. This seems counter-intuitive but the deluge of phishing emails makes me feel this is the safest option. I'd rather wait to notice a fraudulent charge and dispute it, than leak info to a random SMS number that claims (possibly truthfully) that someone in Japan spent $9000 at the Gucci store.
Agreed. I do not follow any links, accept calls, etc. I go to the site of origin and do what I need. Also be careful if you search for the site's name on Google, you still might click a fraud site!
That's not verifying the phone number. I received a call from Chase about a wire. I asked them for a code so I could continue the conversation and then looked up the phone number on their website and called that and talked through reps till I got to the right department.
Caller ID being spoofed is the wrong way to think about this. It's just that if someone walks up to you and says "Hey, I'm Jean d'Eau and I'm President of the US" you don't think to yourself "oh yeah he's definitely President and that's his name".
People can always tell you they're whoever they want to be. You can either believe it or go find out if they are.
I know it's easy to second-guess someone after they've explained that they're describing a scam, but:
> The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.
He didn't follow the first of those best practices. He just looked up a phone number that the caller also read out to him, and didn't call it. And "Solomon" also explicitly told him he couldn't call.
I honestly think that at this point, no incoming phone call can ever be trusted.
I don't even know where the idea that those are the best practices came from.
The phone number best practice has always been constructed as "call them back at a known good number, preferably one written on paper or on your card". You certainly don't ask them to show you where on the company website the phone number is listed.
And asking the person on the phone with you to send you an email from a specific domain is likewise not something I've ever seen recommended: that's one of several things you check to see if an email is phishing (And only one of several! A good domain isn't enough to clear an email!) But if you're already on the phone with someone suspicious, the best practice has always been to get off the phone with them immediately and call a known number, not to ask the caller to prove themselves.
None of this is to blame OP for misunderstanding, it's just very clear that we need to do better at communicating these rules out to the world.
They can't. And they haven't been for a while. Spoofing phone calls is simply too easy, and nothing is being done to fix that, despite the fact that it puts so many of us at risk. It's not an insurmountable problem, technologically. It is literally a lack of will and outcry from ordinary people, despite how often this fact is used to abuse so many.
Credit Card companies have known this for a long time. My credit card company will call and say "do not call back to this number, call the number on the back of your card and use this reference number".
I'd argue the second one was not followed either. Maybe I'm misunderstanding the article, but I would not take a random "your password has changed" as proof. I would need the caller to send me an actual email from their personal work email address (or ticket system?) with some actual, human communications in it.
> I asked if I could call back a phone number listed on Google.com and she said sure - this number is listed on google.com and you can call back with your case number, but there may be a wait on hold and I might get a different agent. I googled it and sure enough, it was listed on google.com pages. I didn't call back though.
This is where a big mistake is. Always, ALWAYS phone or contact back using the company’s official channels. Because if they have sufficient info about you, scammers can make a call sound hella legitimate, but one thing they still cannot do is pick up the company’s phone for them when you phone in. Especially if you call from a hardline, which requires compromising the phone company’s switching equipment.
Even my father, nearly 86 with a 5th grade education and slowly sliding into dementia, knows better than to uncritically accept being directly contacted. He’s already short-circuited several scams (of various types) in the last few years by hanging up and phoning back in himself.
This used to not be safe though, in the age of landlines.
I forget the details, but most of the country was wired in a manner that both parties of a call had to hang up to end the connection.
You might hang up, go find the official phone number, but when you pick the phone off the cradle you would still be in the previous call. They could fake the dial tone and you would be none the wiser.
I remember pranking friends with this back when I was young. Harmless stuff.
> This is where a big mistake is. Always, ALWAYS phone or contact back using the company’s official channels.
The problem, and the reason why that scam approach works half the time, is that calling back is a huge PITA these days between 1) endless routing menus or some "smart" AI bot that is f*ing useless (seriously, I have never been helped to my satisfaction by one of those), 2) long long long hold times to get to a human, if you ever do, because every single company is always "expecting greater than usual call volumes" -- wtf? call volume distributions are Gaussian, ok? so adjust accordingly.
What I'm most curious about is how they were able to spoof the email being sent from `[email protected]`. Given the odd phrasing of 'password for important.g.co', perhaps this is some strategy involving creating a 'parallel' account with the same email and making use of it to send an official-looking email as part of the scam?
There was something in Google Workspace that allowed the scammers to have an email sent to them, AND an additional one of their choice. But when I asked about calling them back, I was told that wasn't possible, which made me suspicious.
It would be better if Google would react more strongly to such attacks.
-> There is a sophisticated one where you can take over an account via the Account Recovery flow, that is still actively abused; tried to report, got "not a bug, triaging as abuse risk"
Anyone that gets a telephone call from “Google” should be immediately suspicious. I used to work for a company that paid GCP about as much as my annual salary _every_ month, and we still struggled to get GCP on the phone when we needed assistance.
What's wild is when Google Play Music came to Canada, where you could upload your music to the cloud, I was able to get phone support for a bug it had with Linux, and they were very helpful.
Totally unrelated, beyond being another Google service, but what's with Google's AppSheet being used for so many phishing emails? How does Google not predict this abuse and prevent it?
Now to be fair they all end up in the spam folder, but these are emails sent from [email protected] (SPF passing and originating from a Google IP), albeit with a phishing FROM name like "Meta for Business". I have hundreds of these in my spam folder, telling me that my Meta campaigns (I don't have any Meta campaigns and don't interact with that business at all) have been suspended, etc, clearly hoping to take over someone's Meta business account.
Like when Google's Calendar invites were massively used for spam, I just don't understand how that company rolls out services and doesn't foresee the malusage.
Extremely scary. This is way above and beyond most phishing attacks. Obviously, this guy is being targeted for some reason or another. I worry about such attacks being automated at scale with AI tools.
This has saved me numerous times from scams². Because scammers would email me on the wrong address. Either they'd mail me on an address listed on my website, when the actual company would've mailed on the unique address I gave them (more targeted phishing). Or they'll mail me on an address that I know to be leaked (these are redirected to spam in filters).
I am convinced there's an actual solution to a lot of scamming here, if the UX and UI are carefully designed. To be used by "muggles", not just the crowd that knows things like filters and catch-alls and plus-appended etc. It's a pity Google, Microsoft or even proton aren't actively promoting such a "unique mail for every service". But I guess there's little in it for them.
¹ Used to self host, but now that's near impossible with the monopolies on mail servers at big tech, and moved to mailbox.org. Big shoutout!
² aside from the other great benefit. I'm often one of the first to know some service or site was compromised by receiving scam, spam etc. A few times I was even the one to report a breach to such an org via this.
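The alias-per-service habit described above works as a concrete filter, and the following added example shows how. It is not the commenter's configuration or any mail provider's code: each alias is bound to the sender domain its service is expected to write from, and inbound mail is scored against that binding; the alias table, leak list and sample messages are constructed.

```python
# Added example of the per-service alias scheme: each alias is bound to the
# sender domain its service is expected to use, and inbound mail is scored
# against that binding. Not the commenter's setup; all data is constructed.
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "mail.example"

# alias local part -> (service it was handed to, domain that service mails from)
ALIASES = {
    "shop-7f3a": ("shop.example", "shop.example"),
    "bank-c01d": ("bank.example", "bank.example"),
}
# Aliases that have since appeared in a breach dump: anything sent here is
# spam, and the first arrival doubles as the breach notification.
LEAKED = {"forum-9b2e"}
# Addresses published on the website. No service was ever given these, so a
# bound service "writing" here is not using the channel it was handed.
PUBLIC = {"hello"}


def domain_of(addr: str) -> str:
    return addr.lower().rpartition("@")[2]


def classify(raw: str) -> tuple:
    """Return (verdict, reason) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, to_addr = parseaddr(msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    to_local, _, to_dom = to_addr.lower().rpartition("@")
    from_dom = domain_of(from_addr)

    if to_dom != MY_DOMAIN:
        return "reject", f"addressed to {to_dom or '<none>'}, not {MY_DOMAIN}"
    if to_local in LEAKED:
        return "spam", f"alias {to_local} is in a known leak"
    if to_local in ALIASES:
        service, expected = ALIASES[to_local]
        # Exact domain or a subdomain of it; a lookalike such as
        # shop-example.co fails both tests.
        if from_dom == expected or from_dom.endswith("." + expected):
            return "ok", f"{service} wrote to its own alias"
        return "phish", f"alias {to_local} belongs to {service}, sender is {from_dom}"
    if to_local in PUBLIC:
        bound = {expected for _, expected in ALIASES.values()}
        if from_dom in bound:
            return "suspect", f"{from_dom} has an alias but used the public address"
        return "ok", "public address, no service binding to check"
    return "unknown", f"no alias named {to_local}"


# Constructed sample messages.
SAMPLES = {
    "legit": "From: Shop <orders@shop.example>\nTo: <shop-7f3a@mail.example>\n"
             "Subject: Your order shipped\n\nThanks for your order.\n",
    "phish": "From: Shop Security <alerts@shop-example.co>\n"
             "To: <shop-7f3a@mail.example>\n"
             "Subject: Verify your account\n\nClick here within 24 hours.\n",
    "leaked": "From: Prize Desk <win@lottery.example>\nTo: <forum-9b2e@mail.example>\n"
              "Subject: You won\n\nClaim now.\n",
    "public": "From: Bank <service@bank.example>\nTo: <hello@mail.example>\n"
              "Subject: Unusual activity\n\nLog in to review.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:7s} -> {classify(raw)}")
```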
To all the people criticizing OP, 5 million people are victims of phishing attacks every year. This attack is more sophisticated than 99.99% of them. Cut OP some slack.
> I asked if I could call back a phone number listed on Google.com and she said sure - this number is listed on google.com and you can call back with your case number, but there may be a wait on hold and I might get a different agent. I googled it and sure enough, it was listed on google.com pages. I didn't call back though.
Emphasis mine.
Also, if a human called me and claimed to be working for Google, I would laugh heartily and hang up the phone. Google doesn’t even have call in tech support, why would they call you for something as banal as a compromised account?
I agree. Easy to Monday morning quarterback opsec but we're human and the best fall for stuff all the time.
A non-tech person wouldn't know Google has bad support and is unlikely to call you, that a number and email can be spoofed, etc. And even if 99% didn't fall for it, just 100 calls gets the scammer a victim on average.
It's specifically a password reset email. A Google Workspace admin can send a password reset to any of their users, and it will pass DKIM and SPF. The trick here is that apparently you can sign up for Workspace with a g.co subdomain and, without verifying the domain, can trigger a password reset to be sent.
> Someone named "Chloe" called me from 650-203-0000
Nope. Rule #1 in today's environment is never pick up the phone. If you're not expecting the call they can leave a message. And if it's something you think is legitimate, get the authentic number from a reputable source.
megablast|1 year ago
Well, ok then.
eviks|1 year ago
But you didn't fall for it, a simple password manager technique worked as advertised?
Eikon|1 year ago
There’s indeed a lot of them :)
layman51|1 year ago
[1]: https://news.ycombinator.com/item?id=42450221
numbsafari|1 year ago
That should absolutely be the norm at this point.
jrochkind1|1 year ago
I have no idea where I'd find one of those.
philipwhiuk|1 year ago
In reality, the number your phone carrier provides is basically a guess. It in no way guarantees who is calling you.
blevinstein|1 year ago
https://www.reddit.com/r/googleworkspace/s/NtJpputXtg
berkes|1 year ago
So, [email protected] for https://shop.example.com account(s). I've recently switched to a randomized username part, as bitwarden supports this well.
croemer|1 year ago
Starting at 1:58 here: https://cloud-3s03ljpcy-hack-club-bot.vercel.app/0call_recor...