
LeonM | 5 months ago

My best guess is that this attack was purely social engineering, and that no email spoofing actually happened. I think that the email message in question is actually a legit email from Google.

I'm not familiar with the formal account takeover process at Google, but my best guess is that the attacker simply requested an account takeover via the official Google process, which triggered this email to be sent by Google legitimately. By reading back the code in that email, the attacker was able to claim the Google account as theirs, and thus access the Gmail inbox to reset the Coinbase password and access the authenticator backups from Google Drive.

I would be very curious to see the original message headers of the email though.


freeplay|5 months ago

I don't think that email he posted from legal@google.com is legit.

Look at the first sentence of the first paragraph and the first sentence in the second paragraph. Two grammar errors which are a dead giveaway it's fraudulent.

> Thank you for your assistance and understanding during your recent support call, regarding a ficticious request aimed at accessing your Google account.

Comma doesn't belong there and "fictitious" is misspelled.

> To follow all guidelines of the internal review properly. Please keep a secure note with the temporary password which your support representative has provided to you.

Out of place period. Should be a comma.

Legit, canned emails like this (especially from legal@google.com) would be proofread much better than this. It's fake.

furyofantares|5 months ago

Yeah, that part doesn't add up. If the email was sent by the attacker, why did it have a code he needed to give the attacker?

davidscoville|5 months ago

Yes, at least two emails. One was the spoofed email from legal@google.com (which sadly convinced me this was legit) and the other was a Google recovery code email.

The spoofed email was deleted by the attacker, but I have a copy because I forwarded the email to phishing@google.com (something ChatGPT told me to do). The attacker then deleted the original but when I got my account back an hour later, Google bounced back the email. So that is the copy I have and the headers are not super helpful.
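One check worth running on a bounced or forwarded copy like the one described above is whether the receiving server's Authentication-Results header shows SPF/DKIM/DMARC passing for the domain shown in From:. This is an added example, not code from the thread; the two header sets are constructed, and `org_domain` is a deliberately crude alignment helper.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample (not the real headers from the thread): a message claiming
# to be from legal@google.com that was actually relayed by an unrelated server.
SAMPLE_SPOOF = b"""From: Google Legal <legal@google.com>
To: victim@example.com
Subject: Internal review
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=bulk-sender.example.net;
 dkim=none;
 dmarc=fail header.from=google.com
"""

# Constructed sample of a genuine account notification that passed all checks.
SAMPLE_LEGIT = b"""From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Your Google Account recovery code
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=accounts.google.com;
 dkim=pass header.d=accounts.google.com header.s=selector1;
 dmarc=pass header.from=accounts.google.com
"""

def org_domain(domain):
    """Crude organisational-domain guess (last two labels); not public-suffix aware."""
    return ".".join(domain.lower().split(".")[-2:])

def parse_auth_results(raw):
    """Pull spf/dkim/dmarc results and the relevant domains out of the headers."""
    msg = message_from_bytes(raw, policy=policy.default)
    ar = str(msg.get("Authentication-Results", ""))  # policy.default unfolds it
    res = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", ar)
        res[method] = m.group(1).lower() if m else "none"
    d = re.search(r"header\.d=([\w.-]+)", ar)
    res["dkim_domain"] = d.group(1).lower() if d else None
    res["from_domain"] = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    return res

def verdict(raw):
    """'authenticated' only if DMARC passed, or DKIM passed for a domain aligned with From:."""
    r = parse_auth_results(raw)
    dkim_ok = (r["dkim"] == "pass" and r["dkim_domain"] is not None
               and org_domain(r["dkim_domain"]) == org_domain(r["from_domain"]))
    return ("authenticated" if r["dmarc"] == "pass" or dkim_ok else "unverified"), r
```

A bounced copy often carries only the original receiving server's stamp, so if that header is missing entirely the result is "unverified" rather than evidence either way.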

wmf|5 months ago

I think the attacker asked him to read an SMS code.

Beijinger|5 months ago

"reset the Coinbase"

You must be insane to use gmail for anything like banking, crypto, domains.

I lost access to my gmail account. I know the PW but I can't access the 2 factor authentication anymore.

kevin_thibedeau|5 months ago

This is why 2FA isn't all it's cracked up to be. Strong passwords kept in your head are less brittle than managing something you can lose. If you have a real support channel (like employer IT) to deal with loss, it's workable. Online services with no support are just asking for trouble.

digianarchist|5 months ago

1password + hardware keys - I am not a large target though and use crypto transactionally.

nixosbestos|5 months ago

I'd certainly be insane to take security advice from people who don't use password managers