Google Shuts Down Sophisticated Phishing Scam Targeting Users Worldwide!
2025-01-27
Author: Li
Introduction
In a bold response to a recent surge in account takeover scams, Google has ramped up its security measures following alarming revelations shared by Zach Latta, founder of Hack Club. Latta recounted a terrifying close-call experience with voice phishers seeking to hijack his Google account through an impressively deceptive scheme.
The Scam Encounter
Latta's harrowing encounter began when he received a phone call from an individual claiming to represent the Google Workspace team. The caller alleged that they had detected unusual login attempts from Frankfurt and urged Latta to reset his password immediately. The call originated from the legitimate-sounding number 650-203-0000—usually linked to automated Google Assistant services—which added to the apparent authenticity of the scam.
The scammer, who introduced herself as "Chloe," spoke with a convincingly native American accent over an eerily clear line. Initially believing he was speaking with a real Google representative, Latta wisely chose to verify the authenticity of the call. He requested a real email from a Google domain, which he received from an unspoofed [email protected] address. Even when he asked if he could call the number back, Chloe seemed relaxed and agreeable, making it even more difficult to suspect foul play.
Red Flags and Confusion
The deception began to unravel when another supposed Google employee, "Solomon," took over the conversation. His conflicting information and prompts to press specific numbers raised red flags for Latta, though he was still presented with an authentic-sounding two-factor authentication (2FA) code that appeared on his device, complicating his decision further.
Latta reflected on the sophistication of the tactics used, stating, “If I had followed the 'best practices' by verifying the phone number and getting confirmation through email, I would have been compromised. The fact that I almost fell victim to this makes it clear how dangerous these scammers can be.”
Exploiting the g.co Subdomain
The scammers' use of the g.co subdomain played a critical role in their strategy. They were able to create a Google Workspace account using g.co without verification, and then launch password reset emails that appeared legitimate because they came from Google itself.
Google's Response
A spokesperson for Google confirmed the account responsible for this scam had been suspended, stating, “While we haven’t seen evidence that this is a widespread issue, we are taking measures to strengthen our defenses against those looking to exploit the g.co domain in malicious activities.”
Importance of User Vigilance
In light of this incident, it's important to remind users that Google will never initiate a phone call to ask for sensitive information or assist with password resets, so any unsolicited call should be treated with skepticism.
This incident is just one among many in a troubling pattern of sophisticated phishing scams. Latta’s encounter mirrors another harrowing story shared by infosec journalist Brian Krebs, which involved a staggering $500,000 theft related to a Google account compromise.
With scams growing increasingly sophisticated not just for Google users but also for Apple customers, experts stress the importance of public education about the methods scammers employ, which are continually evolving.
As the lines between legitimate calls and fraudulent activity blur, vigilance and skepticism remain the best defenses for users against these crafty cybercriminals.