- A new phishing scam targeted a Google programmer
- The attack was worryingly convincing and has prompted Google to tighten its defenses in response
- Not sure how to spot a phishing scam? Follow our advice
A new ultra-realistic phishing scam reported by a Google programmer could make many of us a little uneasy.
Zach Latta warned in a recent blog post: “Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a bit blown.”
Starting with a phone call whose caller ID read 'Google', this phishing attempt was enough to bring a Google programmer within a single button press of disaster. This is what we know so far.
A convincing story
On the other end of Latta's call, which came from a genuine number associated with Google Assistant calls, was a 'Google' engineer called Chloe.
The line was “super clear”, and Latta said the scammer had an American accent and claimed to be from Google Workspace, asking whether he had recently tried to log in to his account from Frankfurt, Germany.
From there, the programmer asked whether 'Chloe' could confirm this by sending an email from an official Google address. Obligingly, the scammer complied and sent Latta an incredibly official-looking email with a case number.
Not only was the email sent, it came from the address 'workspace-noreply@google.com' and referred to his 'password' on 'important.g.co', which the attacker said was an internal Google subnet. This matters, because even our own TechRadar phishing advice identifies an unfamiliar domain like this as a serious warning sign.
But g.co is an official Google URL, confirmed by Google and with its own Wikipedia page. Latta, as a technology worker, knew to verify the phone number, so he searched for it on Google, and the scammer encouraged him to do so, advising him to quote his case number if he called back. The number appears on google.com pages, which was enough to reassure Latta.
The scammer then pushed Latta to carry out a 'session reset' on his device, which set off alarm bells for the programmer. The scam hit its first obstacle when Latta reviewed his Google Workspace logs and, of course, found no suspicious activity.
When pressed, the scam began to unravel, with the attacker handing over to a 'manager' who urged Latta even more strongly to sign out of all devices and reset his password. Surprisingly, the scammer was able to quote the genuine MFA code that had been sent to Latta, which, if entered, would have given the attackers access to Latta's account.
Fortunately, Latta was able to spot the red flags, and by this point was already suspicious enough not to hand over his account, but the scammer came close, Latta admitted.
“Literally 1 button press from being completely pwned. And I'm quite technical!”
This particular attack has prompted Google to tighten its defenses in response.
“We have suspended the account behind this scam, which abused an unverified Workspace account to send these misleading emails,” a Google spokesperson told TechRadar Pro.
“We have not seen evidence that this is a wide-scale tactic, but we are hardening our defenses against abusers who take advantage of g.co references at sign-up, to further protect users.”
Google also reiterated: “Google will not call you to reset your password or fix account problems.”
The news follows a cybercriminal trend of smarter and more frequent attacks, partly enabled by the advent of AI. This particular scam even sidestepped MFA and used a legitimate Google domain, so even the most tech-savvy among us should stay on guard.
Escaping phishing attacks
What is notable about this scam in particular is that it has found ways around some of the classic signs of a scam. As Latta said,
“What's crazy is that if I had followed the 2 'best practices' of verifying the phone number + getting them to send an email from a legitimate domain, I would have been compromised.”
Verifying the legitimacy of the email address and the phone number is more or less the first recommendation for any unexpected communication, and that remains good advice, but it clearly only filters out the lower-level attacks at this point. If you are not sure what exactly a phishing attack is, we have put together an explainer.
That said, remaining suspicious of each and every unknown communication, especially those urging you to act, really is the best defense against phishing attacks.
In the kindest way possible: you are unlikely to be important enough for Google to bother calling you about your personal email account, so be very wary of anyone who contacts you out of the blue.
A Google spokesperson added: “As a reminder, Google will not call users to reset their passwords or fix account problems, so don't hesitate to treat any such incoming call as the junk it is.”
Watch for any obvious markers, such as poor spelling or grammar, and keep in mind which organizations would already know your name; it is unlikely that your bank begins an email with 'dear customer'.
Along with that, avoid clicking on any links in emails from people you don't know, and don't open attachments or scan QR codes. If you want more details, take a look at our complete guide to phishing defense and how to stop it.
Another layer of defense against scams is to use the best identity theft protection, which can help if you do click on the wrong thing.