- A new phishing scam has targeted a Google programmer
- The attack was worryingly convincing and has prompted Google to tighten its defences in response
- Not sure how to spot a phishing scam? Follow our tips
A new ultra-realistic phishing scam reported by a Google programmer should give many of us pause.
Zach Latta warned in a recent blog post: "Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown."
Starting from a phone call whose caller ID read 'Google', this phishing attempt was convincing enough to bring a Google programmer within one button press of disaster. Here is what we know so far.
A persuasive story
On the other end of Latta's phone call, which came from a real number associated with Google Assistant calls, was a 'Google engineer' called Chloe.
The line was 'super clear', and Latta noted that the scammer had an American accent. She claimed to be from Google Workspace and asked whether he had recently tried to log into his account from Frankfurt, Germany.
From there, the programmer asked whether 'Chloe' could confirm this by email from an official Google address. Obligingly, the scammer agreed and sent Latta an extremely official-looking email containing a case number.
Not only was the email sent, it came from the address 'workspace-noreply@google.com' and referred to a password for 'important.g.co', which the attacker claimed was an internal Google subdomain. This matters because a message from a legitimate sender domain is exactly the kind of thing our own TechRadar phishing guidance treats as a strong signal of authenticity, and here it was being used against the target.
g.co is, in fact, an official Google URL, confirmed by Google and with its own Wikipedia page. Latta, being technically minded, knew to verify the phone number and Googled it; the scammer had even invited him to do so, advising him to quote his case number if he called back. The number is listed on google.com pages, which was enough to reassure Latta.
The scammer then urged Latta to perform a 'session reset' on his device, which set off alarm bells for the programmer. The scam's first stumbling block came when Latta checked his Google Workspace login logs himself and, of course, found no suspicious activity.
When pressed, the scam began to unravel: the attacker transferred him to a 'manager' who further pushed Latta to log out of all devices and reset his password. Shockingly, the scammer knew about the genuine MFA code that Google had just sent to Latta; had he entered it as instructed, it would have given the attacker access to his account.
Fortunately, Latta spotted the red flags and by this point was already suspicious enough not to hand over his account, but the scammer came close, as Latta admitted.
"Literally 1 button press from being completely pwned. And I'm pretty technical!"
This particular attack has prompted Google to tighten its defences in response.
"We have suspended the account behind this scam, which abused an unverified Workspace account to send these misleading emails," a Google spokesperson told TechRadar Pro.
"We haven't seen evidence that this is a wide-scale tactic, but we are hardening our defences against abusers who leverage g.co references during registration to further protect users."
Google also reiterated: "Google will not call you to reset your password or troubleshoot account issues."
The news follows a trend of cybercriminals deploying smarter and more frequent attacks, partly enabled by the rise of AI. This particular scam even got around MFA and used a legitimate Google domain, so even the most tech-savvy among us should stay alert.
Escaping a phishing attack
What is especially worrying about this scam is that it worked around some of the classic tell-tale signs of fraud. As Latta put it:
"What's crazy is that if I followed the 2 'best practices' of verifying the phone number + getting them to send an email to you from a legitimate domain, I would have been compromised."
Checking the legitimacy of the email address and the phone number is essentially the first recommendation for any unexpected communication, and it is still good advice, but it will clearly only filter out the lower-tier attacks at this point. A passing SPF or DKIM check on a message from google.com proves that Google's servers sent it; it does not prove that the Workspace tenant the message is about belongs to anyone you trust. If you are not sure exactly what a phishing attack is, we have put together an explainer.
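To make the point in Latta's quote concrete, here is an added example (not code from the article, from Latta, or from Google) of triaging a Workspace-style notification. It parses the authentication results and sender, then checks whether the message refers to a tenant domain the recipient does not own, which is the detail a sender-domain check alone misses. The two messages, the header layout and the domain `important.g.co` usage are constructed for the demo and are not real Google messages.

```python
"""Triage a Workspace-style notification e-mail.

Added example, not code from the article or from Google. The point:
spf/dkim/dmarc passing for google.com proves only that the message left
Google's infrastructure. It does not prove that the Workspace tenant the
message talks about is one you own. Both sample messages are constructed.
"""
import re
from email import message_from_string, policy

# Constructed sample modelled loosely on the article's description.
SAMPLE_SCAM = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
From: Google Workspace <workspace-noreply@google.com>
To: zach@example.org
Subject: Case 123456: password reset for important.g.co
Content-Type: text/plain; charset=utf-8

A support request (case 123456) was opened to reset the password for
your account at important.g.co. Please call the number listed on google.com
and quote the case number.
"""

# Constructed benign counterpart: same sender, but about the recipient's own tenant.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
From: Google Workspace <workspace-noreply@google.com>
To: zach@example.org
Subject: Your example.org Workspace invoice is ready
Content-Type: text/plain; charset=utf-8

The monthly invoice for example.org is available in the Admin console.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral)\b")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def auth_results(msg):
    """Collect method -> verdict from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(header)):
            results[method.lower()] = verdict.lower()
    return results


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(msg.get("From", "")))
    return m.group(1).lower() if m else ""


def triage(raw, owned_domains, trusted_senders=("google.com",)):
    """Return a verdict dict. owned_domains: tenant domains you actually control."""
    msg = message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    sender = sender_domain(msg)
    # Authenticated = trusted sender domain AND DKIM and DMARC both pass.
    authentic = (sender in trusted_senders
                 and auth.get("dkim") == "pass"
                 and auth.get("dmarc") == "pass")

    text = str(msg.get("Subject", "")) + "\n" + msg.get_content()
    mentioned = {d.lower() for d in DOMAIN_RE.findall(text)}
    # Domains the message is *about* that are neither the sender's nor yours.
    foreign = sorted(d for d in mentioned
                     if d not in owned_domains
                     and not d.endswith(tuple(trusted_senders)))

    findings = []
    findings.append("sender authenticated via %s" % sender if authentic
                    else "sender not authenticated or not a trusted domain")
    if foreign:
        findings.append("refers to a tenant you do not own: " + ", ".join(foreign))
    if re.search(r"\bcase\b.*\d", text, re.I) and re.search(r"\bcall\b", text, re.I):
        findings.append("call-back pretext: asks you to phone in and quote a case number")

    verdict = "suspicious" if (foreign or not authentic) else "ok"
    return {"authentic": authentic, "foreign_domains": foreign,
            "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        result = triage(raw, owned_domains={"example.org"})
        print(label, result["verdict"], result["findings"])
```

The design choice worth noting: `authentic` and `verdict` are deliberately separate. The scam message is authentic in every header sense, and a filter that stops at "DKIM passes for google.com" waves it through; the thing that catches it is the tenant domain the message is about, plus the call-back pretext. In a mail gateway you would feed `owned_domains` from your actual Workspace admin inventory rather than a hard-coded set.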
That said, remaining suspicious of any unexpected communication, especially one that calls for action, is genuinely the best defence against phishing attacks.
In the nicest possible way, it is unlikely that you are important enough for Google to be concerned enough to call you about your personal email account, so be very wary of anyone who reaches out to you out of the blue.
A Google spokesperson told TechRadar: "As a reminder, Google will not call users to reset their passwords or troubleshoot account issues, so feel free to treat any incoming calls as the junk they are."
Look for obvious markers such as poor spelling or grammar, and be aware of which organisations would already know your name: it is unlikely that your bank would open an email with 'Dear customer'.
Beyond that, avoid clicking links in emails from people you don't know, and don't open attachments or scan QR codes from them either. If you want more detail, take a look at our full guide to phishing and how to stop it.
Another line of defence against fraud is to use the best identity theft protection, which can help if you do accidentally click the wrong thing.