Google’s Subdomain ‘g.co’ Hacked – Hackers Gain Google Account Access Over Phone Call


Cybercriminals recently exploited Google’s g.co subdomain to carry out a meticulously crafted scam over a vishing call. The incident was chronicled by Zach Latta, founder of Hack Club, who nearly fell victim to the attack.

His account sheds light on the increasing sophistication of phishing techniques, even targeting tech-savvy users.

The attack began with a phone call from a number labeled as “Google” on the Caller ID, complete with an official-looking number: “650-203-0000.”

The caller, claiming to be “Chloe” from Google’s Workspace Support team, informed Zach that his account was under threat due to suspicious login attempts from Frankfurt, Germany. Chloe spoke confidently, presenting what seemed to be legitimate security procedures.

To make her story more believable, she followed up with an email sent from an official-looking domain: important.g.co.

The email’s professional tone and alignment with the story added credibility to the scam.

“OK, so that can’t be from a google.com email, right? It must be a spoofed email using g.co, which doesn’t have DKIM / SPF turned on – right? Nope.” Zach said.

You might think that “important.g.co” is an unofficial URL, similar to those used in Google Docs phishing attacks.

However, it’s actually an official Google URL, and Google itself confirms this on its “About g.co” page:

“You’ve arrived at this page because you typed or linked to “g.co”, Google’s official URL shortcut just for Google websites.”

“Whenever you see a short “g.co” link, you can trust that it will always take you to a Google product or service.”

The Scammer’s Conversation with Zach

As Zach pushed for verification, another person entered the call, a “manager” named Solomon, who took over the conversation.

Solomon continued to press Zach for actions, including tapping a code sent to his phone. This code, if entered, would have granted full access to his Google account.

Something didn’t sit right with Zach. Despite the scammers’ polished performance, small inconsistencies began to raise suspicion.

Key details provided by Chloe and Solomon didn’t align, prompting Zach to think twice about their instructions.

When Solomon discouraged Zach from calling Google support directly, it became clearer that something was wrong. You can hear the last 7 minutes of the audio conversation with the scammer posing as a Google employee.

The caller purportedly instructed the victim to visit a LinkedIn profile to verify their identity and confirm their employment at the tech giant.

After establishing credibility, the scammer sent a suspicious two-factor authentication code via text message.

The caller abruptly ended the conversation when the victim began asking further questions about the scam.

A deeper investigation revealed that the attackers were abusing Google’s g.co subdomain, a legitimate service used for URL shortcuts.

By exploiting a vulnerability in Google Workspace, they could create subdomains such as important.g.co without proper domain verification. This allowed them to send phishing emails that appeared genuine.

“The thing that’s crazy is that if I followed the 2 “best practices” of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.”

“I understand how they were able to spoof the “Google” phone call through Google Assistant, but I have no idea how they got access to important.g.co. g.co is a legitimate Google URL.” Zach shared his experience via GitHub.

Hack Clubbers have determined that this is almost definitely a bug in Google Workspace, suggesting that users can create a new Workspace using any g.co subdomain.

This loophole reportedly allows individuals to send emails without verifying ownership of the domain, raising concerns about the potential for malicious use.

If confirmed, this could have profound implications for security and phishing attempts, as scammers could exploit the flaw to impersonate trusted sources. Google has yet to comment on the issue, but experts urge caution until the matter is resolved.
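The loophole described above turns the usual advice (“make them send you an email from a legitimate domain”) into a weak check, because mail from a Workspace-created g.co subdomain passes SPF and DKIM for that subdomain. The script below is an added example, not code from the article, Hack Club or Google: it parses a message’s Authentication-Results header, checks that each passing result is aligned with the From domain, and then applies the check the scam scenario actually defeats, whether the From domain is one the vendor is known to use for account-security mail. The two sample messages, their authentication results and the EXPECTED_SENDER_DOMAINS allowlist are constructed for the example.

```python
"""Triage helper for the scenario in the article: a caller claims to be from a
vendor's support team and "proves" it with mail that passes SPF/DKIM/DMARC.
Added example, not code from the article, Hack Club or Google.  The sample
messages, their Authentication-Results values and the allowlist are constructed."""
import email
import re
from email.utils import parseaddr

# Constructed message modelled on the scam: every check passes, but the From
# domain is a Workspace-created g.co subdomain, not the vendor's support domain.
SAMPLE_SCAM = """\
From: "Google Workspace Support" <support@important.g.co>
To: victim@example.com
Subject: Suspicious sign-in activity
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=important.g.co;
 dkim=pass header.d=important.g.co header.s=google;
 dmarc=pass header.from=important.g.co

Please confirm the code we just sent to your phone.
"""

# Constructed message as a genuine notification would look (assumed sender domain).
SAMPLE_GENUINE = """\
From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=accounts.google.com;
 dkim=pass header.d=accounts.google.com header.s=20230601;
 dmarc=pass header.from=accounts.google.com

A new sign-in was detected. If this was not you, review your account activity.
"""

# Domains from which this organization expects the vendor's account-security
# mail.  Assumption for the example; a real list comes from the vendor's docs.
EXPECTED_SENDER_DOMAINS = {"google.com", "accounts.google.com"}


def unfold(header):
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header or "")


def org_domain(domain):
    """Crude organizational domain (last two labels); a real implementation
    would consult the public suffix list."""
    return ".".join(domain.split(".")[-2:])


def parse_auth_results(header):
    """Parse an Authentication-Results header into {method: (result, domain)}.
    Only the domain property relevant to each method is kept."""
    results = {}
    sections = [s.strip() for s in unfold(header).split(";")]
    for section in sections[1:]:  # sections[0] is the authserv-id
        m = re.match(r"(\w+)=(\w+)(.*)", section)
        if not m:
            continue
        method, result, props = m.group(1).lower(), m.group(2).lower(), m.group(3)
        d = re.search(r"(?:header\.d|smtp\.mailfrom|header\.from)=([\w.-]+)", props)
        results[method] = (result, d.group(1).lower() if d else None)
    return results


def triage(raw_message):
    """Return the From domain, parsed auth results and a list of findings.
    An empty findings list means the mail is consistent with the claimed sender;
    it still says nothing about whether the phone caller is that sender."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []

    for method in ("spf", "dkim", "dmarc"):
        result, domain = auth.get(method, ("none", None))
        if result != "pass":
            findings.append(f"{method}-{result}")
        elif domain and org_domain(domain) != org_domain(from_domain):
            findings.append(f"{method}-unaligned:{domain}")

    # The check the article's scenario defeats: a passing, aligned result only
    # proves the mail came from the From domain, so that domain itself must be
    # one the vendor is known to use for this purpose.
    if from_domain not in EXPECTED_SENDER_DOMAINS:
        findings.append(f"unexpected-sender-domain:{from_domain}")

    return {"from_domain": from_domain, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("genuine", SAMPLE_GENUINE)):
        print(label, triage(sample)["findings"])
```

Running it shows the constructed scam message passing every authentication check and being flagged only by the sender-domain allowlist. Even an empty findings list establishes only that the mail came from that domain, not that the person on the phone works there, which is why the remaining defence is the one Zach eventually took: end the call and contact the vendor through a published channel, and never approve a sign-in code at someone else’s prompting.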
