26 Comments
Benjamin Woosley:

In addition: trust no inbound communications. If something is in fact urgent, it can be confirmed by reaching out to a number publicly listed and well known as representative of the company, rather than by accepting an inbound call.

These scams will only get better, they will impersonate your loved ones, your best friends, your children, and plead with you to save them by handing over money or information, but it will all be a ruse. The only things that can prevent this outcome are: positive ironclad proof of identity / personhood / company representation, or ongoing rejection of belief in inbound communications.

Gaetan:

Not possible with Google: they don't have public numbers for you to contact them on.

You can have a live chat or a call back through Google One but that's it.

Srujan J.:

Got got in the same scam! They also tried to target my Coinbase; luckily I had nothing left there, haha. Read more here:

https://www.linkedin.com/posts/srujan-jonnadula_had-an-interesting-morning-today-i-got-activity-7353148996657311747--o-P?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAgjE-8BAGuq9Zd8326SuhGYQ0X6LlCYst4

David Scoville:

Thanks for sharing!

Christian Chung:

Your story has reinforced my skepticism of crypto as a secure way for ordinary Americans to hold money. I'm sorry this happened to you, but as far as I understand, this is an attack nearly impossible to sustain with traditional banking.

David Scoville:

Yes, agreed. Most people probably shouldn’t hold a lot of crypto, including myself. I think we need an extra layer on top of crypto for average customers that acts much like traditional banks—i.e. they secure your crypto for you, keep it secure, monitor transactions for fraud, etc.

Maju:

A friend of mine was also locked out of his account by a single mistake, and he could not recover from this. He approved a request on his phone that he should not have, and within a couple of minutes all of his 2FA methods were removed and replaced with others. He was logged out on all his devices by the time he noticed what was going on. There was no way for him to get back into his account. None of the safety mechanisms, like logging in from a machine or device he frequently used, worked. The automated process to recover the account was not working no matter what he tried. There is also no way to contact anyone for support, as you need to log in for this. There are only the automated processes if you are logged out. The attacker took control of all his documents, photos, emails, his whole identity, and there is nothing he can do about it.

Travis314159:

Are you free to give more information about the request on his phone? (To help others avoid the same mistake.)

Maju:

It was a login confirmation. I don't know all the details, but it was some bad timing and not double-checking the details of the confirmation, as far as I remember. Still, it should not be possible to take over the whole Google account with a single wrong click and no further confirmation and no way to intervene. Especially removing all the existing 2FA and logging out all devices should not be possible without triggering some kind of safety measure or another confirmation.

Travis314159:

That is crazy. It's a huge gaping hole in Gmail security. Your friend's situation should also be on the front page of HN.

Maju:

I tried to get some attention, but it didn't work. I wrote this on Medium back then and shared it on HN:

https://medium.com/@martin.juecker/why-google-account-protection-will-not-save-you-44918a5cb125

Travis314159:

I'm so sorry for your friend. That just sucks. It's appalling that Google doesn't have at least 100 people dedicated to hacked accounts and methods by which they were hacked. It would be a drop in the bucket for them and would result in a much more robust email service. Just pure laziness on their part.

TheAlienFromAlien:

Thanks for the honest write-up.

Can you share more info about how this was actually pulled off?

Very worrying that the Gmail app can display a spoofed email as legit from google.com. And concerning that Google doesn't use features like a verified logo or blue tick on their own official emails anyway. What was the actual email header? What in the header would have told you something was off?

David Scoville:

I updated the post with some notes about the headers at the end.

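As an added defender-side illustration (not from the post, its author, or any of these comments), the script below shows the kind of check the question above is getting at: did SPF, DKIM and DMARC actually pass, and does the domain that signed the message line up with the domain shown in the From header? The three raw messages, the domain names in them, and the receiving server's authserv-id `mx.example.net` are constructed for this example; the page does not reproduce the real headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id that *our* receiving mail server writes into
# Authentication-Results. Any other value means the header was added upstream
# and could have been supplied by the sender.
OUR_AUTHSERV_ID = "mx.example.net"

# Constructed sample 1: a message that would pass every check.
LEGIT_RAW = """\
Return-Path: <no-reply@accounts.google.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=accounts.google.com; dkim=pass header.d=accounts.google.com; dmarc=pass header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>
To: victim@example.net
Subject: Security alert

(constructed body)
"""

# Constructed sample 2: visible From says google.com, but SPF and DKIM were
# evaluated for an unrelated sending domain and DMARC failed.
SPOOFED_RAW = """\
Return-Path: <bounce@mailer-xyz.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mailer-xyz.example; dkim=pass header.d=mailer-xyz.example; dmarc=fail header.from=google.com
From: Google Support <support@google.com>
To: victim@example.net
Subject: Urgent: your account has been compromised

(constructed body)
"""

# Constructed sample 3: everything "passes", but the header was stamped by a
# server that is not ours, so it cannot be trusted.
FOREIGN_AR_RAW = """\
Return-Path: <no-reply@google.com>
Authentication-Results: mta.third-party.example; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
From: Google <no-reply@google.com>
To: victim@example.net
Subject: Security alert

(constructed body)
"""

def org_domain(domain: str) -> str:
    """Approximate the organizational domain by its last two labels.
    Simplification: real DMARC alignment consults the public suffix list."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def parse_auth_results(value: str) -> dict:
    """Split 'authserv-id; spf=... ; dkim=... header.d=...; dmarc=...' into
    a dict of method -> {result, properties}."""
    parts = [p.strip() for p in value.split(";")]
    methods = {}
    for part in parts[1:]:
        m = re.match(r"(spf|dkim|dmarc)=(\w+)(.*)", part)
        if m:
            method, result, rest = m.groups()
            methods[method] = {"result": result, **dict(re.findall(r"(\S+?)=(\S+)", rest))}
    return {"authserv_id": parts[0], "methods": methods}

def check_message(raw: str) -> dict:
    """Return the From domain and a list of reasons the message looks off."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    findings = []
    ar = msg.get("Authentication-Results")
    if ar is None:
        findings.append("no Authentication-Results header")
        return {"from_domain": from_domain, "findings": findings}
    parsed = parse_auth_results(ar)
    if parsed["authserv_id"] != OUR_AUTHSERV_ID:
        findings.append(f"Authentication-Results stamped by {parsed['authserv_id']}, not by our server")
    methods = parsed["methods"]
    dkim = methods.get("dkim", {})
    if dkim.get("result") != "pass":
        findings.append("DKIM did not pass")
    elif org_domain(dkim.get("header.d", "")) != org_domain(from_domain):
        findings.append(f"DKIM signer {dkim.get('header.d', '?')} is not aligned with From domain {from_domain}")
    spf = methods.get("spf", {})
    if spf.get("result") == "pass" and org_domain(spf.get("smtp.mailfrom", "")) != org_domain(from_domain):
        findings.append(f"SPF envelope sender {spf.get('smtp.mailfrom', '?')} is not aligned with From domain {from_domain}")
    dmarc = methods.get("dmarc", {})
    if dmarc.get("result") != "pass":
        findings.append(f"DMARC result is {dmarc.get('result', 'missing')}")
    return {"from_domain": from_domain, "findings": findings}

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT_RAW), ("spoofed", SPOOFED_RAW), ("foreign-ar", FOREIGN_AR_RAW)]:
        print(label, check_message(raw))
```

The point of the third sample is the one most mail clients get wrong: an Authentication-Results header proves nothing unless it was written by the server that delivered the message to you, which is why the check compares the authserv-id before it looks at any pass/fail result.
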
Kevin C. Johnston:

So sorry this happened -- I have actually received these calls / emails and they definitely looked legitimate. I think the caller ID thing is pretty easy to spoof which is sad. The phone said "Google" is calling and I figured it was a scam and did talk to the scammer briefly since I wanted to see what their technique was. I hung up after about a minute but I do remember the scammer having a good English accent (native sounding I think) -- but I think it was actually a very good A.I. voice that maybe was directly human controlled since it was quick and seemed to respond to my questions accurately; but there was a curious ~2 second delay which was not super slow, but was too slow to feel realistic.

da ge:

I have my phone number set to do not disturb. Calls go to voicemail to be reviewed. For any concerning messages, I contact the company directly.

MJ:

That's terrible! Did the attacker ask you to read a code from your Google Auth app?

David Scoville:

No, the code I read to them was a Google account recovery code. That’s how they accessed my Google account.

Then the attacker used Google SSO to perform the initial log-in to my Coinbase account. Then they opened Google Authenticator, signed in as me, to get the Coinbase auth code so they could complete Coinbase’s 2FA.

David Scoville:

This is why Google Authenticator cloud sync is a vulnerable and dangerous feature.

Felix Roth:

Sorry to hear that. I hope these scammers mess up and get caught eventually. One thing isn't clear to me, though: how did the attacker get access to your Coinbase account? My understanding is that he needed your username and password for this in addition to the authenticator code.

David Scoville:

I think they used Google SSO on Coinbase (“sign in with Google”). I’m going to stop using Google SSO as well.

Mark:

Lucky for you Coinbase have set up a fund for people who got scammed through social engineering attacks due to their recent security fuckup.

Regardless of whether you received an email from Coinbase notifying that you were affected, the attack they suffered is much larger than they let on to the SEC.

https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists

Cyber Safety Watchdog:

You are very brave to share your story, and I am sure it will help others. I'm so sorry that happened to you. These scams are becoming so advanced! Check out my profile - this is what I do!

Cyndy:

It scares me that this happened to YOU. You know what you are doing. You know how an authentic email should look.

I'm so out of my comfort zone with all this information. I don't even have Google Authenticator activated, from what I can tell. My passwords are a mess. I tried to use a password manager, and that too was over my head and ended up getting me locked out of some things. Also, from what I read, I am a targeted demographic at the mercy of a phone call that looks and sounds like it is coming from my grandson.

On top of all that ALL of my personal data has been breached multiple times, every single detail. I have free credit monitoring for the rest of my life. Whoopie! Sometimes I just feel like would someone please go ahead and take all my assets so I can quit worrying about it. Thanks for sharing. I'll try to start updating the almost 400 passwords my phone says I need to update.

Pawel Kraszewski:

For your very reason, Google-synced passwords and a Google-synced authenticator are no longer 2FA. It is 1FA with a small hurdle. Do people from Bitwarden hear me?

Everybody: keep passwords and code generators on separate services (separate devices if possible).

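As an added illustration of the point made in this comment and in the account of the attack chain above (my own example, not code from the post or from any commenter), the script below models an account's login factors together with the place each factor's secret is stored or synced, then follows the "protected by" chain of each store back to an independent root. An account whose factors all lead back to one root has effectively one factor. The store names and both scenarios are constructed; the "protected by" map encodes only what the thread describes (cloud-synced Authenticator codes and Google SSO both hinge on the Google account).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Factor:
    kind: str    # e.g. "password", "totp", "sso", "passkey"
    store: str   # constructed label for where the secret is held or synced to

# Constructed map: store -> the account or secret that protects it.
# Anything not listed here is treated as an independent root.
STORE_PROTECTED_BY = {
    "google-authenticator-sync": "google-account",   # cloud-synced TOTP seeds
    "google-password-manager": "google-account",     # synced passwords
    "google-sso": "google-account",                  # "Sign in with Google"
    "bitwarden": "bitwarden-master-password",
}

def root_store(store: str, protected_by: dict) -> str:
    """Follow the 'protected by' chain until an independent root is reached.
    The seen-set guards against a cycle in a badly constructed map."""
    seen = set()
    while store in protected_by and store not in seen:
        seen.add(store)
        store = protected_by[store]
    return store

def independent_roots(factors, protected_by: dict) -> set:
    """The distinct roots that, between them, can reproduce every factor."""
    return {root_store(f.store, protected_by) for f in factors}

def collapses_to_single_root(factors, protected_by: dict):
    """True when one compromised root hands over every factor of the account."""
    roots = independent_roots(factors, protected_by)
    return len(roots) == 1, roots

# Scenario as described in the thread: Coinbase reached via Google SSO, with
# the TOTP code read out of a cloud-synced Google Authenticator.
COINBASE_AS_IN_THREAD = [
    Factor("sso", "google-sso"),
    Factor("totp", "google-authenticator-sync"),
]

# Scenario following the advice above: password in Bitwarden, TOTP on a
# separate device that does not sync anywhere.
COINBASE_SEPARATED = [
    Factor("password", "bitwarden"),
    Factor("totp", "offline-phone"),
]

if __name__ == "__main__":
    for name, factors in [("as in thread", COINBASE_AS_IN_THREAD), ("separated", COINBASE_SEPARATED)]:
        single, roots = collapses_to_single_root(factors, STORE_PROTECTED_BY)
        print(f"{name}: roots={sorted(roots)} single_root={single}")
```

The useful habit this encodes is to ask, for each account, not "how many factors?" but "how many independent things must an attacker control?"; adding a second factor that syncs to the same account as the first does not raise that number.
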
GS:

Oh that's painful, so so sorry to hear that. It's a real shock to the system, like the hugest gut punch ever. Totally violated and helpless.

Here's an old article about getting off Google (a little extreme, but you get the point): https://www.techtransparencyproject.org/articles/quitting-google (use Brave or Tor Browser and Brave Search).

Another idea is to use an alias email service like simplelogin.io. Even better, pay for an upgraded plan on proton.me that provides secure email and integrates with simplelogin. Also comes with drive, calendar, VPN, authenticator app, etc.

Use Bitwarden password manager.

Use passkeys instead of passwords if available.
