Near Miss: A Sophisticated Google Scam Almost Fooled a Skilled Programmer

Security often hinges on a single decision, a moment of doubt. As phishing attacks become more intricate, even standard security measures may not suffice. Last week, Zach Latta experienced a near-successful phishing attempt that highlights this growing threat.

Zach’s background is impressive. At 16, he became a lead backend developer, and later, a Thiel Fellow. He founded Hack Club, a nonprofit reaching schools across multiple states and countries. His technical expertise makes him an unlikely target for typical phishing scams. When he shared his experience with a sophisticated attack on GitHub, it underscored how convincing scams have become.

A Google Impersonation

The phone call appeared legitimate. The caller, “Chloe,” sounded like a Google support representative, with a flawless American accent and a clear connection.

Screenshot credit: Zach Latta

Chloe claimed someone had accessed Zach’s account from Frankfurt, Germany. When Zach denied any recent login from there, she offered immediate assistance, a classic social engineering pattern: create urgency, then offer to be the one who resolves it.

Confirm Suspicious Activity

Step 1: Independently verify the suspicious activity by checking your account’s security logs.

Step 2: Manually type the URL of the service in question (e.g., google.com, microsoft.com) into your browser.

Step 3: Navigate to the security or activity section of your account settings.

Step 4: Look for unusual login locations, times, or devices.

Step 5: If you find any suspicious activity, immediately change your password and enable or strengthen multi-factor authentication.

Building the Trap

This phishing attempt was unusually sophisticated. When Zach requested verification via email from a Google address, the scammer complied, sending an email from “important.g.co,” which appeared legitimate. The email headers and formatting matched Google’s style perfectly.

Gut Instinct and a 2FA Revelation

Despite the convincing details, Zach felt uneasy. He checked his Google Workspace logs but found no suspicious login attempts.

“Chloe” explained that cache delays might be hiding the activity and gave detailed instructions for checking specific logs, maintaining the illusion of expertise.

Enter “The Manager”

Mid-call, Zach received another call from “Solomon,” Chloe’s manager. Solomon acknowledged the log issue, offered to handle the case personally, and suggested Zach’s Gmail account might have been compromised via a malicious Chrome extension.

As the conversation progressed, Zach grew more suspicious. When he asked Solomon to show him the support phone number on google.com, Solomon directed him to a page where the number appeared only under “Google Assistant.”

When Zach asked if he could call back – something “Chloe” previously allowed – Solomon refused. Zach decided to play along.

He agreed to reset the account. Solomon instructed him to check his phone for a code, claiming it would log him out of all devices, including the “Frankfurt computer.”

“It should pop up on your screen and say ‘84,’” Solomon said confidently. Indeed, 84 was among the codes displayed.

This was the turning point. A legitimate two-factor code is generated for a specific sign-in attempt and is not something a support agent can predict. That Solomon knew the number in advance revealed his true intention: tricking Zach into approving a malicious sign-in request.

Recording the Ruse

After the “84” code exposed the scam, Zach began recording the call, which his iPhone announced to Solomon.

Solomon tried to regain credibility by directing Zach to his LinkedIn profile. However, the scam was already exposed.

When Zach pressed him about the attack, Solomon sent one last fraudulent two-factor code before ending the call.

The (Almost) Perfect Hack and the Vulnerability

This attack was particularly disturbing because it weaponized standard security advice. As Zach noted, following the “best practices” of verifying the phone number and receiving an email from a legitimate domain would have led to compromise.

Further investigation revealed a potential vulnerability in Google Workspace: the ability to create workspaces with any g.co subdomain without proper ownership checks. The attackers sent a seemingly legitimate email by exploiting this flaw.

The attack demonstrated remarkable precision:

  • A spoofed phone number from Google’s support pages.

  • Real-time social engineering tailored to each question.

  • Exploitation of a gap in Google’s domain verification for g.co subdomains.

  • Perfect email forgery using a legitimate subdomain.

Zach reflected that he was “literally one button press from being completely pwned,” despite his technical expertise.

Phishing Prevention Methods

While the case above was focused on a Google Workspace account, the methods used by scammers apply to different account types as well. Here are a few methods to consider in order of effectiveness.

Use a Password Manager with Phishing Detection

Password managers like 1Password and Bitwarden are the most effective methods of preventing account takeovers. They offer a form of phishing detection by filling in login credentials only on the website the credentials were saved for. If a user lands on a fake or phishing site, the manager will not offer the credentials, which alerts the user to a potential scam. Because the match is made by the software rather than by the user’s eye, this significantly reduces the risk of entering credentials on a fraudulent site.

Enable Multi-Factor Authentication (MFA)

This adds an extra layer of security beyond just a password. Even if a scammer obtains your password, they’ll need a second verification factor (like a code from your phone) to access your account.

  • Use an authenticator app (like Google Authenticator or Authy) instead of SMS codes, as SMS codes can be intercepted.

  • Never approve a sign-in prompt, or read a code to a caller, for a login you did not start yourself. In Zach’s case the attacker had already triggered the prompt; approving it was the “one button press” that would have handed over the account.

Verify Communication Channels Independently

Step 1: If you receive an unexpected email or call from a company or service, don’t immediately trust the contact information provided in the message.

Step 2: Independently find the company’s official website through a search engine or by typing the address directly into your browser.

Step 3: Look for a “Contact Us” or “Support” section on the official website.

Step 4: Use the contact information provided on the official website to reach out to the company and verify the legitimacy of the original communication.

Double-Check Links and URLs

Step 1: Before clicking on any link, hover your mouse over it to see the full URL.

Step 2: Examine the URL closely, looking for any misspellings, extra characters, or unusual domain names.

Step 3: If the URL looks suspicious, don’t click on it. Instead, manually type the website address into your browser.

Be Skeptical of Urgent Requests

Step 1: Recognize that scammers often try to create a sense of urgency to pressure you into acting quickly.

Step 2: Be wary of any email or call that demands immediate action, such as “Your account will be suspended if you don’t act now.”

Step 3: Take your time to evaluate the situation carefully and verify the request through official channels.

Check Email Headers

Step 1: Open the email in your email client.

Step 2: Look for an option to view the email headers (this option varies depending on the email client).

Step 3: Examine the headers for any inconsistencies, such as mismatched “From” and “Reply-To” addresses or unusual routing information.
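As an added example (not code from the article), the following Python script applies the checks in these steps to a raw message: it compares the From, Reply-To and Return-Path domains and reads the receiving server’s Authentication-Results header for SPF, DKIM and DMARC results and DKIM alignment. The sample message is constructed for the demo; as the important.g.co case above shows, mail sent from a genuinely Google-owned subdomain can pass all of these, so the independent channel check still applies.

```python
# Added example: flag the header inconsistencies listed in the steps above.
# Standard library only. SAMPLE is a constructed message, not the email
# described in the article.
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: visible From is a Google-looking subdomain, but the
# reply address, bounce address and DKIM signer all point elsewhere.
SAMPLE = """\
Return-Path: <bounce@mailer-relay.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer-relay.example.net; dkim=pass header.d=mailer-relay.example.net; dmarc=fail header.from=important.g.co
From: Google Workspace Support <no-reply@important.g.co>
Reply-To: support-desk@helpdesk-tickets.example.net
To: victim@example.org
Subject: Suspicious sign-in from Frankfurt, Germany

Please reply to this message to confirm your identity.
"""

def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_headers(raw):
    """Return a list of warning strings; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    from_dom = _domain(msg["From"])
    for name in ("Reply-To", "Return-Path"):
        dom = _domain(msg[name])
        if dom and dom != from_dom:
            warnings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    auth = str(msg["Authentication-Results"] or "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1).lower() != "pass":
            warnings.append(f"{mech} did not pass ({m.group(1) if m else 'absent'})")
    # The DKIM signing domain (header.d=) should match or be a parent of the From domain.
    d = re.search(r"\bd=([\w.-]+)", auth)
    if d:
        signer = d.group(1).lower()
        if from_dom != signer and not from_dom.endswith("." + signer):
            warnings.append(f"DKIM signer {signer} is not aligned with From domain {from_dom}")
    return warnings

if __name__ == "__main__":
    for w in check_headers(SAMPLE):
        print("WARNING:", w)
```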

Exercise Caution with Attachments

Step 1: Be very careful when opening email attachments, especially from unknown senders.

Step 2: Scan attachments with a reputable antivirus program before opening them.

Step 3: Avoid opening attachments with executable file extensions (e.g., .exe, .scr) unless you are absolutely sure they are safe.

Keep Software Updated

Step 1: Regularly update your operating system, web browser, and other software to patch security vulnerabilities.

Step 2: Enable automatic updates whenever possible to ensure that you have the latest security patches.

Educate Yourself

Step 1: Stay informed about the latest phishing tactics and scams.

Step 2: Read security blogs, follow security experts on social media, and attend security awareness training sessions.


This incident highlights the sophistication of modern scams and the importance of vigilance, even for technical experts.