Google's official URL shortcut is compromised \ stacker news ~security

pull down to refresh

Google's official URL shortcut is compromised gist.github.com/zachlatta/f86317493654b550c689dc6509973aa4

2075 sats \ 20 comments \ @nym 24 Jan security

g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.

Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown.

Someone named "Chloe" called me from 650-203-0000 with Caller ID saying "Google". She sounded like a real engineer, the connection was super clear, and she had an American accent. Screenshot.
They said that they were from Google Workspace and someone had recently gained access to my account, which they had blocked. They asked me if I had recently logged in from Frankfurt, Germany and I said no.
I asked if they can confirm this is Google calling by emailing me from a Google email and they said sure and sent me this email and told me to look for a case number in it, which I saw in the email string. I asked why it said important.g.co and she said it was an internal Google subnet.

OK, so that can't be from a google.com email, right? It must be a spoofed email using g.co, which doesn't have DKIM / SPF turned on - right? Nope.

view all related items

347 sats \ 1 reply \ @SimpleStacker 24 Jan

That's crazy. But to me the least believable part is that someone from Google would ever call me directly. I mean, have you tried talking to a real person at a tech company before?

12 sats \ 0 replies \ @Bell_curve 18h

don't answer your phone

26 sats \ 0 replies \ @dingding541 24 Jan

And our scam radars are pretty alert but this is the scammers stepping up another level.

Scary for us

Disastrous for normies

135 sats \ 6 replies \ @ek 24 Jan

The first evidence that it was a scam was that you received a call from Google support

9 sats \ 5 replies \ @Bell_curve 18h

exactly

@nym considers himself or herself a privacy expert ... time to change your credentials otherwise it's misinformation and borderline fraudulent advertising

0 sats \ 4 replies \ @nym OP 15h

I’m not selling anything

0 sats \ 3 replies \ @Bell_curve 15h

privacy enthusiast

"I don't do Telegram"

you don't sell anything now that you have been humbled

0 sats \ 1 reply \ @nym OP 13h

I had to mute my first person on SN unfortunately. I didn't realize they were a troll at first.

0 sats \ 0 replies \ @Bell_curve 5h

I guess that first person is me

Do I win a prize?

Announcing that you are muting someone is a sign of mental illness

0 sats \ 0 replies \ @nym OP 13h

deleted by author

49 sats \ 0 replies \ @Aardvark 24 Jan

I'm just waiting for the phone call from my dad telling my his robinhood account got drained.

Probably time for me to call him with another reminder that anyone calling him for any reason is trying to steal from him.

24 sats \ 0 replies \ @JesseJames 24 Jan

Here is the conclusion: Stop using google...lol

15 sats \ 0 replies \ @WeAreAllSatoshi 17h

I would suggest block-quoting the copy-pasted text so readers on SN don’t think this is your original content, but rather from the shared link

4 sats \ 0 replies \ @jamalderrick 13h

Yeah if any corporations calls me without me calling first or submitting a claim ticket of some sort, I hang up immediately!

6 sats \ 1 reply \ @Bell_curve 18h

next time, wait 24 hours and see what happens

or sleep on it

I mean you are the self proclaimed privacy expert

after all you don't use or trust Telegram but you trust random phone calls... how do you reconcile these contradictions? stupidity?

for someone who is so quick to dismiss Telegram with more than a hint of arrogance and condescension, you have zero excuse

send unrecognized calls to voicemail

Chloe is a stripper name

4 sats \ 0 replies \ @Bitcoinisawesome 13h

Chloe is my cats name you son of a bitch

23 sats \ 0 replies \ @sasasuina 25 Jan

That's just ridiculous—it gave me cold sweats just reading!

21 sats \ 0 replies \ @john_doe 25 Jan

Impressive. Because of my setup (SMS only voip number) I can't get scams this way but good to know for average people it got this far. A reply on the GitHub gist says it was likely using Google Assistant AI for the voice. An AI detecting AI scams could be a good business idea.

20 sats \ 0 replies \ @NovaRift 24 Jan

What a scammy world it is becoming. Sometimes this panics me; what if I am the next? 😂 But yeah, a major red flag here is that big FAANGs don't call you.

15 sats \ 0 replies \ @JesseJames 24 Jan

IPs check though, so not sure.... call from them is a big red flag for me...