Google's official URL shortcut is compromised
https://gist.github.com/zachlatta/f86317493654b550c689dc6509973aa4
g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.
Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown.
- Someone named "Chloe" called me from 650-203-0000 with Caller ID saying "Google". She sounded like a real engineer, the connection was super clear, and she had an American accent. Screenshot.
- They said that they were from Google Workspace and someone had recently gained access to my account, which they had blocked. They asked me if I had recently logged in from Frankfurt, Germany and I said no.
- I asked if they can confirm this is Google calling by emailing me from a Google email and they said sure and sent me this email and told me to look for a case number in it, which I saw in the email string. I asked why it said important.g.co and she said it was an internal Google subnet.
OK, so that can't be from a google.com email, right? It must be a spoofed email using g.co, which doesn't have DKIM / SPF turned on - right? Nope.
originally posted at https://stacker.news/items/862671