Hackers leverage Google’s phone number, subdomains to attack victims


Scammers managed to call a victim using Google’s phone number, which is listed on the official support website, and then send an email from an official subdomain. It's unclear how threat actors might have abused Google’s features.

Software engineer Zach Latta, a founder of Hack Club, detailed an unusual attack on GitHub.

Someone named Chloe called Latta from 650-203-0000 with the Caller ID “Google.” As explained on Google's support page, Google Assistant uses this number for automated calls, such as making bookings or checking restaurant wait times.


“She sounded like a real engineer, the connection was super clear, and she had an American accent,” the developer said.

Scammers impersonating Google Workspace support warned that they blocked Latta’s account because someone logged in from Frankfurt and gained access to it.

Latta immediately suspected that this was a scam attempt. He asked for a confirmation by email.

To his surprise, the callers agreed and sent an email from a genuine Google subdomain, g.co. The message was indistinguishable from a real one, showed no signs of spoofing, and passed DKIM, SPF, and DMARC (the email authentication protocols designed to detect spoofing and phishing). Latta shared all the evidence in a post.
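The detail that the message passed DKIM, SPF and DMARC is worth making concrete, because those checks answer a narrower question than most people assume. The following is an added example, not code from the article or from Latta's post: it parses the Authentication-Results header a receiving mail server attaches, decides whether the message provably left infrastructure authorized for the From: domain, and phrases the verdict so that "authenticated" is not mistaken for "legitimate". Both header values are constructed for illustration; the hostname mx.example.net, the domain bulk.example.org and the function names are assumptions.

```python
import re

# Constructed sample headers (not from the article). The first is what a
# receiving server records when a message really was sent through a domain's
# authorized infrastructure; the second is what a forged From: produces.
AUTHENTIC_HEADER = (
    "mx.example.net; "
    "dkim=pass header.d=g.co header.i=@g.co; "
    "spf=pass smtp.mailfrom=g.co; "
    "dmarc=pass (p=REJECT) header.from=g.co"
)
FORGED_HEADER = (
    "mx.example.net; "
    "dkim=fail header.d=g.co; "
    "spf=pass smtp.mailfrom=bulk.example.org; "
    "dmarc=fail (p=REJECT) header.from=g.co"
)


def parse_authentication_results(value):
    """Parse an Authentication-Results header value (RFC 8601 shape) into
    {method: {"result": verdict, property: value, ...}}.
    Parenthesized comments such as "(p=REJECT)" are dropped first."""
    value = re.sub(r"\([^)]*\)", "", value)
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    results = {}
    for clause in clauses[1:]:          # clauses[0] is the authserv-id
        tokens = clause.split()
        method, _, verdict = tokens[0].partition("=")
        entry = {"result": verdict.lower()}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            if val:
                entry[key.lower()] = val.lower().lstrip("@")
        results[method.lower()] = entry
    return results


def _aligned(domain, from_domain):
    """Relaxed-style alignment: same domain, or one is a subdomain of the other."""
    return (domain == from_domain
            or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))


def origin_domain_verified(results, from_domain):
    """True only when the message provably left infrastructure authorized for
    from_domain: DMARC passed for an aligned From: domain, and at least one of
    DKIM (signing domain) or SPF (MAIL FROM domain) passed and aligns too."""
    from_domain = from_domain.lower()
    dmarc = results.get("dmarc", {})
    if dmarc.get("result") != "pass":
        return False
    if not _aligned(dmarc.get("header.from", ""), from_domain):
        return False
    dkim = results.get("dkim", {})
    spf = results.get("spf", {})
    dkim_ok = dkim.get("result") == "pass" and _aligned(dkim.get("header.d", ""), from_domain)
    spf_ok = spf.get("result") == "pass" and _aligned(spf.get("smtp.mailfrom", ""), from_domain)
    return dkim_ok or spf_ok


def triage(header_value, from_domain):
    """Short triage verdict for a support-style email: authentication proves
    which domain's infrastructure sent it, never that the request is genuine."""
    results = parse_authentication_results(header_value)
    if origin_domain_verified(results, from_domain):
        return ("authenticated: sent via infrastructure authorized for %s; "
                "this proves origin, not that the request is legitimate" % from_domain)
    return "not authenticated for %s: treat the From: address as forged" % from_domain


if __name__ == "__main__":
    print(triage(AUTHENTIC_HEADER, "g.co"))
    print(triage(FORGED_HEADER, "g.co"))
```

The design point is in `triage`: a passing result on a message from g.co is correct and expected, since the message really did leave Google-authorized infrastructure. What the checks cannot tell you is whether a legitimate feature of that infrastructure was driven by someone with bad intent, which is exactly the gap the callers exploited. Authentication results belong in a triage pipeline as one signal alongside the context of the request (an unsolicited call, pressure to tap a prompt on the phone), not as a standalone proof of good faith.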

According to Google, g.co is an official URL shortcut that is “just for Google websites.”

“You can trust that it will always take you to a Google product or service,” the landing page for the domain reads.

Scammers explained that the account was probably compromised through a Chrome extension. They had fraudulent LinkedIn accounts prepared as proof that they worked at Google.


“Chloe” tried to trick the developer into tapping one of the three numbers that popped up on his phone to “reset the account.” In reality, tapping the number would have handed the scammers access to the account.

The software engineer recorded the subsequent conversation when he was sure this was a phishing attempt.

“The thing that's crazy is that if I followed the two ‘best practices’ of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised,” Latta warns.

Google has not yet publicly addressed this specific issue. Cybernews contacted Google for comment and is awaiting a response. Meanwhile, it’s unclear how the scammers gained access to these Google features and subdomains.

Some speculate that the attackers may have obtained Google account credentials, which grant access to some functions but still require bypassing multi-factor authentication to take over the account and gain persistent access.

In the meantime, users are advised to exercise caution when receiving suspicious calls or emails and report any suspicious activity to Google's security team.