It's defunct now, but at the time it was a 1:1 replica of Coinbase. And the only reason I noticed was because 1Password didn't offer to fill in my credentials.

While knowing someone's email/password combo might not be enough for an attacker to do anything malicious on Coinbase itself (due to email re-verification maybe), the point is that even the smartest of us Hacker News users can fall for it. And that should scare the rest of us.

Don't trust incoming calls, text messages or emails.

Don't trust caller ID on your phone.

If someone calls you asking for information or to do something, ask for a case id or reference number. Hang up, call back on a number you get from a previous bill, back of your credit card, or by googling the company.

If anyone is pushing for something to be done urgently, stop. Hang up, don't take any action. Call a trusted other person and talk to them about it.

> Don't trust caller ID on your phone.

And if you're anyone of moderate fame, importance or cryptocurrency holdings, call back using a phone other than the one you received the call from. SS7 attacks remain relatively cheap , and redirecting an outgoing phone call placed to a phone number they know you're likely to call next is within the realm of feasible attacks.

And remember it's going to be the 4th or 5th link down, not the first.

I recently saved a friend from getting scammed when she wanted to buy an audiobook, we wanted to avoid Audible because of the DRM and limited device selection.

The first few results she got were some shady services offering really good deals. I looked them up on trustpilot and they weren't outright scams, but they aggressively pushed you into getting an expensive monthly subscription that was basically impossible to cancel.

Now, many of my search results suck due to SEO and whatnot, but that’s a different story.

This is honestly the #1 piece of advice to give friends and family.

Almost every scam is predicated on urgency.

I generally refuse to give any number if I can help it. I can count on one hand the number of unsolicited calls/texts I've gotten.

How often does a rocket scientist deal with computer viruses, or phishing emails, etc compared to a security expert? Most of the time, their IT security expert (ideally) stops it before it gets to them..

Engineering the thing to not rip itself apart, melt, or explode is the hard part.

One of my friends is a nuclear physicist from TU Delft and they somehow managed to install a fake clone of Chrome haha. Somehow never got their accounts broken into or money stolen.

This is one of the reasons scammers like to target doctors.

Now if 1Password shows nothing to auto-fill I make damn sure I'm on the right site.

Nice, I always hope this will save me but I never landed on such a phishing site. How did it happen for you?

About domain-based autofills, perhaps less so now than 5-10 years ago: it always seemed weird that the whole security industry seemed to say these plugins, or the browser's built-in password store, are dangerous because there were past vulnerabilities and any website you visit can exploit it. The way I see it: vulns get fixed, I just need to not be in the 1st wave of persons they target (risk type: plane crash, very small odds but sucks to be you); receiving phishing emails or messages happens constantly and apparently it works well enough to continue doing it and evading filters constantly (risk type: car crash, can happen and they get only the creds for the website being autofilled). Would recommend to anyone who then realises something is up when the autofill doesn't work, but ideally would have more evidence to back that up

Just copy one of Coinbase's legit emails for something like "A withdrawal of $1,200 USD has been started" and you have the perfect bait.

Well, ok then.

But you didn't fall for it, a simple password manager technique worked as advertised?

There’s indeed a lot of them :)

You might want to install some browser extensions to block content. Then block all content (set to whitelist) and selectively add the sites you know.

If you end up on a new site with some amalgamation of letters that look familiar, the extension will rightfully block it and prompt you whether you want to whitelist or not. Big ole' red flag right there.

Of course it's not foolproof. It is just another layer in the strategy of defense-in-depth.

It has saved me a few times where some rogue javascript tries to redirect me to some unexpected site, and the destination site simply doesn't load.

Combining that with Multi-account container should make it easier to manage ?

I just want every new machine to have my extension settings, but then it's four hours later and I'm trying to check if some policy file was obsoleted in version 60

Such a time sink

Google in particular is famous for making it impossible to contact a human. If Google calls you, before picking up, consider whether you truly believe you're lucky enough to be one of a handful of people in the world to ever get human support from them.

If you ever get a cold call from "Google Support", it's basically guaranteed to be a scam.

Very occasionally you might be making some poor customer support person's job harder, but the vast majority of the time you'll be hanging up on a scammer. You can be polite about it, but firm and brief. "It's my policy to always call back no matter what, nothing personal."

But I do agree with you. They can leave a message and a way to contact back if its important and I can take my time doing research. The urgency part is what's caught so many high profile people off guard.

You don't have to pretend to be confused.

The industry of Indian scam call centers is not a crazy conspiracy invented by racists.

Nor was the industry of Indian legitimate call centers.

You cannot glean any useful signal of legitimacy from the caller's accent.

That's the WTF.

It’s not an indicator.

The accent of the caller is not a useful signal.

The very fact that they called you is a pretty good indication that you do not want to talk to them. 99% strength.

Low-margin businesses will hire low-cost support on whatever continent it's available.

Doesn't matter how familiar their accent sounds.

They are not calling for your benefit.

No need to get xenophobic about it.

High-margin businesses usually have passable or good support. If your vendor of choice does not, you have chosen the wrong vendor and should switch. There are other options that do a better job.

If they are in my contacts I will recognise their voice.

[1]: https://news.ycombinator.com/item?id=42450221

> Hack Clubbers have determined that this is almost definitely a bug in Google Workspace where you can create a new Workspace with any g.co subdomain and get it to send some emails without verifying that you own the domain.

Seems like this is the flow:

1. Create a Google Workspace with a g.co subdomain. Apparently this is not verified, or verifying the domain is not necessary for the next steps.

2. Create an account for the victim under this Google Workspace.

3. Reset that account's password.

The victim gets an email from Google Workspace informing them that their password was reset. And this email is a real, legitimate (not spoofed) email from Google because it's just a result of the normal password reset process for a Google Workspace account.

How about a law with teeth?

We allowed email to be the wild west for years and I'm not sure it's better than telephony now

It's definitely a glitch where you can send emails/transactional emails from an unverified Google Workspace. My guess is that their are protections for google.com and google domains but they forgot to add the g.co domain, which allows unverified sending to g.co and creation of workspaces.

I always verify that I'm actually fucked and then take action. This seems counter-intuitive but the deluge of phishing emails makes me feel this is the safest option. I'd rather wait to notice a fraudulent charge and dispute it, than leak info to a random SMS number that claims (possibly truthfully) that someone in Japan spent $9000 at the gucci store.

Caller ID being spoofed is the wrong way to think about this. It's just that if someone walks up to you and says "Hey, I'm Jean d'Eau and I'm President of the US" you don't think to yourself "oh yeah he's definitely President and that's his name".

People can always tell you they're whoever they want to be. You can either believe it or go find out if they are.

> The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.

He didn't follow the first of those best practices. He just looked up a phone number that the caller also read out to him, and didn't call it. And "Solomon" also explicitly told him he couldn't call.

I honestly think that at this point, no incoming phone call can ever be trusted.

The phone number best practice has always been constructed as "call them back at a known good number, preferably one written on paper or on your card". You certainly don't ask them to show you where on the company website the phone number is listed.

And asking the person on the phone with you to send you an email from a specific domain is likewise not something I've ever seen recommended: that's one of several things you check to see if an email is phishing (And only one of several! A good domain isn't enough to clear an email!) But if you're already on the phone with someone suspicious, the best practice has always been to get off the phone with them immediately and call a known number, not to ask the caller to prove themselves.

None of this is to blame OP for misunderstanding, it's just very clear that we need to do better at communicating these rules out to the world.

But you're right: simply say "given that this is a sensitive security matter, thank you for the heads up. Don't call me, I'll call you (click)"

I'm sorry I'm going to have to call you, instead of you calling me

Of course, the company phone number is right in the footer of the website.

-- goes to open website from last email sent from company, goes to colnbase.com.

They can't. And they haven't been for a while. Spoofing phone calls is simply too easy, and nothing is being done to fix that, despite the fact that it puts so many of us at risk. It's not an insurmountable problem, technologically. It is literally a lack of will and outcry from ordinary people, despite how often this fact is used to abuse so many.

Credit Card companies have known this for a long time. My credit card company will call and say "do not call back to this number, call the number on the back of your card and use this reference number".

That should absolutely be the norm at this point.

https://en.wikipedia.org/wiki/STIR/SHAKEN#STIR

It's not all the way there, I guess.

This is where a big mistake is. Always, ALWAYS phone or contact back using the company’s official channels. Because if they have sufficient info about you, scammers can make a call sound hella legitimate, but one thing they still cannot do is pick up the company’s phone for them when you phone in. Especially if you call from a hardline, which requires compromising the phone company’s switching equipment.

Even my father, nearly 86 with a 5th grade education and slowly sliding into dementia, knows better than to uncritically accept being directly contacted. He’s already short-circuited several scams (of various types) in the last few years by hanging up and phoning back in himself.

I forget the details, but most of the country was wired in a manner that both parties of a call had to hang up to end the connection.

You might hang up, go find the official phone number, but when you pick the phone off the cradle you would still be in the previous call. They could fake the dial tone and you would be none the wiser.

I remember pranking friends with this back when I was young. Harmless stuff.

This was useful if they called you and you answered in the kitchen, but wanted to run to another room to talk. Not that I think it was designed to be a feature! But I used it that way.

If you didn't trust the caller, you could hang up, wait 10 seconds, then get a good clean real dial tone. Remember dial tones?

Anyway none of this is relevant in modern switching systems, much less cellular networks.

More likely population density/growth in the region. Most of the US was all Bell System at the time.

If the area was urban, or growing quickly (adding new phone subscribers), they'd get the newer electronic (ESS) switches first, starting around the early 1970s.

If the area was suburban and population-stable, the electromechanical crossbar switches would live on for another 20+ years.

There were some rural parts of the US using even older Strowger/SxS switches until the mid 1980s at least, probably later!

There's a great story about the development, by a Mr. Strowger, of the first electromechanical telephone exchange switch. Previously, calls were connected manually, by operators. Mr. Strowger was an undertaker, and he believed that the operators were sending callers to his competition unfairly. So he invented an automatic switch to remove the human element.

I’ve heard this one before. Wasn’t the wife of one of his competitors actually the operator in question?

Sorry, correcting myself:

If the initiator of the call hung up, the call would be ended immediately.

If only the receiver hung up, the call would remain "live" and resumable for about 8 seconds.

I have no idea where I'd find one of those.

The problem, and the reason why that scam approach works half the time, is that calling back is a huge PITA these days between 1) endless routing menus or some "smart" AI bot that is f*ing useless (seriously, I have never been helped to my satisfaction by one of those), 2) long long long hold times to get to a human, if you ever do, because every single company is always "expecting greater than usual call volumes" -- wtf? call volume distributions are Gaussian, ok? so adjust accordingly.

In reality the number your phone carrier provides is basically a guess. It does in no way guarantee who is calling you.

They can't control the contents of the message, but they used the gmail "+" feature to cram the "case ID" onto the target email they created the Workspace account for, making that seem real.

Never trust an incoming call, especially if it's talking about authentication problems you didn't know you had.

Googler, opinions my own (and I'm not an expert in this particular space).

(I know it wouldn't necessarily have stopped this phishing attempt.)

(I have to admit I haven't used the UI in question, and I can't find a screenshot of it on Google Images. Maybe this is a lot safer than I'm imagining.)

Still, remember this is MFA - at least I'm pretty sure you can't have this as the only way to access your account. An attacker typically needs your password plus you to misclick here.

https://www.reddit.com/r/googleworkspace/s/NtJpputXtg

There was something in Google workspace that allowed the scanners to have an email sent to them, AND an additional and of their choice. But when I asked about calling them back, I was told that wasn't possible, which made me suspicious.

-> There is a sophisticated one where you can take over an account via the Account Recovery flow, that is still actively abused; tried to report, got "not a bug, triaging as abuse risk"

So, com.example.shop@example.org for https://shop.example.com account(s). I've recently switched to a randomized username part, as bitwarden supports this well.

This has saved me numerous times from scams². Because scammers would email me on the wrong address. Either they'd mail me on an adress listed on my website, when the actual company would've mailed on the unique address I gave them (more targeted phishing). Or they'll mail me on an address that I know to be leaked (these are redirected to spam in filters).

I am convinced there's an actual solution to a lot of scamming here, if the UX and UI are carefully designed. To be used by "muggles", not just the crowd that knows things like filters and catch-alls and plus-appended etc. It's a pity Google, Microsoft or even proton aren't actively promoting such a "unique mail for every service". But I guess there's little in it for them.

¹ used to self host, but now that's near impossible with the monopolies on mailserves at big tech and moved to mailbox.org. big shoutout!

² aside from the other great benefit. I'm often one of the first to know some service or site was compromised by receiving scam, spam etc. A few times I was even the one to report a breach to such an org via this.

The good part is the that aliases are inconspicuous @icloud.com email addresses that don't follow a specific pattern and are thus:

1) Accepted everywhere (contrary to custom domains — which I also have).

2) Are pretty much impossible to detect ahead of time.

————

For illustrative purposes I just clicked several times on the generate new Hide My Email button and it returned those:

  pie.tall9x@icloud.com
  
  drivels_eras4x@icloud.com
  
  showier.sizzle-7y@icloud.com

I actually have a domain I setup with Fastmail just for burner addresses, but Apple offers enough additional functionality (easier to use, tracks the site I created it for and when) that I keep using Apple's offering.

Starting at 1:58 here: https://cloud-3s03ljpcy-hack-club-bot.vercel.app/0call_recor...

Emphasis mine.

Also, if a human called me and claimed to be working for Google, I would laugh heartily and hang up the phone. Google doesn’t even have call in tech support, why would they call you for something as banal as a compromised account?

A non tech person wouldn't know Google has bad support and is unlikely to call you, that a number and email can be spoofed, etc. And even if 99% didn't fall for it, just 100 calls gets the scammer a victim on average.

Nope. Rule #1 in today's environment is never pick up the phone. If you're not expecting the call they can leave a message. And if it's something you think is legitimate, get the authentic number from a reputable source.

The best practice I live by is always call them back yourself. Looking up the phone number is not the same.

The goal isn't to protect against phishing or social engineering, but against people accidentally approving a sign-in they didn't initiate.

There's a screenshot of what this looks like here: https://gist.github.com/zachlatta/f86317493654b550c689dc6509...

https://support.google.com/business/answer/6212928?hl=en

Disappointingly, it only says how to identify automated calls from Google, it doesn't offer a protocol for verifying actual humans from Google calling you. Perhaps it happens so rarely you can just assume it's not Google.

Now to be fair they all end up in the spam folder, but these are emails sent from noreply@appsheet.com (SPF passing and originating from a Google IP), albeit with a phishing FROM name like "Meta for Business". I have hundreds of these in my spam folder, telling me that my Meta campaigns (I don't have any Meta campaigns and don't interact with that business at all) have been suspended, etc, clearly hoping to takeover someone's Meta business account.

Like when Google's Calendar invites were massively used for spam, I just don't understand how that company rolls out services and doesn't foresee the malusage.