
What I'm most curious about is how they were able to spoof the email being sent from `workspace-noreply@google.com`. Given the odd phrasing of 'password for important.g.co', perhaps this is some strategy involving creating a 'parallel' account with the same email and making use of it to send an official-looking email as part of the scam?





Most likely they did something like sign up for "important.g.co" in Workspace, then added the target as a user, then reset that user's password, causing Google to send a real, verified, from-Google message.

They can't control the contents of the message, but they used the gmail "+" feature to cram the "case ID" onto the target email they created the Workspace account for, making that seem real.
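As an added illustration (not code from this thread, and not Google's), here is a small Python helper that canonicalizes an address the way Gmail delivers it (dots in the local part ignored, everything from "+" onward dropped, googlemail.com folded into gmail.com) and surfaces the "+" tag separately, so a mail client, triage tool or support desk can see that an address like "victim+case-id-…" is simply the base mailbox with text appended. The sample address and the keyword heuristic are constructed for the example; plus-tag splitting is applied to every domain because it is a widespread convention, while dot-folding is applied only to consumer Gmail, where Google defines that behaviour.

```python
import re

# Domains where Google ignores dots in the local part (Gmail behaviour).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed heuristic: words that make an appended tag read like an
# official reference number rather than a personal filter label.
SUSPICIOUS_TAG_WORDS = ("case", "ticket", "ref", "support", "id", "verify")


def canonical_address(address):
    """Split an address into (canonical_address, plus_tag).

    '+' sub-addressing is split off for every domain (common convention).
    Dot-folding and the googlemail.com alias are applied only to consumer
    Gmail, where Google defines that behaviour.
    """
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    base, _, tag = local.partition("+")
    if domain in GMAIL_DOMAINS:
        base = base.replace(".", "")
        domain = "gmail.com"
    return f"{base.lower()}@{domain}", (tag or None)


def same_mailbox(a, b):
    """True when two addresses deliver to the same canonical mailbox."""
    return canonical_address(a)[0] == canonical_address(b)[0]


def tag_looks_like_reference(tag):
    """Flag plus-tags that mimic a case/ticket number (constructed heuristic)."""
    if not tag:
        return False
    words = re.split(r"[^a-z0-9]+", tag.lower())
    return any(w in SUSPICIOUS_TAG_WORDS for w in words)


def describe(address):
    """One-line summary a client or triage tool could show next to the header."""
    canon, tag = canonical_address(address)
    if tag is None:
        return f"{canon} (no plus-tag)"
    flag = " [tag resembles a case/reference number]" if tag_looks_like_reference(tag) else ""
    return f"{canon} with plus-tag {tag!r}{flag}"


if __name__ == "__main__":
    # Constructed sample in the shape the thread describes.
    sample = "Jane.Doe+Case-ID-48213@gmail.com"
    print(describe(sample))
    print(same_mailbox(sample, "janedoe@googlemail.com"))
```

The useful defensive output is the canonical form shown beside the raw header: once "Jane.Doe+Case-ID-48213@gmail.com" is displayed as "janedoe@gmail.com with plus-tag 'Case-ID-48213'", the appended text stops looking like something Google generated.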


But how did they MITM the verification code? Were the first two presented to the attacker, and the rest presented to the email? Or were they able to MITM the whole email/code and just shared the first two to gain trust?

This sounds like they were using the "tap a button on your device" 2FA method (see https://support.google.com/accounts/answer/7026266). Not sure of the details as to how they got to that page in the first place, though the docs say that you can potentially use it to recover your account.

Never trust an incoming call, especially if it's talking about authentication problems you didn't know you had.

Googler, opinions my own (and I'm not an expert in this particular space).


When you use a device to do 2FA, Google will display one code on the logging in device screen and three on the 2FA screen. This is so that the user doesn't just blindly hit accept on the Gmail/YouTube app that hosts the 2FA prompt.

A one in three risk of hitting the wrong button still seems insanely high to me. Why is this 2FA method deployed instead of things like "enter the code here"?

(I know it wouldn't necessarily have stopped this phishing attempt.)


It should be much less than one in three, because the user doesn't get conditioned to "just tap one of the numbers and it goes away". The way to consistently dismiss the interruption is to tap the fourth button labelled something like "what, no, that wasn't me".
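To make the mechanism from the two comments above concrete, here is an added Python model of a number-matching push prompt. It is an illustration, not Google's implementation, and its details (two-digit numbers, three candidates, hex challenge ids, a single-use rule) are assumptions. The point it shows is that the correct number and the decision live on the server: the phone only receives the candidate list plus a separate decline button and reports which one was tapped, so an approval requires the number from the login screen to reach the person holding the phone, and a wrong tap burns the challenge instead of allowing a retry.

```python
import secrets
from dataclasses import dataclass

DECLINE = "no_it_wasnt_me"   # the fourth button; never counts as an approval
NUM_DECOYS = 2               # assumption: three numbers shown on the phone
MAX_NUMBER = 100             # assumption: two-digit codes, 0-99


@dataclass
class Challenge:
    challenge_id: str
    correct: int        # known to the server and shown on the login screen only
    options: list       # numbers the phone displays, in display order


class NumberMatchVerifier:
    """Server side of a number-matching prompt (toy model, not Google's code)."""

    def __init__(self):
        self._pending = {}

    def issue(self):
        """Start a login prompt.

        Returns (challenge_id, number for the login screen, list for the
        phone). The phone list never indicates which entry is correct.
        """
        correct = secrets.randbelow(MAX_NUMBER)
        decoys = set()
        while len(decoys) < NUM_DECOYS:
            d = secrets.randbelow(MAX_NUMBER)
            if d != correct:
                decoys.add(d)
        options = [correct, *decoys]
        for i in range(len(options) - 1, 0, -1):   # Fisher-Yates with a CSPRNG
            j = secrets.randbelow(i + 1)
            options[i], options[j] = options[j], options[i]
        cid = secrets.token_hex(8)
        self._pending[cid] = Challenge(cid, correct, options)
        return cid, correct, options + [DECLINE]

    def respond(self, challenge_id, choice):
        """Decide one tap. Each challenge is single-use: a wrong tap cannot be
        retried, and a second answer for a consumed challenge is refused."""
        ch = self._pending.pop(challenge_id, None)
        if ch is None:
            return "denied"
        if choice == DECLINE:
            return "declined"
        return "approved" if choice == ch.correct else "denied"


if __name__ == "__main__":
    v = NumberMatchVerifier()
    cid, on_login_screen, on_phone = v.issue()
    print("login screen shows:", on_login_screen)
    print("phone shows:", on_phone)
    print("tapping the matching number:", v.respond(cid, on_login_screen))
    print("answering again:", v.respond(cid, on_login_screen))
```

Because `respond` pops the challenge, a blind tap on a wrong number ends that login attempt rather than leaving two more chances; the decline button is a distinct value, so it can never collide with a candidate number.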

Yeah, good point. But I still think it's too much risk to place on a potential errant click.

(I have to admit I haven't used the UI in question, and I can't find a screenshot of it on Google Images. Maybe this is a lot safer than I'm imagining.)


I had it just today, it's slightly worse than I was remembering! The "Cancel" button is way less prominent.

Still, remember this is MFA - at least I'm pretty sure you can't have this as the only way to access your account. An attacker typically needs your password plus you to misclick here.


Unclear why. You have to hit a prompt that says "Yes, this was me" and then pick a button. The approach airplay takes to pair: type in 6 digit code. That seems better to me.


