Conversation

BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 18-Dec-2024 22:30:46 JST

    Today's story features interviews with two recent cryptocurrency heist victims (one who lost > $4.5M) who were hit by the same scammers. The fraudsters used:

    - Google Assistant to automate outgoing calls to victims warning of a security incident with their account, and to press 1 to speak to a rep;

    - An email from google.com warning about an email hacking incident, including the name and phone number of the Google rep who will be calling. The alerts were sent via Google Forms, which makes them come from google.com.

    - Victims were convinced someone had taken over their accounts when they received an alert pop up on their mobile from Google, asking if they were trying to recover access to their account. By this time, the victims were convinced they were talking with Google, and clicked "yes, it's me" trying to recover access:

    How to Lose a Fortune with Just One Bad Click

    Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click “yes” to a Google prompt on his mobile device.

    https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad-click/


    Attachments:
    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/674/032/646/679/609/original/1f473d7ad5451fbc.png
    Rich Felker (dalias@hachyderm.io)'s status on Thursday, 19-Dec-2024 01:18:11 JST
    in reply to jzakotnik

      @jzakotnik @briankrebs Clicking yes to a prompt on mobile is a complete non-starter. Even allowing that kind of "2FA" (bad 1FA) to exist is a non-starter. With a deGoogled device it's not a thing.

    jzakotnik (jzakotnik@mastodon.social)'s status on Thursday, 19-Dec-2024 01:18:12 JST

      @briankrebs I would have stopped the process at the point where a "Google rep" is supposed to call me. I can't imagine that Google employs people who call users. This is not very plausible.

    BrianKrebs (briankrebs@infosec.exchange)'s status on Thursday, 19-Dec-2024 03:30:50 JST

      "Tony told KrebsOnSecurity that in the weeks following the theft of his 45 bitcoins, he became so consumed with rage and shame that he was seriously contemplating suicide. Then one day, while scouring the Internet for signs that others may have been phished by Daniel, he encountered Griffin posting on Reddit about the phone number involved in his recent bitcoin theft.

      Griffin said the two of them were initially suspicious of each other — exchanging cautious messages for about a week — but he decided Tony was telling the truth after contacting the FBI agent that Tony said was working his case. Comparing notes, they discovered the fake Google security alerts they received just prior to their individual bitcoin thefts referenced the same phony “Google Support Case ID” number."


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.