Sophisticated Google Phishing Attack Exploits Official g.co Domain
A sophisticated phishing attack targeting Google accounts has been uncovered. The attackers exploited Google’s official URL shortcut, g.co, to deceive their victims. Notably, this attack nearly outsmarted even technically savvy users. Through a multi-layered approach, the perpetrators deliberately abused trust in Google's brand and infrastructure.
The attacker, posing as a Google engineer named “Chloe,” contacted the victim through a spoofed phone call, with the caller ID manipulated to appear as “Google.” During the conversation, they claimed that the victim’s account had been compromised from Frankfurt, Germany, and offered to help secure the account. To bolster their credibility, the attacker sent an email that appeared to originate from a legitimate Google domain: important.g.co. The email contained a case number and detailed instructions. The use of the official Google domain g.co further enhanced the illusion of authenticity, making it difficult to recognize the message as fraudulent.
It appears that a vulnerability in Google Workspace was exploited, allowing the creation of a new Workspace account with any g.co subdomain and enabling email sending without prior verification of the subdomain.

The attacker provided a phone number that was actually listed on Google’s official support page, further enhancing the appearance of legitimacy. However, inconsistencies arose during the conversation, such as conflicting instructions for callbacks and questionable explanations regarding account security. Ultimately, the attacker attempted to gain access by sending the victim a reset code to their device. Had this been entered, the attacker would have obtained full control over the account.
The victim, growing increasingly skeptical, recorded the call and identified additional warning signs. These included a fake two-factor authentication SMS and a suspicious LinkedIn profile that could not confirm the attacker’s alleged identity. Even though the victim followed best security practices, such as verifying the phone number and analyzing the email domain, those checks did not expose the scam, and the victim only narrowly escaped it.
This incident highlights the alarming sophistication of modern phishing attacks. By abusing trusted domains and skillfully applying social-psychological tactics, scammers can trick even the most cautious and technically versed users.
A detailed description of this phishing attack has been published on GitHub.