> Be skeptical of unknown calls. If something feels off, hang up and restart the conversation by contacting the company directly.
I wonder sometimes how many scams I've avoided simply by pretty much never answering my phone when someone calls unless I'm expecting a call or it's someone I know.
> The attacker already had access to my Gmail, Drive, Photos — and my Google Authenticator codes, because Google had cloud-synced my codes.
I usually don't answer calls from numbers I don't recognise - but a couple of days back it was a scammer claiming to be from Amazon - said I had ordered an iPhone for £600 and was it a real order.
I was pretty suspicious but thought I would get them to authenticate their identity as someone really from Amazon by telling me the last thing I had really ordered was...
I must have stayed on the call for 20 minutes, eventually they ended up swearing at me - all the time I could hear other people in the same room trying the same lines on different people. I have no idea why I stayed on for so long....
The biggest red flag in all these stories is getting a call from a customer support person trying to help you.
When it seems like it’s impossible to get ahold of them in a real emergency.
It doesnt seem to be a red-flag. The caller was calling as an Attorney from Google General Counsel responding to an estate request. They followed up with a spoofed @google.com email with their name corroborating the call.
I've set my phone to not answer unknown callers (those not in my address list) and more importantly, I've done this for my parents as well and further instruct them as often as possible to not believe anything they get in email. With all of this, my mom still will reach out at least once or twice a year in a panic about some scam email she thinks is real.
Well easy to say, but if you are working in the real world, then unknown callers may be important - i.e. FedEx trying to push your package through the customs and if they can not contact you, your package goes either back or is destroyed.
If you have an iPhone, the latest iOS 26 will answer unknown numbers not in your address book for you and ask what they want and then alert you to see if you want to take the call.
They gained access to the Google account by stealing the verification code over the phone, but then they had easy access to other accounts (e.g. coinbase) because they had access to 2FA codes because Google authenticator was backed up to the users Google account.
The attacker had access to the Google account which includes passwords from Chrome and also the 2fa codes stored in Google Authenticator, because those were synced to Google without the author noticing it.
So with passwords and 2fa the attacker could login to Coinbase too.
I have a 1-2 second rule. I pick up I say hello, if someone doesn't respond in 1-2 seconds, I hang up.
They have the scammers working off phone queues, it takes a little bit of time to get the call to the scammer, who has to start off with a script, so there's a delay.
Remember, the scammer, also likely not a native english speaker, also probably bored out of their mind, has to spin up, they have to read the name, understand how to say it and then say it out loud. Their is a mental startup time that a normal conversation doesn't have.
If someone calls you and isn't ready to immediately respond to "hello" it's a scammer.
I try to avoid picking up and saying anything because it seems like an advertisement "yes, this number is not only active but a real person who answers random calls - try calling back (possibly from a different number) later".
As of late, I have one rule: Any unknown number I'm not expecting I let it go to voicemail, where I have a message along the lines of: leave your message and your number, and if it's important I'll call you back. The only time I pick up is when I am expecting, say, a delivery, or a doctor's call, etc, and in those cases I'm only expecting to hear about a delivery or a doctor's call, etc. Hoping that can filter and help on this front.
Thanks for sharing. I already had it in the back of my mind that this cloud sync thing in Google Authenticator was not very secure. I'm getting rid of it right now.
I do see why Google did it; it's going to be difficult to educate users to always set up 2FA both on a primary and a backup device. Much easier and convenient to automatically sync different devices. But your story makes it obvious that something isn't quite right here.
The load bearing question is, why didn't the attacker also clear out OP's bank account, retirement savings, and max out his credit cards? Unfortunately, the difference is that banks care literally at all about their customers accounts being emptied.
What I specifically mean by "care literally at all" : banks have a policy of reimbursing people who had their accounts emptied despite taking reasonable precautions. This creates sane, linear incentives: banks care 1000x more about a $100,000 fraud than a $100 fraud; they care 1000x more about a scam affecting 100 people than a scam affecting one person, etc.
Unrelated, but for added spice, here's a thread from ten months where everyone agrees you're a fool unless you secure your coinbase account with google authenticator
In my actual real world experience of digging my elderly mother out of $25,000+ of scam debt, banks do not care at all unless they can be shown to be at fault, and then they weigh the loss expense vs the likely legal expense.
This is one of the main reasons I don't like crypto. If you get hacked, even if you did everything right, then you're out of luck. The funds are (generally) unrecoverable.
With my bank, I've been able to recover several thousand after a thief was able to bypass the 2FA app used to verify large transfers. (I still don't know how they were able to bypass the verification, and after investigating our bank never told us. Not sure that makes me feel all warm and fuzzy, but at least I was made whole with minimal fuss.)
And transferring money from a bank or brokerage account takes time. Enough time that anyone paying attention should be able to report the transfer as fraudulent before it completes and have the account frozen.
Extending this further, based on the stated value it looks like he probably had 40 or 50 ethereum. He might have bought them for a fraction of today's price - say $50 - so might only be out $2500 based on cost at transaction time...
They probably sent it from gmail which would pass the SPF check (google.com and gmail.com have the same SPF).
They wouldn't have it signed to pass DKIM, but google doesn't use strict alignment checking so to pass DMARC either SPF or DKIM are acceptable.
> Wouldn't the Apple account reject it because it fails DKIM/etc?
Yeah, I would be curious to see the actual email headers of what was received.
As an aside, fun fact, this would not be possible with @apple.com because Apple employees have old-school S/MIME signatures as an additional security layer.
How did they get the passwords to his Google and Coinbase accounts? He reused passwords? The same one for Google as for Coinbase? Or did they reset his Coinbase password via his Gmail? The post doesn't make this explicit, but it warns against password reuse.
I believe they logged into coinbase with Google SSO. And then they used my Google Authenticator codes which were cloud synced as the second factor auth method.
A warning to auth engineers: if an account is using a Gmail address, then auth codes from Google Authenticator should not be considered a second factor.
This isn't something "auth engineers" can control, there's no magic Google Authenticator flag on a 2fa code - it's all HMAC and numbers, you don't know if the code came from Authy, Google Auth, a homebrew code generator, a dongle, etc.
But how did they get his Gmail password in the first place?
I'm not sure if I have the same password reset flow as OP, but when I try to reset my password and even provide the 2fa code, it basically doesn't let me get past a certain point without contacting my backup email address or making me use a phone which I'm logged in on to complete the reset
Always confirm such things by calling the official contact number that you already have and asking about the case. Do this before you discuss the matter further.
Never act based solely on an unsolicited telephone call or email.
The attacker had the passwords and 2fa codes from the Google account so Coinbase couldn't really distinguish them from the right person (tho presumably for large transfers they may require some extra checks, dunno)
The article is poorly written and not clear. It sounds like you're suggesting the author let Chrome save his Coinbase password and Google synced that to the attacker as well?
> Google had cloud-synced my codes.
> That was the master key. Within minutes, he was inside my Coinbase account.
Can someone please explain to me what it means for authenticator codes to be “cloud-synced”? Is that solely dependent on whether you’re using the Google Authenticator app while signed in to your Google Account? Is it possible to not have them “cloud-synced” if you are signed in?
Google Authenticator app defaults to backing up the TOTP secrets so if you log in on a new device you have them there. Pretty poor default for security, and you can disable it, but not the first time I've heard of this biting someone.
Which is why most apps with sync have two sets of credentials: one to login on the platform and one master password for encryption. That helps in those scenarios.
You mean to say that if it were enabled on my Google account, then the TOTP numbers for my other accounts are visible via authenticating into Google Account on some other unknown device? Sounds like it could be convenient if you lose your phone, but still risky if an attacker can sign into your Google Account.
Google Authenticator can be local-only or synced to the cloud.
In local-only mode, the authenticator is bound to a specific device. You can manually sync it to additional devices, but if you lose access to all those devices, it's game over, you will get locked out of whatever accounts you secured with authenticator as the second factor.
In cloud-synced mode, it's synced to your google account, so if you lose your phone, you can restore authenticator state. But if your google account gets taken over, it's game over, the attacker has your authentication codes.
I got scammed because somebody put a fake bank location into Google Maps and so the Google voice caller ID said it was my bank. Luckily, I realized I got scammed and called the bank up right away and they got the charges reversed, which is why I still use that bank. Moral of the story: never trust inbound calls. They are the easiest vector for scammers to spoof.
I never pick up calls from numbers that I don't know. If it's important they leave a message. And if I think it is important, I call them back through official phone numbers
Same exact scam happened to me three weeks ago and I almost fell for it. The guy was very sharp and sounded very authentic.
Ever since then I've been getting hundreds or thousands of Google notifications I've had to decline. Anyone know how people are able to send out hundreds of 2FA gmail notification popups without Google blocking this?
They still attack tech professionals living in California. Saying you have crypto will probably move you to the top of the list, but they'll still get to you eventually.
My brother (a tech professional in California) does not have any crypto or social media, and attackers still stole his phone number, which they used to steal his email account, which they then tried to get into a non-existent Coinbase account. He was only out of the time it took to get his phone number back (a couple of hours later).
It was not legit from legal, I had the same attack on me two weeks ago. They were pretending to be from Google General Counsel responding to an estate request to my Google account being handed to another party who was supposedly the inheritor.
What clued me in was that he said he couldnt share the estate documents with me until I gave him my popup 2FA code.
One thing I really hate is that some companies with poorly design customer service flows actually REQUIRE you to read a code they text you over the phone to a rep.
At least now more companies include a "never read this over the phone" note in their authentication texts.
OP said the coin base account was drained within “minutes”. Server thief bait can take up to 24h to notify you when someone takes the bait.
> We'll put a tiny amount of cryptocurrency in a wallet, but probably still enough to attract the attention of automated scripts. We notify you when it's taken within 24 hours.
> The attacker spoofed the “From” field so it looked like the emails came from @google.com — something Google’s filters should have blocked outright. On iOS, Gmail doesn’t let you view full headers, so I had no way to double-check in the moment.
Can somebody explain what exactly this means, and how it works?
Basically, the from field on an email can be anything you want. It's like sending physical mail and using a fake letterhead with someone else's info, just type what you want. No verification.
That's sometimes a good feature. Like, a third party provider can send newsletters on behalf of company A. But can also be bad, when used for phishing.
However, the email doesn't just appear in your mailbox. It comes to your email provider by another server connecting to it and sending the email. Spf allows the owner of A.com to specify which IPs/servers are actually acting on their behalf. So if I get an email from something@A.com, I can lookup and verify that the sending server is one to trust. If not, the email client should reject or warn the user somehow.
No clue how it works functionally these days. But it reminds me of tricks we pulled back in high school programming class. Our school was using Novell NetWare, and some students were given email addresses for various purposes. We discovered you could edit the From field, so it would display any text as your name and then your email address after it to the recipient on Novell's email client. If you added enough text, including whitespace, it would push the actual email address off screen(I don't remember if you could scroll to it or not).
We trolled each other in class with it a bit. But at one point some student not in our class sent out a mass email, which was against the rules. I replied with a From line as "Administrator" and a bunch of whitespace, telling the girl that she broke the rule and would be suspended for it. Our teacher made me apologize, and I was lucky that I didn't get into more trouble beyond that.
I'm pretty surprised gmail didn't flag this at least. When I did it for a class in Uni, it always let me know that the FROM header didn't match the sender since that's a clear attack vector
His phrasing is very confusing - claiming the "from" field was spoofed, but that if he could see the "full header", he could have spotted the spoofing.
I would also assume something as prominent as the Gmail website/app for iOS, and the google.com domain, would have all possible email security features correctly configured.
So.. is this not the case? Or is it, but due to bad UI, despite all this security, any schmoe can send email appearing to come from google.com, and I have to pore over unspecified details in the "full header" to spot a fake?
It's my understanding that emails have headers, just like http responses, and the app might have displayed that fake header instead of verifying the provenance of the email and displaying where it actually came from. So it is a UI/UX issue.
Why email clients have started hiding/not providing access to headers is beyond me. It seems like an anti-pattern. There have been many times recently where I've wanted to check the headers because an email was suspicious, only to find I couldn't.
One wrong point in this. Google Authenticator does not cloud sync by default. You specifically have to accept the cloud sync option that you are prompted with.
> Be skeptical of unknown calls. If something feels off, hang up and restart the conversation by contacting the company directly.
I wonder sometimes how many scams I've avoided simply by pretty much never answering my phone when someone calls unless I'm expecting a call or it's someone I know.
> The attacker already had access to my Gmail, Drive, Photos — and my Google Authenticator codes, because Google had cloud-synced my codes.
Ugh, google
I usually don't answer calls from numbers I don't recognise - but a couple of days back it was a scammer claiming to be from Amazon - said I had ordered an iPhone for £600 and was it a real order.
I was pretty suspicious but thought I would get them to authenticate their identity as someone really from Amazon by telling me the last thing I had really ordered was...
I must have stayed on the call for 20 minutes, eventually they ended up swearing at me - all the time I could hear other people in the same room trying the same lines on different people. I have no idea why I stayed on for so long....
Would (the actual) Amazon even agree to provide this kind of information over the phone to someone?
is talking to amazon on the phone at all even actually possible?
The biggest red flag in all these stories is getting a call from a customer support person trying to help you. When it seems like it’s impossible to get ahold of them in a real emergency.
It doesnt seem to be a red-flag. The caller was calling as an Attorney from Google General Counsel responding to an estate request. They followed up with a spoofed @google.com email with their name corroborating the call.
I've set my phone to not answer unknown callers (those not in my address list) and more importantly, I've done this for my parents as well and further instruct them as often as possible to not believe anything they get in email. With all of this, my mom still will reach out at least once or twice a year in a panic about some scam email she thinks is real.
Well easy to say, but if you are working in the real world, then unknown callers may be important - i.e. FedEx trying to push your package through the customs and if they can not contact you, your package goes either back or is destroyed.
If you have an iPhone, the latest iOS 26 will answer unknown numbers not in your address book for you and ask what they want and then alert you to see if you want to take the call.
I didn't quite understand this part. Attacked has access to Google accounts because Google had cloud-synced my codes? What does that mean?
They gained access to the Google account by stealing the verification code over the phone, but then they had easy access to other accounts (e.g. coinbase) because they had access to 2FA codes because Google authenticator was backed up to the users Google account.
Ah, makes sense. The victim was social engineered first.
The other way around.
The attacker had access to the Google account which includes passwords from Chrome and also the 2fa codes stored in Google Authenticator, because those were synced to Google without the author noticing it.
So with passwords and 2fa the attacker could login to Coinbase too.
I have a 1-2 second rule. I pick up I say hello, if someone doesn't respond in 1-2 seconds, I hang up.
They have the scammers working off phone queues, it takes a little bit of time to get the call to the scammer, who has to start off with a script, so there's a delay.
Remember, the scammer, also likely not a native english speaker, also probably bored out of their mind, has to spin up, they have to read the name, understand how to say it and then say it out loud. Their is a mental startup time that a normal conversation doesn't have.
If someone calls you and isn't ready to immediately respond to "hello" it's a scammer.
I try to avoid picking up and saying anything because it seems like an advertisement "yes, this number is not only active but a real person who answers random calls - try calling back (possibly from a different number) later".
As of late, I have one rule: Any unknown number I'm not expecting I let it go to voicemail, where I have a message along the lines of: leave your message and your number, and if it's important I'll call you back. The only time I pick up is when I am expecting, say, a delivery, or a doctor's call, etc, and in those cases I'm only expecting to hear about a delivery or a doctor's call, etc. Hoping that can filter and help on this front.
Thanks for sharing. I already had it in the back of my mind that this cloud sync thing in Google Authenticator was not very secure. I'm getting rid of it right now.
I do see why Google did it; it's going to be difficult to educate users to always set up 2FA both on a primary and a backup device. Much easier and convenient to automatically sync different devices. But your story makes it obvious that something isn't quite right here.
Authy has solved this though. The cloud sync is opt-in, and encrypted with a password. This makes it immensely more involved to compromise.
The load bearing question is, why didn't the attacker also clear out OP's bank account, retirement savings, and max out his credit cards? Unfortunately, the difference is that banks care literally at all about their customers accounts being emptied.
What I specifically mean by "care literally at all" : banks have a policy of reimbursing people who had their accounts emptied despite taking reasonable precautions. This creates sane, linear incentives: banks care 1000x more about a $100,000 fraud than a $100 fraud; they care 1000x more about a scam affecting 100 people than a scam affecting one person, etc.
Unrelated, but for added spice, here's a thread from ten months where everyone agrees you're a fool unless you secure your coinbase account with google authenticator
https://www.reddit.com/r/CoinBase/comments/1h65zuh/account_h...
In my actual real world experience of digging my elderly mother out of $25,000+ of scam debt, banks do not care at all unless they can be shown to be at fault, and then they weigh the loss expense vs the likely legal expense.
This is one of the main reasons I don't like crypto. If you get hacked, even if you did everything right, then you're out of luck. The funds are (generally) unrecoverable.
With my bank, I've been able to recover several thousand after a thief was able to bypass the 2FA app used to verify large transfers. (I still don't know how they were able to bypass the verification, and after investigating our bank never told us. Not sure that makes me feel all warm and fuzzy, but at least I was made whole with minimal fuss.)
And transferring money from a bank or brokerage account takes time. Enough time that anyone paying attention should be able to report the transfer as fraudulent before it completes and have the account frozen.
the banks don’t give two shits about it :)
The difference is that you have leverage to force the banks to care.
There isn't any federal regulation at all covering your Bitcoin.
Bitcoin exchanges like Coinbase are regulated by the CFTC in the US. This case is more of a Google problem though.
Fraud is fraud. There’s plenty of laws against it.
I notice none of the pieces of advice are "don't keep a hundred thousand dollars in a Coinbase account".
I split my crypto assets between Coinbase and what is now a corrupted hard-drive I've yet to recover.
Mistake cost him 80k. Author is feeling burnt, but the cost is the cost at transaction time.
Extending this further, based on the stated value it looks like he probably had 40 or 50 ethereum. He might have bought them for a fraction of today's price - say $50 - so might only be out $2500 based on cost at transaction time...
Incorrect. Author may not have had the required savings to rebuy the position he wanted.
Does anyone know how the email from (or appearing to be from) @google.com works? Wouldn't the Apple account reject it because it fails DKIM/etc?
Yeah, I don't understand how it passed DMARC and why it wasn't rejected immediately by his mail server (Apple Mail?).
From the article he uses gmail I think
They probably sent it from gmail which would pass the SPF check (google.com and gmail.com have the same SPF). They wouldn't have it signed to pass DKIM, but google doesn't use strict alignment checking so to pass DMARC either SPF or DKIM are acceptable.
> Wouldn't the Apple account reject it because it fails DKIM/etc?
Yeah, I would be curious to see the actual email headers of what was received.
As an aside, fun fact, this would not be possible with @apple.com because Apple employees have old-school S/MIME signatures as an additional security layer.
How Email Spoofing Exploits SPF and DMARC: A Cybersecurity Deep Dive.
https://undercodetesting.com/how-email-spoofing-exploits-spf...
I’ve heard scammers use Google tools like Google forms or Google cloud to send out fraudulent emails that appear like they come from Google.
The latest attempted scams I’m getting on my gmail account are fake postmaster bounces “from” google.com.
I use gmail and i was attacked almost identically and the email came thru to my gmail with a @google origin account
The key takeaway from this imo should be to not use Google Password Manager or a password manager without a secret key like 1Password.
How did they get the passwords to his Google and Coinbase accounts? He reused passwords? The same one for Google as for Coinbase? Or did they reset his Coinbase password via his Gmail? The post doesn't make this explicit, but it warns against password reuse.
I believe they logged into coinbase with Google SSO. And then they used my Google Authenticator codes which were cloud synced as the second factor auth method.
A warning to auth engineers: if an account is using a Gmail address, then auth codes from Google Authenticator should not be considered a second factor.
This isn't something "auth engineers" can control, there's no magic Google Authenticator flag on a 2fa code - it's all HMAC and numbers, you don't know if the code came from Authy, Google Auth, a homebrew code generator, a dongle, etc.
Google/Chrome Password Manager?
But how did they get his Gmail password in the first place?
I'm not sure if I have the same password reset flow as OP, but when I try to reset my password and even provide the 2fa code, it basically doesn't let me get past a certain point without contacting my backup email address or making me use a phone which I'm logged in on to complete the reset
> Google enabled Authenticator cloud sync by default.
Never understood this convenience and never will. This is exactly the wrong way to deal with people losing their authenticator secrets.
Always confirm such things by calling the official contact number that you already have and asking about the case. Do this before you discuss the matter further.
Never act based solely on an unsolicited telephone call or email.
If someone calls and claims to be from an big tech company, its is always a scam and you are going to loose money.
Coinbase STILL doesn't freeze user accounts for a token amount of time, 24 hours or so, after resetting a password‽
Part of the blame should be levied on Coinbase if this is the case.
(I'm assuming this guy at least uses unique passwords...)
The attacker had the passwords and 2fa codes from the Google account so Coinbase couldn't really distinguish them from the right person (tho presumably for large transfers they may require some extra checks, dunno)
The article is poorly written and not clear. It sounds like you're suggesting the author let Chrome save his Coinbase password and Google synced that to the attacker as well?
> Google had cloud-synced my codes.
> That was the master key. Within minutes, he was inside my Coinbase account.
The author wrote "codes", not "passwords".
Can someone please explain to me what it means for authenticator codes to be “cloud-synced”? Is that solely dependent on whether you’re using the Google Authenticator app while signed in to your Google Account? Is it possible to not have them “cloud-synced” if you are signed in?
Google Authenticator app defaults to backing up the TOTP secrets so if you log in on a new device you have them there. Pretty poor default for security, and you can disable it, but not the first time I've heard of this biting someone.
The risk of not syncing — when you lose/reset your phone, so does your OTP app. If you don't have backup codes saved, you're cooked.
> The risk of not syncing — when you lose/reset your phone, so does your OTP app. If you don't have backup codes saved, you're cooked.
Most clued-up places enable you to register a Yubikey as 2FA.
So then it doesn't matter if you loose your OTP app and your backup codes because you've still got a Yubikey.
(And those that don't allow Yubikey, almost certainly will have SMS as a secondary option).
Which is why most apps with sync have two sets of credentials: one to login on the platform and one master password for encryption. That helps in those scenarios.
Yes. There are other ways of syncing (I have images of the setup QR codes save in an encrypted file) but most people wouldn’t be able to manage this.
You mean to say that if it were enabled on my Google account, then the TOTP numbers for my other accounts are visible via authenticating into Google Account on some other unknown device? Sounds like it could be convenient if you lose your phone, but still risky if an attacker can sign into your Google Account.
https://security.googleblog.com/2023/04/google-authenticator...
Google Authenticator can be local-only or synced to the cloud.
In local-only mode, the authenticator is bound to a specific device. You can manually sync it to additional devices, but if you lose access to all those devices, it's game over, you will get locked out of whatever accounts you secured with authenticator as the second factor.
In cloud-synced mode, it's synced to your google account, so if you lose your phone, you can restore authenticator state. But if your google account gets taken over, it's game over, the attacker has your authentication codes.
I got scammed because somebody put a fake bank location into Google Maps and so the Google voice caller ID said it was my bank. Luckily, I realized I got scammed and called the bank up right away and they got the charges reversed, which is why I still use that bank. Moral of the story: never trust inbound calls. They are the easiest vector for scammers to spoof.
i always tell my mom that no legitimate business would ever call, email, or send a letter about anything.
I never pick up calls from numbers that I don't know. If it's important they leave a message. And if I think it is important, I call them back through official phone numbers
Same exact scam happened to me three weeks ago and I almost fell for it. The guy was very sharp and sounded very authentic.
Ever since then I've been getting hundreds or thousands of Google notifications I've had to decline. Anyone know how people are able to send out hundreds of 2FA gmail notification popups without Google blocking this?
I get scam calls with Google in the caller ID everyday.
It kinda sucks that in 2025, voice calls are now near-zero trust.
Is there really no velocity behind any open/consortium replacement to traditional voice calls?
oof that sucks. Luckily I'll never answer the phone
> Luckily I'll never answer the phone
One of the best features of Apple iOS 26 is the new call-screening feature[1].
[1] https://support.apple.com/en-gb/guide/iphone/iphe4b3f7823/io...
Pixel Call Screen has been a godsend for me since its debut, akin to using uBlock Origin for browsing.
As soon as I read the headline, I knew that the problem was...
> In just 40 minutes, the attacker shuffled my staked ETH and other tokens through multiple transactions, then drained the account.
One of the many, many benefits of irreversible transactions.
> I made mistakes, yes
His first mistake was keeping six figures worth of 'cash' in a wallet that anyone with less than 40 minutes of access to can swipe.
Also if you have crypto you should never mention anywhere that you do. No forums, social media, etc.
They still attack tech professionals living in California. Saying you have crypto will probably move you to the top of the list, but they'll still get to you eventually.
My brother (a tech professional in California) does not have any crypto or social media, and attackers still stole his phone number, which they used to steal his email account, which they then tried to get into a non-existent Coinbase account. He was only out of the time it took to get his phone number back (a couple of hours later).
i regularly check reddit scams to know about the scams and i recently dodged one which wanted my details !
What did the account did the email actually come from? Was it legit from legal and he just submitted the request or was it a real spoofing
It was not legit from legal, I had the same attack on me two weeks ago. They were pretending to be from Google General Counsel responding to an estate request to my Google account being handed to another party who was supposedly the inheritor.
What clued me in was that he said he couldnt share the estate documents with me until I gave him my popup 2FA code.
One thing I really hate is that some companies with poorly design customer service flows actually REQUIRE you to read a code they text you over the phone to a rep.
At least now more companies include a "never read this over the phone" note in their authentication texts.
This would probably have helped:
https://serverthiefbait.com/
No it wouldn’t have.
OP said the coin base account was drained within “minutes”. Server thief bait can take up to 24h to notify you when someone takes the bait.
> We'll put a tiny amount of cryptocurrency in a wallet, but probably still enough to attract the attention of automated scripts. We notify you when it's taken within 24 hours.
> The attacker spoofed the “From” field so it looked like the emails came from @google.com — something Google’s filters should have blocked outright. On iOS, Gmail doesn’t let you view full headers, so I had no way to double-check in the moment.
Can somebody explain what exactly this means, and how it works?
Dmarc/spf https://en.m.wikipedia.org/wiki/DMARC
Basically, the from field on an email can be anything you want. It's like sending physical mail and using a fake letterhead with someone else's info, just type what you want. No verification.
That's sometimes a good feature. Like, a third party provider can send newsletters on behalf of company A. But can also be bad, when used for phishing.
However, the email doesn't just appear in your mailbox. It comes to your email provider by another server connecting to it and sending the email. Spf allows the owner of A.com to specify which IPs/servers are actually acting on their behalf. So if I get an email from something@A.com, I can lookup and verify that the sending server is one to trust. If not, the email client should reject or warn the user somehow.
DMARC does check the from field in the mail, so I don't know how could this happen
No clue how it works functionally these days. But it reminds me of tricks we pulled back in high school programming class. Our school was using Novell NetWare, and some students were given email addresses for various purposes. We discovered you could edit the From field, so it would display any text as your name and then your email address after it to the recipient on Novell's email client. If you added enough text, including whitespace, it would push the actual email address off screen(I don't remember if you could scroll to it or not).
We trolled each other in class with it a bit. But at one point some student not in our class sent out a mass email, which was against the rules. I replied with a From line as "Administrator" and a bunch of whitespace, telling the girl that she broke the rule and would be suspended for it. Our teacher made me apologize, and I was lucky that I didn't get into more trouble beyond that.
Assuming I follow what you want to know, the wikipedia page on email spoofing should provide the info you desire. https://en.m.wikipedia.org/wiki/Email_spoofing
I'm pretty surprised gmail didn't flag this at least. When I did it for a class in Uni, it always let me know that the FROM header didn't match the sender since that's a clear attack vector
His phrasing is very confusing - claiming the "from" field was spoofed, but that if he could see the "full header", he could have spotted the spoofing.
I would also assume something as prominent as the Gmail website/app for iOS, and the google.com domain, would have all possible email security features correctly configured.
So.. is this not the case? Or is it, but due to bad UI, despite all this security, any schmoe can send email appearing to come from google.com, and I have to pore over unspecified details in the "full header" to spot a fake?
It's my understanding that emails have headers, just like http responses, and the app might have displayed that fake header instead of verifying the provenance of the email and displaying where it actually came from. So it is a UI/UX issue.
Why email clients have started hiding/not providing access to headers is beyond me. It seems like an anti-pattern. There have been many times recently where I've wanted to check the headers because an email was suspicious, only to find I couldn't.
Zak just posted this eye opening behind the scenes look at what these scammers are doing...
https://x.com/0xzak/status/1967592307714379934
Wow - that is really interesting, to hear the hacker's voice, the absence of guilt, the thinking of "it's a game to steal".
A Horrific threat.
Is there a service that can “de-twitter” links like this?
[dead]
[dead]
One wrong point in this. Google Authenticator does not cloud sync by default. You specifically have to accept the cloud sync option that you are prompted with.