Today's story features interviews with two recent cryptocurrency heist victims (one who lost > $4.5M) who were hit by the same scammers. The fraudsters used:
- Google Assistant to automate outgoing calls to victims warning of a security incident with their account, and to press 1 to speak to a rep;
- An email from google.com warning about an email hacking incident, including the name and phone number of the Google rep who will be calling. The alerts were sent via Google Forms, which makes them come from google.com.
- Victims were convinced someone had taken over their accounts when they received an alert pop up on their mobile from Google, asking if they were trying to recover access to their account. By this time, the victims were convinced they were talking with Google, and clicked "yes, it's me" trying to recover access:
How to Lose a Fortune with Just One Bad Click
Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click “yes” to a Google prompt on his mobile device.
-
@briankrebs 1) "one bad click"
2) "years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet"
3) "Google Authenticator by default also makes the same codes available in one’s Google account online"
next person:
4) "I put my seed phrase into a phishing site"
This is not a post about people being dumb, on the contrary. It's too easy to put trust into the wrong apps/web sites - and that's where the real issue lies.
The lesson should be: Your data is not safe in the cloud. Stop putting pictures, codes and security backups there.
-
@troed Yeah. There certainly are a lot of cases where we as security people say, oh, that's silly, or they should have known better. And it's true that Google never called anyone, and they really don't. That said, what I tend to find in these sad stories is that people make a series of decisions or assumptions that they never revisit.
-
"Tony told KrebsOnSecurity that in the weeks following the theft of his 45 bitcoins, he became so consumed with rage and shame that he was seriously contemplating suicide. Then one day, while scouring the Internet for signs that others may have been phished by Daniel, he encountered Griffin posting on Reddit about the phone number involved in his recent bitcoin theft.
Griffin said the two of them were initially suspicious of each other — exchanging cautious messages for about a week — but he decided Tony was telling the truth after contacting the FBI agent that Tony said was working his case. Comparing notes, they discovered the fake Google security alerts they received just prior to their individual bitcoin thefts referenced the same phony “Google Support Case ID” number."
-
@briankrebs "In reality, the thieves caused the alert to appear on his phone merely by stepping through Google’s account recovery process for Griffin’s Gmail address." Does this mean they had his password or auth code? Recovery notification couldn't be sent otherwise.
-
@obivan I don't believe so. If you have a Google account, you can test this on your own by going to a computer that has never logged into your account before, and try to recover access to your account. You can get it to send you one of these prompts.
-
So much silliness because someone was too cheap to spend $50 on a proper FIDO2 hardware key. (I like the Yubi, but there are other options.)
Word to the wise: your cellular phone is a horrible MFA factor. Just horrible. If someone wants you to use your cell for MFA - add a heaping helping of mistrust there, because it means they don't listen to (or maybe have) security folks.
-
@briankrebs thanks for clarification! I tried to replicate this beforehand, but in my case it asks for password, phone number, auth or recovery code. If it works without any of these then it's highly disturbing.
-