Today's story features interviews with two recent cryptocurrency heist victims (one who lost > $4.5M) who were hit by the same scammers. The fraudsters used:

- Google Assistant to automate outgoing calls to victims warning of a security incident with their account, and to press 1 to speak to a rep;

- An email from google.com warning about an email hacking incident, including the name and phone number of the Google rep who will be calling. The alerts were sent via Google Forms, which makes them come from google.com.

- Victims were convinced someone had taken over their accounts when they received an alert pop-up on their mobile from Google, asking if they were trying to recover access to their account. By this time, the victims were convinced they were talking with Google, and clicked "yes, it's me" trying to recover access:

How to Lose a Fortune with Just One Bad Click

Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click “yes” to a Google prompt on his mobile device.

https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad-click/


"Tony told KrebsOnSecurity that in the weeks following the theft of his 45 bitcoins, he became so consumed with rage and shame that he was seriously contemplating suicide. Then one day, while scouring the Internet for signs that others may have been phished by Daniel, he encountered Griffin posting on Reddit about the phone number involved in his recent bitcoin theft.

Griffin said the two of them were initially suspicious of each other — exchanging cautious messages for about a week — but he decided Tony was telling the truth after contacting the FBI agent that Tony said was working his case. Comparing notes, they discovered the fake Google security alerts they received just prior to their individual bitcoin thefts referenced the same phony “Google Support Case ID” number."

@briankrebs I would have stopped the process at the point where a "Google rep" is supposed to call me. I can't imagine that Google employs people who call users. This is not very plausible.
@jzakotnik @briankrebs I probably would have fallen for an AI voice calling me and claiming to be from Google. That is something I would expect from Google, I don't think I ever talked to an actual human on their support options.
@deepbluev7 @briankrebs @jzakotnik it’s funny how many people trust g00gle. My advice? Don’t trust g00gle.
@jzakotnik @briankrebs Clicking yes to a prompt on mobile is a complete non-starter. Even allowing that kind of "2FA" (bad 1FA) to exist is a non-starter. With a deGoogled device it's not a thing.
@jzakotnik @briankrebs Having wasted hours futilely trying to contact any humans at Google back in 2008 during my early days as an Android dev, I know for certain they would never contact any users like this, ever.

@jzakotnik @briankrebs Google actually offers (or at least did at one time) live telephone support as a benefit of their Google One subscription.

When I worked at a call center, I had a very eccentric customer conference-call me with the Google support representative because he believed that would allow us to do... something? I honestly can't remember the details at this point. Anyway, from that interaction they sounded like they were probably from a contracted call center, like most companies utilize these days.

@briankrebs

"Google" -- spot the fundamental fault.

@briankrebs 1) "one bad click"

2) "years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet"

3) "Google Authenticator by default also makes the same codes available in one’s Google account online"

next person:

4) "I put my seed phrase into a phishing site"

This is not a post about people being dumb; on the contrary. It's too easy to put trust into the wrong apps/websites, and that's where the real issue lies.

The lesson should be: Your data is not safe in the cloud. Stop putting pictures, codes and security backups there.

@troed Yeah. There certainly are a lot of cases where we as security people say, oh, that's silly, or they should have known better. And it's true that Google never called anyone, and they really don't. That said, what I tend to find in these sad stories is that people make a series of decisions or assumptions that they never revisit.

@briankrebs I think what I'm looking for is some sort of UX clearly showing the difference between "this information is outside of your home and personal devices" and "the rest".

We take a photo with our phones and believe the photo "is in there". We might have a vague notion of there being some sort of backup but it doesn't cause us to pause and think about the implications that our photos can get into the hands of others _without_ them physically taking our phone.

We should be able to do better.

@troed @briankrebs Well...at least, in this case, the victims were rich crypto bros, so the harm is really only in what that money will be used for

@TeflonTrout

You'd be surprised at the diverse set of people that have seen "just testing it out"-money back in 2011 now allowing them a good life.

Don't mistake the loudmouths as being representative.

@briankrebs

@troed @TeflonTrout @briankrebs every one of those people has taken advantage of a greater fool.

The only return on crypto is what someone else is willing to give you. The whole thing is a zero-sum game. Anyone trying to convince otherwise is trying to make _you_ a greater fool.

@troed

Yes, we need a strong indicator of storage location and who we're sharing it with.

Companies want you to think it doesn't matter where your data resides, but when people want to know, it's often too hard to find out. And when you need it, the data might be in a place or state you don't expect. Or worse, your Venmos are public and the news notices it before you do, etc.

You're not in control of your data as a result of every company grabbing it, which is a terrible user experience.

@troed @briankrebs we used to. Then it became profitable for our OSes to automatically push our data onto their servers. Now it takes effort *not* to use OneDrive on Windows, iCloud backup on iOS, or Google Photos. Which is exactly how they like it.

@briankrebs

I'm constantly hearing how crypto people are losing everything and yet they go on and on and on about how secure it is, and it just reminds me the whole thing is a con and a criminal enterprise.

@briankrebs NB that one victim's wallet was compromised because he had a picture of his passphrase in his Google account. Use a password manager. Use A Password Manager. USE A PASSWORD MANAGER.
@briankrebs "In reality, the thieves caused the alert to appear on his phone merely by stepping through Google’s account recovery process for Griffin’s Gmail address." Does this mean they had his password or auth code? Recovery notification couldn't be sent otherwise.
@obivan I don't believe so. If you have a Google account, you can test this on your own by going to a computer that has never logged into your account before, and try to recover access to your account. You can get it to send you one of these prompts.
@briankrebs Thanks for the clarification! I tried to replicate this beforehand, but in my case it asks for a password, phone number, auth or recovery code. If it works without any of these, then it's highly disturbing.
@briankrebs Anyone dumb and/or greedy enough to put real money into crypto deserves to lose it.

@briankrebs
Effectively holding money in the cloud is the problem.

Any account can be compromised, and to have self-custody of those kinds of sums and not make sure you understand how to protect it means it was a bad choice by them, for them. If people forget, the value rises, they put it off, etc., then there'll be consequences.

Like the guy spending millions to find his hard drive in a Welsh rubbish tip. We all feel it, but if you want self-custody, take responsibility or you may lose the lot.

@briankrebs

Sorry, I read this as: 2 money launderers had their crypto stolen by fellow thieves......

@briankrebs
That's going to be our Social Security Fund in a few months unless we find a way to stop the Republican Mafia from “investing” (stealing) OUR hard-earned retirement fund 👀
@briankrebs
"Crypto assholes engaging in crypto scam get scammed."

@briankrebs

So much silliness because someone was too cheap to spend $50 on a proper FIDO2 hardware key. (I like the Yubi, but there are other options.)

Word to the wise: your cellular phone is a horrible MFA factor. Just horrible. If someone wants you to use your cell for MFA, add a heaping helping of mistrust there, because it means they don't listen to (or maybe don't have) security folks.

@briankrebs Whoopsie!

Large amounts of money don't equal sense.
@briankrebs I didn't even realize Assistant was useful enough to automate something as complex as a scam like this.
@briankrebs crypto is an obvious scam, but this takes it to a new level

@briankrebs
This all tracks.

My co-founder got one of these social engineers to open up and we published the phone call: https://x.com/Nneuman/status/1859279048179863582

Nick Neuman (@Nneuman) on X

Recently I was called by someone pretending to be Coinbase support, trying to steal bitcoin. I decided to turn the tables on him and ask him about being a scammer. Things got wild - he completely changed his personality & told me everything. Presenting: To Catch a Scammer 🕵️‍♂️

@briankrebs How not to lose money on crypto: don't mess with it.
@12thRITS @briankrebs When people who know a lot more about finance than I do say they don't understand how cryptocurrency works, that's all I need to hear. I have yet to see any clear, understandable account of how this deal works. It seems like one big scam and nothing else.
@flyhigh @briankrebs Good for drug deals, tho. Also for ransomware payoffs.
@briankrebs This is probably intentional on your part, but the articles you link to work, while clicking elsewhere, like on recent posts on your site, gives back a 403. Assuming you're blocking exit nodes, but it's unusual that it's only after the first interaction.