Today's story features interviews with two recent cryptocurrency heist victims (one who lost > $4.5M) who were hit by the same scammers. The fraudsters used:

- Google Assistant to automate outgoing calls to victims warning of a security incident with their account, and to press 1 to speak to a rep;

- An email from google.com warning about an email hacking incident, including the name and phone number of the Google rep who will be calling. The alerts were sent via Google Forms, which makes them come from google.com.

- Victims were convinced someone had taken over their accounts when they received an alert pop-up on their mobile from Google, asking if they were trying to recover access to their account. By this time, the victims were convinced they were talking with Google, and clicked "yes, it's me" trying to recover access:

How to Lose a Fortune with Just One Bad Click

Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click “yes” to a Google prompt on his mobile device.

https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad-click/


@briankrebs "one bad click"

2) "years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet"

3) "Google Authenticator by default also makes the same codes available in one’s Google account online"

next person:

4) "I put my seed phrase into a phishing site"

This is not a post about people being dumb, on the contrary. It's too easy to put trust into the wrong apps/websites - and that's where the real issue lies.

The lesson should be: Your data is not safe in the cloud. Stop putting pictures, codes and security backups there.

@troed Yeah. There certainly are a lot of cases where we as security people say, oh, that's silly, or they should have known better. And it's true that Google never called anyone, and they really don't. That said, what I tend to find in these sad stories is that people make a series of decisions or assumptions that they never revisit.

@briankrebs I think what I'm looking for is some sort of UX clearly showing the difference between "this information is outside of your home and personal devices" and "the rest".

We take a photo with our phones and believe the photo "is in there". We might have a vague notion of there being some sort of backup but it doesn't cause us to pause and think about the implications that our photos can get into the hands of others _without_ them physically taking our phone.

We should be able to do better.

@troed @briankrebs Well...at least, in this case, the victims were rich crypto bros, so the harm is really only in what that money will be used for

@TeflonTrout

You'd be surprised at the diverse set of people that have seen "just testing it out"-money back in 2011 now allowing them a good life.

Don't mistake the loudmouths as being representative.

@briankrebs

@troed @TeflonTrout @briankrebs every one of those people has taken advantage of a greater fool.

The only return on crypto is what someone else is willing to give you. The whole thing is a zero-sum game. Anyone trying to convince otherwise is trying to make _you_ a greater fool.