ajross 5 days ago

Something isn't adding up here. The author is excruciatingly rigorous with documenting lots of stuff here, including the screenshots. Then glosses over this bit awfully fast:

> So when he asked me to read back a code — supposedly to prove I was still alive — in a moment of panic, I did

This was an account with authenticator enabled. I'm no expert, but I really don't think there's a recovery process that works as simply as "read back a code". Certainly not in the SMS 2FA sense I'm sure we're all expected to interpret.

Honestly it seems like the author is trying to blame Gmail's UI, when some other more involved phishing technique was actually the novel part here.

InMice 5 days ago

I also feel like the article doesn't completely explain what happened. Where is this code from?

Did they send the fake legal email and at same time trigger a recovery code to be sent?

Is this like the same thing in Discord where they ask you for your email to join a server, then ask you for a code sent to verify you own that email, but really they submitted the email for a password reset? The victim doesn't realize it's a real recovery code sent by Microsoft, etc., instead thinking in the moment that it is a "Discord code". Once you submit the code in Discord, they have your account stolen in seconds.

Is this what the article is attempting to describe?

LgWoodenBadger 5 days ago

If the scammer is attempting to log in to the actual account (which requires 2FA), asking the scammee for the code will allow the scammer to log in and do all the things. The scammer is using the victim as the 2FA directly.
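
The relay described in this comment (a code the victim reads back works for whoever started the login) is what origin-bound authentication is designed to break. The following is an added toy model, not code from the thread or from any of the services discussed: an OTP-style step is compared with a WebAuthn-style step in which the browser, not the user, supplies the origin it is really on and the server only accepts assertions over its own origin. All origins, user names and secrets are constructed, and an HMAC stands in for the authenticator's signature.

```python
"""Toy model (added illustration): a code read back over the phone relays to the
scammer's login; an assertion bound to the browser's origin does not.
Every name and secret below is constructed; HMAC replaces a real key pair."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://accounts.example.test"        # constructed legitimate origin
PHISH_ORIGIN = "https://accounts-example.evil.test"  # constructed phishing origin
CRED_KEY = b"constructed-credential-secret"          # per-credential secret (toy stand-in for a private key)


class OtpServer:
    """Login step that accepts a one-time code. It cannot tell who typed the code."""

    def __init__(self):
        self.pending = {}

    def start_login(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code  # delivered to the account owner's phone (SMS or push)

    def finish_login(self, user, code):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


class OriginBoundServer:
    """Login step that verifies an assertion over (challenge, origin) and
    rejects any origin other than its own, in the WebAuthn style."""

    def __init__(self):
        self.pending = {}

    def start_login(self, user):
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, claimed_origin, tag):
        challenge = self.pending.pop(user, None)
        if challenge is None or claimed_origin != REAL_ORIGIN:
            return False
        expected = authenticator_sign(challenge, claimed_origin)
        return hmac.compare_digest(expected, tag)


def authenticator_sign(challenge, origin):
    """The browser fills in the origin it is actually on; the user never types it."""
    msg = f"{challenge}|{origin}".encode()
    return hmac.new(CRED_KEY, msg, hashlib.sha256).hexdigest()


def code_relay():
    """Scammer starts a login on the real site; the victim reads the code back.
    Returns True: the server accepts, because nothing ties the code to a person."""
    server = OtpServer()
    code_on_victims_phone = server.start_login("victim")
    code_read_back_over_phone = code_on_victims_phone  # the social-engineering step
    return server.finish_login("victim", code_read_back_over_phone)


def assertion_relay():
    """Same relay against an origin-bound login. The victim's browser signs on the
    phishing origin, so the tag does not verify even if the scammer claims the
    real origin when forwarding it. Returns False."""
    server = OriginBoundServer()
    challenge = server.start_login("victim")       # scammer obtains a real challenge
    tag = authenticator_sign(challenge, PHISH_ORIGIN)  # victim signs on the phishing page
    return server.finish_login("victim", REAL_ORIGIN, tag)


def legitimate_login():
    """Control case: the account owner signs on the real origin. Returns True."""
    server = OriginBoundServer()
    challenge = server.start_login("owner")
    tag = authenticator_sign(challenge, REAL_ORIGIN)
    return server.finish_login("owner", REAL_ORIGIN, tag)


if __name__ == "__main__":
    print("code read back over the phone relays:", code_relay())
    print("origin-bound assertion relays:", assertion_relay())
    print("legitimate origin-bound login:", legitimate_login())
```

The point the model makes is that the OTP server's check is identical whether the code is typed by the owner or read aloud to a scammer, whereas the origin-bound server's check depends on a value the victim cannot be talked into changing.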

GioM 5 days ago

I don't get this part either.

If the scammers had spoofed the email, they would already have that code, and if they hadn't spoofed that email... I mean, it looks like a case ID, why would they need it?

Maybe the reading back the code was to get buy in, then there's a missing step here like they had him hit "allow" on a 2fa prompt. Or maybe the email was legit, since it references a "temporary code" and the case ID allowed access with that code?

Good chance my reading comprehension is shot and I'm missing something, I suppose, but I don't understand.

ajross 5 days ago

> Good chance my reading comprehension is shot and I'm missing something, I suppose

That's more charitable than me. My UnreliableNarrator sense is tingling really badly here.

GioM 5 days ago

Ah, I think I get it. Article says:

> In the Gmail app on iOS, it looked completely legitimate — the branding, the case number, everything. Even the drop-down still showed “@google.com.”

> So when he asked me to read back a code — supposedly to prove I was still alive — in a moment of panic, I did.

The sentences do not refer to the same thing.

The code was not in the email... The narrator was asked to read back "a code", not the case ID in the email. "A code" here refers to a 2FA push notification code. The email was used to rattle the narrator / build trust to get them to comply.

vehementi 4 days ago

Yes, that is how I read it as well. Email was just for fun, and the code came by a different channel (of course). The email the scammer sent wouldn't contain a code they can use to take over his account (of course).

phendrenad2 4 days ago

Oh, the fake email also contains a code, so I thought that was it.

phendrenad2 5 days ago

I came to the comment section to see if anyone had (1) noticed this omission and (2) explained it. I see we're at 1 still...