Casa Blog - Bitcoin Security Made Easy

It was a bright and sunny afternoon on July 4th and I was preparing to throw some hot dogs and hamburgers on the grill, as is tradition, when my phone rang. When I checked the screen, I giggled with glee.

Yes, my phone informed me that I was getting a call from a social engineer. No, this isn't some fancy new anti-phishing software. After speaking with people who have been targeted by social engineers posing as Google support agents, I've collected the official Google phone numbers that they spoof when making their initial calls and put them in my phone's address book.

I picked up the phone, knowing that phase 1 of the attack is fully automated and wouldn't have a human on the other end of the line. This is essentially part of their target selection process: social engineers buy truckloads of leaked data from various breaches of services and then they have to whittle down the targets to decide which ones are most susceptible to being tricked. Thus, they feed all of the phone numbers into an autodialer bot that calls them and plays a message claiming that someone is trying to log into your Google account and to press 1 to flag the activity as fraudulent. This way, the social engineers don't waste their time calling numbers of people who don't pick up or who are savvy enough to know that Google doesn't send these type of automated phone calls.

audio-thumbnail
Google Social Engineering Bot
0:00
/15.569

I pressed "1" to set my trap and signal to the scammers that they had a live target who was ready to be attacked. 40 minutes later, I got the follow-up call. The following recording has been edited for brevity, because I made him wait for a minute or two at each step after he asked me to do something, in order to waste his time.

audio-thumbnail
Google social engineer
0:00
/359.447256

What did the social engineer attempt to do? First he tried to convince me he was legit by sending me an email from Google that would verify as being "from Google." It looks like he abused one of Google's support services to spoof my email address as the "from" address so that he could get actual Google infrastructure to reply to my email address with the subject line of his choosing. Of course, if you actually read the body of the email you can see that it's a nonsensical automated reply. On the call, I frustrated him a bit by pretending like I wasn't receiving these emails.

I had actually expected the email to contain the phishing link, but since it didn't I was then amused to see him spell out the URL for his phishing site to me over the phone. What was I presented with when I got there? This super official looking support request form!

Of course, clicking "Cancel request" doesn't actually show a success message... it takes you to a new form!

At this point I obviously wasn't going to input my real account credentials, so I typed out a rather unprofessional derogatory insult upon the social engineer's intelligence, and he hung up a couple seconds later. Message received!

What Would Have Happened?

If I had been foolish enough to give this social engineer my account credentials, it would not have been immediately obvious that my account was compromised. The engineer (or one of his colleagues) would have started sifting though all of the emails in my account, looking for any key words of other accounts I held at financial services or anything that could be of value to them.

If Google did send me an alert email about suspicious login activity, they would have immediately deleted it, along with any other alert emails that I received as they then tried to break into my other accounts by resetting passwords.

If they encountered issues getting into my other services, they would have re-run the playbook again, but would have posed as a support agent for the service they were trying to break into, calling me again and sending links to other customized phishing forms to capture those credentials.

If I started to get suspicious and opened support tickets with those services, the attackers would have quickly deleted them as well to ensure I didn't actually have communication with the real service. And they would have sent me "reply" emails posing as that service that looked legitimate, because they'd have sent them from my own email account to myself, allowing them to spoof the from address without any issues because it would not actually be getting sent over the internet and have to go through email SPF and DKIM verification checks.

Takeaways

There were several red flags that should have been giveaways throughout this process, but most people would probably miss them.

  1. Google does not calls its users regarding suspicious account activity.
  2. Social engineers tend to call on weekends, holidays, or weekday evenings when they figure the target is more likely to answer the phone.
  3. Social engineers posing as Google call from phone numbers with a 650 area code.
  4. The email "from Google" was clearly sent via abusing a Google service in order to pass various email verification checks like SPF and DKIM.
  5. The request cancellation form was not on an official Google site. This is a common tactic used by social engineers - abuse Google's on free web hosting service at sites.google.com in order to host malicious phishing forms that are on a Google domain. But sites.google.com is by no means official Google corporate communications like google.com!

How can you protect yourself from social engineering? It's quite simple - just be antisocial! Don't pick up that phone, don't trust incoming messages.

At Casa we're constantly educating ourselves about the latest tactics being employed by attackers and improving our service in response. If you or someone you know may be susceptible to social engineering, Casa can help you keep your bitcoin safe!

Evolving Casa’s defenses against social engineering
Casa is the home for bitcoin and digital asset wealth, and a home should always feel safe no matter what is happening outside. Right now, the fastest-growing attack vector we are seeing against bitcoiners and people who have digital wealth is social engineering. Social engineering attacks typically arrive by