I can't believe he omitted that detail. How did they appear to send an email from a Google domain? This is especially puzzling given that he says he works in security.
Which should trigger every automated alarm bell, as well as SPF/DKIM checks. Which is where this falls apart slightly because in my experience, Gmail is pretty alert about flagging basic things like this.
The headers uploaded are the report email being sent to Google, not the original incoming email. We still don't know how this was spoofed.
The screenshot in TFA shows the subject was "Recent Case Status" and the sender was Google <legal@google.com>. This wasn't as simple as a dodgy subject.
I wonder how many people would fall for that though.