Hacker News new | ask | show | jobs
by iLoveOncall 279 days ago
Looks like the attacker set "legal@google.com" as expeditor name, so that's what showed on the author's phone, that's it.
3 comments
oliwarner 279 days ago
Which should trigger every automated alarm bell, as well as SPF/DKIM checks. Which is where this falls apart slightly because in my experience, Gmail is pretty alert about flagging basic things like this.

The headers uploaded are the report email being sent to Google, not the original incoming email. We still don't know how this was spoofed.

link
karakot 279 days ago
I just put it into subject and that's how it looks like in my inbox

https://imgur.com/a/Ki2cciH

minimal efforts, won't pass any scrutinity but someone panicking might miss it.

Thanks OP for the thread, very enlightening.

link
oliwarner 279 days ago
The screenshot in TFA shows the subject was "Recent Case Status" and the sender was Google <legal@google.com>. This wasn't as simple as a dodgy subject.

I wonder how many people would fall for that though.

link
cpncrunch 278 days ago
What exactly is "expeditor name"?
link