←back to thread

Crooks Bypassed Google's Email Verification to Create Workspace Accounts, Acces

(krebsonsecurity.com)
193 points todsacerdoti | 8 comments | 26 Jul 24 21:34 UTC | HN request time: 0.409s | source | bottom
1. kabdib ◴[26 Jul 24 23:16 UTC] No.41083170[source]
I get occasional probes from Google services against my domain, clearly made by bad actors who are trying to break into it. It's not "lose your domain with a slip of the finger" territory, but it's still not great.

There doesn't appear to be a way to tell Google, "I own this domain, just block all of these bogus requests" other than signing up for the services in question (which I don't want to do!)

Scammers will be scammers, but this is also pretty shitty behavior on Google's part.

replies(3): >>41083313 #>>41083637 #>>41084634 #
2. kyrra ◴[26 Jul 24 23:41 UTC] No.41083313[source]
What do you mean probing your domain from Google?
replies(1): >>41083325 #
3. HideousKojima ◴[26 Jul 24 23:43 UTC] No.41083325[source]
I assume trying to sign up for Google services (business email etc.) for his domain
replies(1): >>41083338 #
4. kabdib ◴[26 Jul 24 23:45 UTC] No.41083338{3}[source]
Exactly.
5. magicalhippo ◴[27 Jul 24 00:38 UTC] No.41083637[source]
For Google and Microsoft, you have to add some TXT records to verify your domain.

Surely they could add support for checking that TXT record to "anti-verify" the domain? Ie instead of the "MS=ms12345" value to verify with Microsoft, have some fixed "MS=NOJOY" or whatever to signal to Microsoft you don't want any registrations against your domain.

replies(1): >>41085530 #
6. toast0 ◴[27 Jul 24 05:35 UTC] No.41084634[source]
When I was an admin for a Google Apps Domain, you couldn't even stop people from making a google account that aliases a google apps account.

Best I could do was run reports and yell at people. But it really would have been nice to stop all attempts to make google accounts for the domain.

replies(1): >>41087403 #
7. bell-cot ◴[27 Jul 24 10:04 UTC] No.41085530[source]
Idea: DNS TXT records are free-form. What if you used those to publish some (very short) "Legal Notices", stating that certain things were not authorized, and should be assumed fraudulent?

(Perhaps with similar notices published in your local old-school Legal News. There are entire periodicals devoted to the publication of legal notices.)

It doesn't matter if it would fully stand up in court, if the existence of the published prior notices convinced Google or MS that they were risking a nasty Legal Dept. situation.

8. kabdib ◴[27 Jul 24 16:05 UTC] No.41087403[source]
Exactly. Google's behavior here is terrible.