Crooks Bypassed Google's Email Verification to Create Workspace Accounts, Acces

(krebsonsecurity.com)

193 points todsacerdoti | 1 comments | 26 Jul 24 21:34 UTC | HN request time: 0s | source

Show context

kabdib ◴[26 Jul 24 23:16 UTC] No.41083170[source]▶

I get occasional probes from Google services against my domain, clearly made by bad actors who are trying to break into it. It's not "lose your domain with a slip of the finger" territory, but it's still not great.

There doesn't appear to be a way to tell Google, "I own this domain, just block all of these bogus requests" other than signing up for the services in question (which I don't want to do!)

Scammers will be scammers, but this is also pretty shitty behavior on Google's part.

replies(3): >>41083313 #>>41083637 #>>41084634 #

magicalhippo ◴[27 Jul 24 00:38 UTC] No.41083637[source]▶

>>41083170 #

For Google and Microsoft, you have to add some TXT records to verify your domain.

Surely they could add support for checking that TXT record to "anti-verify" the domain? Ie instead of the "MS=ms12345" value to verify with Microsoft, have some fixed "MS=NOJOY" or whatever to signal to Microsoft you don't want any registrations against your domain.

replies(1): >>41085530 #

1. bell-cot ◴[27 Jul 24 10:04 UTC] No.41085530[source]▶

>>41083637 #

Idea: DNS TXT records are free-form. What if you used those to publish some (very short) "Legal Notices", stating that certain things were not authorized, and should be assumed fraudulent?

(Perhaps with similar notices published in your local old-school Legal News. There are entire periodicals devoted to the publication of legal notices.)

It doesn't matter if it would fully stand up in court, if the existence of the published prior notices convinced Google or MS that they were risking a nasty Legal Dept. situation.

↑