Yesterday I received a project request through my website.
It didn't sound too unusual although it was very vague which is usually a sign for a bad paying client.
I replied, signaled interest and asked for some more information about the project.
The response came just 2 hours later:
Obviously written by an LLM.
Nothing unusual though, lots of people write their emails assisted by LLMs these days.
Something else caught my eye...
Look closely:
That doesn't look very... professional. It especially seemed strange coming from a woman working from the UAE.
Maybe she's "more open-minded" and doesn't realize that her personal Gmail avatar is being shown to everybody she emails for work.
We exchange 2 more emails back and forth and I eventually attempt to book a call.
This is where it gets weird.
I click on the link in the email.
Hmm... I was expecting a redirect to the Calendly website but the Calendly form actually opens on the client website's URL.
Ok, maybe they've embedded the form in an iframe or you can somehow self-host Calendly forms now.
I take the opportunity to check out the website from this company "HitBox Games".
The games they publish sound ridiculous:
- Robot Transform War Car Games
- Indian Bike Gangster Simulator
- Spider Action Fighting Game
- Spider Rope Action Game
What?
They look like low quality ripoffs that you get these annoying mobile ads for.
Let's see if this is for real.
I follow the links to Google Play.
It looks legit. 10M downloads! Seems like there's a big market for "Indian Bike Gangster Simulator".
The reviews are not bad and the screenshots actually look like a well-made game.
At this point, I'm of course still open to working on a project for them. I may not be the target audience of their product but I'd still build a website for this company!
Let's get back to booking the call.
Next week Wednesday sounds good...
Before I can continue, I need to log in with Google.
Surprisingly bad UX coming from Calendly. I didn't realize I needed to log in before clicking "Schedule". Shouldn't they have optimized the hell out of these forms?
Also, it shows "Mountain Time" as the timezone. Surely Calendly should be able to detect my local timezone without problems. Weird!
I click "Sign in with Google" and a Google-branded loading spinner appears:
Weird, never seen this one before.
Also notice how the loading spinner is Google-branded but the URL of the website is still the prospective client's.
Next, it gets uncanny.
I'm presented with something that looks like the "Verify your identity" screen that I'm shown what feels like 10 times per day.
But something's off.
The Google logo doesn't look right, the font is unusual, the "Next" button looks outdated.
But the URL is definitely Google's. I even see the green lock symbol which means that Chrome identifies the company/site as trustworthy or something like that (I should probably know this).
At this point I'm still very skeptical and I'm looking closely at the URL to see if it's one of these typo URLs or if it uses any lookalike symbols.
I can't find anything. The domain is definitely accounts.google.com.
When I open 1Password and it doesn't suggest my Google login, I know that there's no chance this is legit.
But why does the URL look so real? How did they pull that off?
As I look closer, I notice that the URL bar looks a bit weird.
And then it hits me: this is not a real window!
I can't drag it outside of the viewport's bounds, the traffic light buttons don't work (except for the close button) and the "Secure connection" popover is the definite giveaway.
This isn't a real browser window and I can inspect it with the devtools:
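The 1Password tell above is the key principle: a password manager keys on the real page origin, not on whatever "URL bar" is painted inside the page. As an added example (not code from the post), here is a small devtools-console check that applies the same logic: it pulls hostname-looking text out of the page and flags a well-known login host that does not match `location.hostname`. The sample page text and the `client-site.example` hostname are constructed placeholders; the list of login hosts and the rough two-label domain comparison are assumptions.

```javascript
// Added example, not the post's code: spot a painted (fake) URL bar by comparing the
// hostnames visible as page text with the hostname the browser is actually on.
// A browser-in-the-browser window is ordinary DOM content, so its "address bar" is just text.

// Login hosts that phishing kits commonly paint into fake chrome (assumed list; extend as needed).
const SENSITIVE_LOGIN_HOSTS = ["accounts.google.com", "login.microsoftonline.com", "appleid.apple.com"];

// Pull hostname-looking tokens (optionally prefixed by a scheme) out of visible text, in order, deduplicated.
function extractHostnames(text) {
  const re = /(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
  const hosts = new Set();
  for (const m of text.matchAll(re)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Rough registrable-domain comparison on the last two labels (assumption: ignores suffixes like co.uk).
function sameRegistrableDomain(a, b) {
  const tail = h => h.split(".").slice(-2).join(".");
  return tail(a) === tail(b);
}

// Return the sensitive login hosts painted into the page that do not belong to the real origin.
function findPaintedOrigins(visibleText, realHostname) {
  const real = realHostname.toLowerCase();
  return extractHostnames(visibleText).filter(
    h => SENSITIVE_LOGIN_HOSTS.includes(h) && !sameRegistrableDomain(h, real)
  );
}

// For the browser console: check the page you are currently on. Returns null outside a browser.
function checkCurrentPage() {
  if (typeof document === "undefined") return null;
  return findPaintedOrigins(document.body.innerText, location.hostname);
}

// Constructed sample mirroring the post: the page is served from the "client" domain but
// paints a Google address bar and a "Secure connection" popover inside the fake window.
const SAMPLE_PAGE_TEXT = `
Schedule a call   accounts.google.com   Secure connection
Sign in   Verify your identity   Next
`;
const SAMPLE_REAL_HOST = "client-site.example"; // placeholder, not the domain from the post

console.log(findPaintedOrigins(SAMPLE_PAGE_TEXT, SAMPLE_REAL_HOST)); // ["accounts.google.com"]
```

An empty result does not prove a page is genuine (a kit can paint the bar as an image), but a non-empty one means the chrome you are looking at is page content, exactly the situation the post describes.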
Conclusion
Wow, this is the first time that I've gone this far through a phishing funnel and I can't quite believe it.
I'm a web developer and obsess over individual pixels all day, so I usually spot phishing sites in less than 10 seconds.
Why was this so effective?
Maybe I just had a long day and I'm tired. That could definitely be why this got me.
But I think something else was different about this one:
This is the first time I had a seemingly real email conversation with somebody who turned out to be trying to phish me.
Normally I only get this from cold / spam emails but this person actually contacted me through the form on my website. And they only sent the phishing link after I had replied to them.
This time there were still a lot of obvious tells, but these phishing attempts are only going to get more sophisticated over time.
It's still strange to me how they paid extra attention to certain details.
For example, the Google login flow supports dark mode:
And the Sign In screen looks very convincing with the slightly-janky loading animation and the Material UI-style floating labels:
But then they don't localize the timezone and don't use the real Google logo.
I wonder if these scammers are doing some kind of funnel optimization. Maybe more people fall for their tricks if their fake login forms support dark mode.
Or the supposed attention to detail in certain areas is just whatever their coding agent decided to clone more accurately.
Anyways, I hope this little story was somewhat entertaining. Be wary of companies trying to hire you to build a website for "Spider Rope Action Game".
P.S.: It seems like the apps on Google Play are actually real. This scammer probably just created a fake website with the same company name as the one that actually created those games.
P.P.S.: The supposedly fake website for "HitBox Games" ranks pretty high on Google. I wonder if the website could be real and they just got hacked.