
Issue 728004

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2018
Cc:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug


May 2017 Phishing 2-Step Verification

Reported by markrose...@gmail.com, May 31 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/603.2.5 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.5

Steps to reproduce the problem:
In April-May 2017 texts sent from numbers that start with "614-695-47..." have been associated with sending Google 2-step verification codes at the same time as 220-00 sent the same verification code.

When I open Chrome, type gmail.com in the url, hit enter, and then click Sign In, about 50% of the time the next page remembers my email address and auto-fills it in, and the other half of the time it doesn’t. 

Sometimes it remembers the email address but not the password.
Sometimes it remembers the email address and the password.
Sometimes it doesn’t remember the email address.

Upon clicking Sign In, and finding it remember the email address and password, first it sends the verification code from 220-00. The next times the sign-in page remembers both the email address and password, it sends the same verification code from the 10 digit phone number. 

In the event of it remembering the email address and not the password, the user types in their password.

What is the expected behavior?

What went wrong?
See entry above.

Did this work before? N/A 

Chrome version: <Copy from: 'about:version'>  Channel: n/a
OS Version: OS X 10.10.5
Flash Version:
 
Labels: Needs-Feedback
I /think/ you're describing a problem where you're unexpectedly receiving two SMS messages containing verification codes when logging into GMail. Is that correct? Can you elaborate on why you think "phishing" is occurring here?
 
Issues with Google account login do not represent bugs in Chrome and unfortunately are not something that the Chrome security team can help with. https://support.google.com/accounts/?hl=en#topic=3382296 offers help with Google Account issues.
Hey,

So I think something malicious, clever, current, and widespread is happening, and I really don't know exactly how it's happening, but I think it should be investigated. I don't know if it's the browser, the sign-in page, my phone, or what. But today I googled and found more instances, with a wider range of numbers:

614-695-29##, Within the last 24 hours 12 marked unsafe, related to google verification code: http://www.okcaller.com/61469529
614-695-4728, https://productforums.google.com/forum/#!topic/gmail/156rqYeib0c
614-695-4782, http://spyoncaller.net/6146954782
614-695-32##, Within the last 2 days, 12 marked unsafe, related to google verification code: http://www.okcaller.com/61469532
614-695-4776, 18 marked unsafe in May 2017: http://www.okcaller.com/6146954776

The reason I think it's "phishing" is there are many reports of people experiencing this issue and losing access to all sorts of things, some including bank account attempts I believe. I haven't logged into gmail on my laptop for days now because my biological neural networks are telling me something's up.

In Chrome, I would do the following process about 30 times in a row, and get one of three results in a seemingly random sequence: Command-N for a new window, gmail url, enter, the new sign-in page, and one of the three outcomes in the original post would occur. I compared the source code of the pages, keeping track of whether Chrome remembered my email address and/or password. At first I thought it was the nonce="" differences, because one had + and / characters, but further investigation showed that wasn't a difference correlated to whether Chrome remembered the email address. I also thought towards the end that the presence or absence of a hyphen in accounts.google.com\u0026v\u003d- was the difference, but seemingly not.

Chrome is the entity that stores my passwords, so I thought it could be connected, and since this issue doesn't seem to fit into any category on the standard help pages, this forum seemed the best way to get a person to look into it. 

Furthermore, I don't even remember enabling two-step authentication, but I probably did since I have texts from the 220-00 number that date back months ago and vaguely remember doing so. 

It's not just that it's two messages but that one is from a 10-digit phone number that is marked suspicious or unsafe online in relation to this issue. How would the second number know the code? Traditional phishing would use social engineering to obtain the code, but if they know the code from when the 220-00 number sent it and are sending it, they wouldn't need that information. So what's left I think is when the user connects their email, password, code, and phone to sign in. It's tricky; I'm really not sure what's going on. But I think something's going on.
Project Member

Comment 3 by sheriffbot@chromium.org, Jun 1 2017

Cc: elawrence@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Needs-Feedback
In the 2-Factor Phishing scenario, the attacker sends a message *asking you* to reply to a SMS message and provide the 2-Factor code that you received in another SMS message. 

In the scenario you've described in the original report, you're receiving two SMS messages from different numbers, both of which contain the same six digit code, and neither of these messages asks you to reply?
Right, the text content is identical. I think only one text is triggered by the two step part. If it's the 10 digit number it uses the code from the last one google sent.
Project Member

Comment 6 by sheriffbot@chromium.org, Jun 3 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Type-Bug-Security Type-Bug
As far as I can tell, there is no Chrome-specific security issue here. Removing from the security queue (But keeping restricted for now).
Status: WontFix (was: Unconfirmed)
Mac triage: WontFix this. I don't know what's going on with the duplicate texts but the Chrome bug tracker is certainly the wrong place to track this issue. I'll forward this to Google security folks, though.
Project Member

Comment 9 by sheriffbot@chromium.org, Jun 28 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot