Warning to all 1.8 billion Gmail users due to ‘blue tick’ hacking scam
Hackers are exploiting Gmail’s blue ticks: experts warn 1.8 billion Google users about imposters trying to steal money and passwords – and here’s how to spot fake verified accounts
It’s only been a month since Google’s Gmail offered its version of “blue checkmark” Twitter-style verified accounts, and hackers are already taking advantage of it.
Google launched the verification feature, which appears next to the sender’s name, to assure readers that emails are trustworthy.
Scammers have found a way to get their hands on the coveted mark, allowing them to craft fake addresses of well-known brands that may mislead users into providing login credentials or payments.
Cybersecurity experts claim Google was made aware of the flaw shortly after it was identified but “ignored the issue.”
The new hack takes advantage of Gmail’s existing Brand Indicators for Message Identification (BIMI) feature, on which the new blue checkmark system is built. Scammers exploit the weakness to create “verified” fake addresses of well-known brands such as the global shipper UPS.
“I submitted a bug that @google lazily dismissed as ‘cannot be fixed – intended behavior’,” cybersecurity engineer Chris Plummer tweeted.
“How can a scammer impersonate @UPS in such a convincing way?” he asked.
In theory, the blue checkmarks would confirm that an email address is authorized to use the name and avatar image assigned to it, such as the logo of a major brand.
Software engineer Jonathan Rudenberg said verification only required a DomainKeys Identified Mail (DKIM) signature, which can be “of any domain.”
“This means that any shared or misconfigured mail server in the SPF [Sender Policy Framework] of a domain with BIMI records can be a vector for sending spoofed messages with the full BIMI treatment in Gmail,” Rudenberg wrote in a blog post.
“BIMI is worse than the status quo,” Rudenberg said.
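The weakness Rudenberg describes is that a DKIM signature from some unrelated domain, combined with an SPF pass from a shared mail server, was enough to earn the brand treatment. The checker below is an added example (not code from the article, from Google, or from Rudenberg’s post) showing the stricter rule a mailbox provider or gateway can apply before displaying any brand indicator: only a passing DKIM signature whose `d=` domain aligns with the visible From: domain counts; SPF alone is reported but never sufficient. All header samples, domain names and the `org_domain` shortcut are constructed assumptions for this example.

```python
"""Added example: decide whether a message's authentication results vouch for
the visible From: domain before any brand indicator (BIMI logo / blue check)
is shown. Rule: require a passing DKIM signature whose d= domain aligns with
the From: domain (DMARC-style relaxed or strict alignment). SPF alone is not
enough, because a shared sender listed in the SPF record can pass it for anyone.
All header samples and domain names below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels for this example
    (a real implementation would consult the Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(d1: str, d2: str, strict: bool = False) -> bool:
    """DMARC-style alignment: exact match (strict) or same org domain (relaxed)."""
    if strict:
        return d1.lower() == d2.lower()
    return org_domain(d1) == org_domain(d2)


def dkim_signing_domains(msg) -> list[str]:
    """d= tag of every DKIM-Signature header present on the message."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found


def auth_results(msg) -> dict:
    """Verdicts from Authentication-Results, assumed to be added by the trusted
    receiving MTA: which DKIM d= domains passed, and the SPF MAIL FROM domain."""
    out = {"dkim_pass": set(), "spf_pass": None}
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass[^;]*?header\.d=([^\s;]+)", ar):
            out["dkim_pass"].add(m.group(1).lower())
        m = re.search(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", ar)
        if m:
            out["spf_pass"] = m.group(1).lower()
    return out


def bimi_eligible(raw: str, strict: bool = False) -> tuple[bool, str]:
    """Return (eligible, reason). Eligible only when a DKIM signature that the
    MTA reports as passing has a d= domain aligned with the From: domain."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return False, "no parseable From: address"
    from_dom = addr.rsplit("@", 1)[1].lower()
    ar = auth_results(msg)
    # Only signatures the receiving MTA actually verified count.
    passing = [d for d in dkim_signing_domains(msg) if d in ar["dkim_pass"]]
    for d in passing:
        if aligned(d, from_dom, strict):
            return True, f"DKIM d={d} aligns with From: {from_dom}"
    if ar["spf_pass"] and aligned(ar["spf_pass"], from_dom, strict):
        return False, (f"SPF pass for {ar['spf_pass']} but no aligned DKIM "
                       f"(signed by {passing}); shared senders make SPF insufficient")
    if passing:
        return False, f"DKIM passes only for {passing}, not for From: {from_dom}"
    return False, "no passing authentication for the From: domain"


# Constructed sample 1: the pattern the article describes. SPF passes because a
# shared bulk-mail server is in bigbrand.example's SPF record, and a DKIM
# signature exists, but it was produced by the shared sender's own domain.
SPOOFED = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@shared-sender.example header.s=s1 header.d=shared-sender.example;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@bigbrand.example
DKIM-Signature: v=1; a=rsa-sha256; d=shared-sender.example; s=s1;
 c=relaxed/relaxed; h=from:to:subject; bh=constructed; b=constructed
From: "BigBrand Support" <support@bigbrand.example>
To: victim@receiver.example
Subject: Your parcel is waiting

(constructed body)
"""

# Constructed sample 2: a genuine brand message signed by the brand's own domain.
GENUINE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@bigbrand.example header.s=k1 header.d=bigbrand.example;
 spf=pass (sender IP is 192.0.2.20) smtp.mailfrom=bounce@bigbrand.example
DKIM-Signature: v=1; a=rsa-sha256; d=bigbrand.example; s=k1;
 c=relaxed/relaxed; h=from:to:subject; bh=constructed; b=constructed
From: "BigBrand Support" <support@bigbrand.example>
To: customer@receiver.example
Subject: Your receipt

(constructed body)
"""

# Constructed sample 3: signed by a subdomain; aligned under relaxed, not strict.
SUBDOMAIN_SIGNED = (GENUINE
                    .replace("header.d=bigbrand.example", "header.d=mail.bigbrand.example")
                    .replace("d=bigbrand.example; s=k1", "d=mail.bigbrand.example; s=k1"))

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("genuine", GENUINE),
                         ("subdomain", SUBDOMAIN_SIGNED)):
        print(name, bimi_eligible(sample))
```

The spoofed sample is rejected even though both SPF and DKIM report `pass`, because neither verdict is tied to `bigbrand.example`; that distinction between “some authentication passed” and “the From: domain was authenticated” is the whole difference between the behaviour the article describes and a trustworthy indicator.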
Users are urged to review all verified email addresses before taking any action.
Scammers create addresses that pad the company’s name with many different numbers and letters in hopes of misleading recipients.
Shockingly, Google’s initial response was to ignore the issue. Cybersecurity engineer Chris Plummer said the tech giant’s security team first told him “will not fix – intended behavior.”
Other email clients have recently had or continue to have similar issues with their BIMI verified “authenticated” email address system, according to Rudenberg, including Microsoft 365 and Apple Mail, in conjunction with Fastmail.
iCloud and Yahoo were noticeably more secure.
Fortunately, Google now lists this fake “blue check” bug as a top priority or “P1” issue.
“After taking a closer look, we realized that this indeed does not appear to be a generic SPF vulnerability,” a Google representative wrote to Plummer late last week. “So we’re reopening this and the right team is looking into what’s going on.”
“We apologize again for the confusion.”