Monday, 05 June 2023 10:20

Google’s Verification Feature in Gmail already Abused by Scammers and Phishers

Written by

Reading time is around minutes.

The news that a feature in Gmail that shows a verification check mark for a sender is being abused by attackers should come as a surprise to no one. After all attackers have coopted, code singing certificates, legitimate web sites, and more as part of their attack processes, why wouldn’t a simple blue check mark be difficult? The new feature was introduced last month and, on the surface, looks like a great idea. Show that the sender of an email is who they say they are.

The problem is that attackers are smart, they are always looking for a way to make their scams look legitimate. I have seen Business Email Compromises that involved the theft of marketing materials directly from a company while also using the compromised account to send out the next wave of phishing. Here the attacker uses a spoofed domain along with a recognizable logo. The one identified by security researcher Chris Plummer was a simple use of a subdomain exploit (kelerymjrlnra[.]ups[.]com). While the SPF (Sender Protection Filter) for UPS should and does fail this subdomain (although the DMARC seems to pass it), it looks like it spilled by Google’s check which verified the root domain.

This flaw on the Google side of things allowed the fake email to get through and even show up as verified. This makes the chance of being clicked on by the unwary much higher. Phishing emails claiming to be shipping companies with a pending package are nothing new. They happen all the time and millions of people fall for them, just like the “you’ve won” style emails that flood the most common public emails services out there. While this feature is a nice one, it looks like it needs a lot more work.

Google has now listed this issue as a Severity 1 and Priority 1 issue with people acting on identifying a fix as quickly as possible. This is a change of heart after they first ignored the reported issue saying it was acting as intended. I am sure this was a simple oversight and the person receiving the initial request missed the fact that it was a random subdomain. Still, I do wonder how this got by Google’s detection system in the manner that it did. It is not a valid subdomain (does not resolve DNS), fails a real SPF check, and has all the appearance of having been created by a domain name randomization application. A quick check of a public threat intelligence feed shows that using a subdomain for UPS is a very popular way of getting malicious emails and files to targeted individuals with 101 malicious files associated with bad subdomains. I would think that FedEx, UPS, and other popular targets would have a higher burden of proof for tools like the one that Google released.

For now, remember to keep an eye out for suspicious emails and do not rely on verified sender check marks in Gmail (or any other public mail system) for the foreseeable future.

Read 1256 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.