DecryptedTech DecryptedTech DecryptedTech DecryptedTech
Monday, 05 June 2023 10:20

Google’s Verification Feature in Gmail already Abused by Scammers and Phishers

Written by
Google’s Verification Feature in Gmail already Abused by Scammers and Phishers

Reading time is around minutes.

The news that a feature in Gmail that shows a verification check mark for a sender is being abused by attackers should come as a surprise to no one. After all attackers have coopted, code singing certificates, legitimate web sites, and more as part of their attack processes, why wouldn’t a simple blue check mark be difficult? The new feature was introduced last month and, on the surface, looks like a great idea. Show that the sender of an email is who they say they are.

The problem is that attackers are smart, they are always looking for a way to make their scams look legitimate. I have seen Business Email Compromises that involved the theft of marketing materials directly from a company while also using the compromised account to send out the next wave of phishing. Here the attacker uses a spoofed domain along with a recognizable logo. The one identified by security researcher Chris Plummer was a simple use of a subdomain exploit (kelerymjrlnra[.]ups[.]com). While the SPF (Sender Protection Filter) for UPS should and does fail this subdomain (although the DMARC seems to pass it), it looks like it spilled by Google’s check which verified the root domain.

This flaw on the Google side of things allowed the fake email to get through and even show up as verified. This makes the chance of being clicked on by the unwary much higher. Phishing emails claiming to be shipping companies with a pending package are nothing new. They happen all the time and millions of people fall for them, just like the “you’ve won” style emails that flood the most common public emails services out there. While this feature is a nice one, it looks like it needs a lot more work.

Google has now listed this issue as a Severity 1 and Priority 1 issue with people acting on identifying a fix as quickly as possible. This is a change of heart after they first ignored the reported issue saying it was acting as intended. I am sure this was a simple oversight and the person receiving the initial request missed the fact that it was a random subdomain. Still, I do wonder how this got by Google’s detection system in the manner that it did. It is not a valid subdomain (does not resolve DNS), fails a real SPF check, and has all the appearance of having been created by a domain name randomization application. A quick check of a public threat intelligence feed shows that using a subdomain for UPS is a very popular way of getting malicious emails and files to targeted individuals with 101 malicious files associated with bad subdomains. I would think that FedEx, UPS, and other popular targets would have a higher burden of proof for tools like the one that Google released.

For now, remember to keep an eye out for suspicious emails and do not rely on verified sender check marks in Gmail (or any other public mail system) for the foreseeable future.

Read 1513 times
Published in News
Tagged under
Sean Kalinich

Latest from Sean Kalinich

Related items

More in this category: « New APT Group targeting iOS Users with Zero-Click Malware, US gets the Blame MOVEit Transfer Zero Day gets added to the KEV and a Cool New Web Shell »

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

back to top

Follow Us

  • Follow Us

    Follow DecryptedTech on Social Media

    facebook twitter linkedin