Thursday, September 21, 2023

Warning to all 1.8 billion Gmail users over ‘blue checkmark’ hacking scam


Hackers are abusing Gmail’s blue ticks: Experts warn 1.8 billion Google users of imposters trying to steal money and passwords – and here’s how to spot fake verified accounts

It’s only been a month since Google’s Gmail offered its version of Twitter-style “blue tick” verified accounts, and hackers are already exploiting it.

Google launched the verification feature, which sits next to the sender’s name, to assure readers that emails are trustworthy.

The crooks found a workaround to get the coveted mark, allowing them to craft fake addresses of famous brands and potentially trick users into providing credentials or payments.

Cybersecurity experts say Google was made aware of the flaw shortly after it was identified, but “ignored the issue”.

The new hack uses Gmail’s existing “Brand Indicators for Message Identification” (BIMI) feature, on which the new “blue tick” system is based. Scammers exploit the weakness to create fake, but “verified”, addresses of famous brands such as global shipper UPS.

“I submitted a bug which @google has lazily closed as ‘won’t fix – intended behavior,’” cybersecurity engineer Chris Plummer tweeted.

“How is a scammer impersonating @UPS so convincingly ‘intentional’?”

The exploit uses Gmail’s existing BIMI (Brand Indicators for Message Identification) feature, based on their new “blue tick” system.

In theory, blue checks would confirm that an email address is authorized to use the name and avatar image assigned to it, such as a major brand logo.

Software engineer Jonathan Rudenberg said verification only required a DomainKeys Identified Mail (DKIM) signature, which can be “from any domain”.

“This means that any shared or misconfigured mail server in the SPF [Sender Policy Framework] record of a BIMI-enabled domain can be a vector for sending falsified messages with full BIMI processing in Gmail,” Rudenberg wrote in a blog post.

“BIMI is worse than the status quo,” Rudenberg said.
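The gap Rudenberg describes can be illustrated with a small receiver-side check. The following is an added example, not code from the article, from Rudenberg or from Google: it parses two constructed sample messages and shows the brand indicator only when the domain that actually passed DKIM (`d=`) or SPF (`smtp.mailfrom`) aligns with the header-From domain, which is the condition a “DKIM signature from any domain” rule leaves out. The `Authentication-Results` header is trusted as written by the receiving mail server, the sample domains are invented, and the organizational domain is approximated as the last two labels; all three are assumptions for the demo.

```python
"""Gate a brand indicator on DMARC-style identifier alignment.

Added example, not the article's or Google's code. A brand indicator should
only appear when the header-From domain aligns with the domain that passed
DKIM or SPF, not when *any* domain passed. Assumptions: the
Authentication-Results header written by the receiving MTA is trusted, and
the organizational domain is approximated as the last two labels (a real
implementation would use the Public Suffix List).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: brand mail signed and sent by the brand's own domain.
ALIGNED_MSG = """\
From: "Brand Shipping" <notice@brand.example>
To: customer@recipient.example
Subject: Your parcel is on its way
DKIM-Signature: v=1; a=rsa-sha256; d=brand.example; s=sel1;
 h=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=
Authentication-Results: mx.recipient.example;
 dkim=pass header.d=brand.example;
 spf=pass smtp.mailfrom=bounce@brand.example

Tracking update.
"""

# Constructed sample 2: the header-From claims the brand, but the only passing
# DKIM and SPF identities belong to a shared mail server. A rule that accepts a
# DKIM pass from any domain would still decorate this message.
UNALIGNED_MSG = """\
From: "Brand Shipping" <notice@brand.example>
To: customer@recipient.example
Subject: Action required: redelivery fee
DKIM-Signature: v=1; a=rsa-sha256; d=shared-mailer.example; s=x;
 h=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=
Authentication-Results: mx.recipient.example;
 dkim=pass header.d=shared-mailer.example;
 spf=pass smtp.mailfrom=bounce@shared-mailer.example

Pay here.
"""

# method=result ... header.d=<domain> | smtp.mailfrom=[local@]<domain>
AUTH_RE = re.compile(
    r"(dkim|spf)=(\w+)[^;]*?(?:header\.d|smtp\.mailfrom)=(?:[^@\s;]*@)?([\w.-]+)",
    re.IGNORECASE,
)


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels (no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment: exact match (strict) or same org domain."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def authenticated_identities(raw: str) -> list:
    """Return (method, domain) pairs that passed, per Authentication-Results."""
    msg = message_from_string(raw)
    passed = []
    for ar in msg.get_all("Authentication-Results", []):
        for method, result, domain in AUTH_RE.findall(ar):
            if result.lower() == "pass":
                passed.append((method.lower(), domain.lower()))
    return passed


def bimi_decision(raw: str, strict: bool = False) -> dict:
    """Decide whether a brand indicator may be shown for this message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    passed = authenticated_identities(raw)
    aligned_via = [m for m, d in passed if aligned(from_domain, d, strict)]
    return {
        "from_domain": from_domain,
        "passed": passed,
        "aligned_via": aligned_via,
        "show_indicator": bool(aligned_via),  # only when an aligned identity passed
    }


if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED_MSG), ("unaligned", UNALIGNED_MSG)):
        print(name, bimi_decision(raw))
```

Both samples carry a passing DKIM result, so a check that stops at “some DKIM signature verified” treats them identically; the alignment step is what separates the brand’s own mail from mail relayed through a shared server that happens to appear in the brand’s SPF record.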

Users are advised to carefully review all verified email addresses before acting.

Scammers fabricate addresses with many different numbers and letters while capturing the company name in hopes of tricking recipients.

Surprisingly, Google’s first response was to ignore the problem. Cybersecurity engineer Chris Plummer says the tech giant’s security team initially told him ‘won’t fix – intended behavior’.

According to Rudenberg, other email clients have recently had or are still having similar issues with their BIMI-authenticated “verified” email address system, including Microsoft 365 and Apple Mail, when paired with Fastmail.

iCloud and Yahoo were significantly more secure.

Thankfully, Google now lists this fake “blue tick” bug as a top priority or “P1” issue.

“After taking a closer look, we realized that this indeed did not look like a generic SPF vulnerability,” a Google representative wrote to Plummer late last week. “So we’re reopening that and the appropriate team is taking a closer look at what’s going on.”

“We apologize again for the confusion.”
