Blue check marks didn't save the day: fraudsters have learnt to bypass the "official" email check
Less than a month ago, Google announced a "blue tick" feature for Gmail that aims to combat fraudulent emails. Within a few weeks, fraudsters had already found a way around it.
Here's What We Know
Last month, Gmail launched a new feature called blue check marks, which lets businesses verify their marketing emails and other messages so they are marked as "official". At first glance this sounds great, but in practice the results are less impressive.
Chris Plummer, a senior cybersecurity architect at Dartmouth Health, tweeted last week that Gmail's blue check marks can be faked. He identified an issue involving Brand Indicators for Message Identification (BIMI), DMARC (Domain-based Message Authentication, Reporting and Conformance) and the Verified Mark Certificate (VMC) that Gmail uses to verify logos and the domains associated with them:
There is most certainly a bug in Gmail being exploited by scammers to pull this off, so I submitted a bug which @google lazily closed as "won't fix - intended behaviour". How is a scammer impersonating @UPS in such a convincing way "intended". pic.twitter.com/soMq7KraHm
- plum (@chrisplummer) 1 June 2023
Plummer did not say how the fraudsters circumvented the system, but he did provide an example of an email, with more details, that used the UPS logo together with a domain containing "ups.com" to obtain a blue check mark on a message that was plainly not official.
In a statement issued shortly after the tweet was published, Google explained that the issue stemmed from a third-party vulnerability and that it would in future require senders to use the DomainKeys Identified Mail (DKIM) authentication standard to qualify for blue check marks. DMARC can be satisfied by either an aligned SPF result or an aligned DKIM signature; insisting on the DKIM path means the check mark depends on a signature made with the brand's own key rather than only on the sending infrastructure being authorised for the domain.
Source: 9to5Google