Blue checkboxes didn't save the day: fraudsters have learnt to bypass the "official" email check

By: Dmitro Koval | 06.06.2023, 22:12
Blue checkboxes didn't save the day: fraudsters have learnt to bypass the "official" email check

Less than a month ago, Google announced a "blue tick" feature feature for Gmail, which aims to combat fraudulent emails. However, within a few weeks, fraudsters have already found a way around this system.

Here's What We Know

Last month, Gmail launched a new feature called blue check marks, which allow businesses to verify their marketing emails and other messages to mark them as "official". At first glance, this sounds great, but in reality, the results are not so impressive.

Chris Plummer, a senior cybersecurity architect at Dartmouth Health, tweeted last week that Gmail's blue check marks can be faked. He identified an issue related to the Brand Indicators (BIMI), DMARC (Domain Based Message Authentication, Reporting and Compliance) and VMC (Verified Mark Certificate) used by Gmail to verify logos and attached domains:

Plummer didn't say how the fraudsters managed to circumvent the system, but he did provide an example of an email with more details that used the UPS logo along with a domain containing "ups.com" to fake a blue check mark in an email that was obviously not official.

In a statement issued by Google shortly after the tweet was published, the company explained that the issue was due to a third-party vulnerability and that it would in future require senders to use the DomainKeys Identified Mail (DKIM) authentication standard to qualify for blue check marks.

Source: 9to5Google