Gmail’s Blue Check Mark Verification System Vulnerable to Counterfeiting
Gmail’s new blue check mark verification system, designed to let businesses authenticate their marketing emails and have them displayed as legitimate, debuted less than a month ago. Its effectiveness has already been called into question: Chris Plummer, a senior cybersecurity architect at Dartmouth Health, showed on Twitter that the blue check mark can be obtained by a message that is not from the brand it claims to be from.
The verification process is based on Brand Indicators for Message Identification (BIMI), which builds on DMARC (Domain-based Message Authentication, Reporting, and Conformance) and a Verified Mark Certificate (VMC) issued by a trusted certificate authority such as Entrust or DigiCert. DMARC is meant to establish that the message really comes from the domain in the From: header; the VMC binds the trademarked logo to that domain. Together they are intended to verify both the logo and the associated domain.
Example of a Scammer Email
Plummer does not disclose the specific method used to bypass the system. He does give an example of a scammer email: it carried the UPS logo and a sender address on the ups.com domain, and Gmail rendered it with the same check mark a genuine UPS email would carry.
This is all the more troubling because Google initially closed Plummer’s bug report as “intended behavior.” The company later reversed that decision and reopened the issue, which leaves room for a fix, though no timeline was given.
Google’s Commitment to User Safety
In response, Google released a statement attributing the problem to a third-party vulnerability. It also states that senders must now pass the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for a blue check mark. This matters because DMARC is satisfied when either SPF or DKIM aligns with the From: domain: a message that passed DMARC on SPF alignment alone used to qualify, whereas a DKIM pass requires a signature made with a key published in DNS under the brand’s own domain. Google said the new requirement would be in place by the end of the week.
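The following is an added example, not code from Google, Plummer or the BIMI specification, that makes the two checks described above concrete: whether a domain's DNS records make it eligible for BIMI and a VMC-backed mark at all, and whether an individual message that passed DMARC should receive the mark under the old rule (SPF or DKIM aligned) versus the new rule (DKIM aligned). The DNS records, Authentication-Results headers and domain names are constructed for the example; organisational-domain matching is simplified to the last two labels instead of the Public Suffix List.

```python
"""Illustrative BIMI eligibility checks (added example; not Google's logic)."""

# Constructed DNS answers (not real records). BIMI needs an enforcing DMARC
# policy (p=reject, or p=quarantine with pct=100) plus a _bimi TXT record;
# the `a=` tag points at the Verified Mark Certificate the blue mark relies on.
DNS = {
    "_dmarc.example-brand.test":
        "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example-brand.test",
    "default._bimi.example-brand.test":
        "v=BIMI1; l=https://example-brand.test/logo.svg; a=https://example-brand.test/vmc.pem",
    "_dmarc.weak-brand.test": "v=DMARC1; p=none",
    "default._bimi.weak-brand.test": "v=BIMI1; l=https://weak-brand.test/logo.svg;",
}

# Constructed Authentication-Results headers. Message A passed DMARC only
# because the relay's IP satisfied SPF for the brand; it carries no DKIM
# signature. Message B is DKIM-signed with a key under the From: domain.
AUTH_SPF_ONLY = ("mx.receiver.test; spf=pass smtp.mailfrom=example-brand.test;"
                 " dkim=none; dmarc=pass header.from=example-brand.test")
AUTH_DKIM = ("mx.receiver.test; dkim=pass header.d=example-brand.test header.s=s1;"
             " spf=fail smtp.mailfrom=other.test;"
             " dmarc=pass header.from=example-brand.test")


def parse_tags(txt):
    """Parse the 'k=v; k=v' tag lists used by DMARC and BIMI TXT records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_enforcing(domain, dns=DNS):
    """True if the domain's DMARC policy is strong enough for BIMI."""
    rec = dns.get(f"_dmarc.{domain}")
    if not rec:
        return False
    t = parse_tags(rec)
    if t.get("v", "").upper() != "DMARC1":
        return False
    p = t.get("p", "").lower()
    pct = int(t.get("pct", "100"))
    return p == "reject" or (p == "quarantine" and pct == 100)


def bimi_record(domain, selector="default", dns=DNS):
    """Return the parsed BIMI record if present and well-formed, else None."""
    rec = dns.get(f"{selector}._bimi.{domain}")
    if not rec:
        return None
    t = parse_tags(rec)
    if t.get("v", "").upper() != "BIMI1" or not t.get("l"):
        return None
    return t


def domain_eligible(domain, dns=DNS):
    """Return (logo_possible, verified_mark_possible) for the domain."""
    if not dmarc_enforcing(domain, dns):
        return (False, False)
    t = bimi_record(domain, dns=dns)
    if t is None:
        return (False, False)
    return (True, bool(t.get("a")))   # a VMC (a= tag) is needed for the mark


def parse_auth_results(header):
    """Authentication-Results -> {method: {'result': r, prop: value, ...}}."""
    out = {}
    for clause in header.split(";")[1:]:      # element 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                k, v = tok.split("=", 1)
                props[k.lower()] = v.lower()
        out[method.lower()] = props
    return out


def org_domain(d):
    """Simplified organisational domain: last two labels (assumption)."""
    return ".".join(d.lower().split(".")[-2:])


def aligned(identifier, from_domain, strict=False):
    """DMARC identifier alignment: exact match (strict) or same org domain."""
    if not identifier or not from_domain:
        return False
    if strict:
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def message_gets_mark(header, require_dkim):
    """Decide whether a DMARC-passing message qualifies for the mark."""
    ar = parse_auth_results(header)
    dmarc = ar.get("dmarc", {})
    if dmarc.get("result") != "pass":
        return False
    frm = dmarc.get("header.from", "")
    dkim, spf = ar.get("dkim", {}), ar.get("spf", {})
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d"), frm)
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom"), frm)
    # Old rule: any aligned DMARC pass. New rule: the DKIM leg must be aligned.
    return dkim_ok if require_dkim else (dkim_ok or spf_ok)


if __name__ == "__main__":
    print("example-brand.test eligible:", domain_eligible("example-brand.test"))
    print("weak-brand.test eligible:", domain_eligible("weak-brand.test"))
    for name, hdr in (("SPF-only", AUTH_SPF_ONLY), ("DKIM", AUTH_DKIM)):
        print(name, "old rule:", message_gets_mark(hdr, require_dkim=False),
              "new rule:", message_gets_mark(hdr, require_dkim=True))
```

Running it shows the point of the policy change: the SPF-only message qualifies under the old rule and is refused under the new one, while the DKIM-signed message qualifies under both. The weak-brand.test domain never qualifies because its DMARC policy is p=none, and a real checker would also fetch and validate the VMC referenced by the `a=` tag rather than only noting that it is present.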
This incident highlights the ongoing battle between security measures and determined crooks. Despite the setback, Google moved quickly to address the issue and tighten the verification process.
Verification systems like Gmail’s blue check mark can provide significant benefits, but scammers will keep probing them for weaknesses. With the DKIM requirement, Google is taking a step toward ensuring that recipients can trust the mark to mean a message really came from the business it claims to represent.