Gmail Security Compromised: Verified Checkmark System Under Attack
Gmail’s newly introduced security measure, the verified checkmark system for emails, has already been exploited by scammers to deceive users. The system was launched with the intent of identifying verified companies and organisations with a blue checkmark, providing a seal of authenticity to help users distinguish legitimate emails from potential scams. However, the system which was designed to safeguard users, is now ironically being used as a tool against them.
Chris Plummer, a cyber security engineer, was the first to spot this exploitation. In an alarming discovery, Plummer noticed that scammers had managed to trick the system into accepting their fake brands as legitimate, effectively turning the trust-inducing checkmark into a weapon against unsuspecting Gmail users. “The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust,” Plummer explained. This unwarranted approval led to an email routed from a Facebook account, through a UK netblock, to an Office 365 account, and then to him, passing as a verified email when it was anything but.
Plummer immediately reported this glaring security flaw to Google and this report was initially dismissed as “intended behaviour”. However, his subsequent tweets highlighting the issue quickly went viral, forcing Google to acknowledge the error. In a statement to Plummer, Google admitted, “After taking a closer look we realised that this indeed doesn’t seem like a generic SPF (Sender Policy Framework) vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on.” Google expressed regret for the initial confusion and appreciated Plummer’s persistence in raising the issue. The company has now listed the flaw as a ‘P1’ or Top Priority fix, which is currently in progress.
While Google works on a fix, Gmail users are advised to exercise caution. The Gmail checkmark verification system, in its current state, remains compromised, and hackers and spammers are able to use it to trick users into believing fraudulent emails are genuine. 1.8 Billion Gmail users can thank Plummer, not just for his discovery, but also for his relentless efforts to make Google acknowledge the problem. Despite the verification system’s current vulnerability, Gmail’s security remains a top priority, and users are urged to stay vigilant in these uncertain times.
At One2Call can protect your emails with Active Email Threat Protection, this service can monitor for the legitimacy of email sources, monitor the links within email to confirm their legitimacy and also look for unusual or suspicious behaviour/sentiment within emails that could potentially be harmful to your business. If you would like to find out more about Active Email Threat Protection, click the link below, or download our Free Cyber Security Self Assessment form where we can work with your business to ensure that you have the best Cyber Security policies and practices in place to protect your business against evolving cyber threats.
Latest News Stories
(Updated 12/04/23 – 09:30BST) SECURITY ALERT: 3CX Desktop App Security Vulnerability
UPDATE 12/04/2023 - 09:30BST: Mandiant's initial investigation into the 3CX intrusion and supply chain attack attributes the activity to a North Korean-linked group, UNC4736. They discovered that the attackers infected targeted 3CX systems with Windows-based TAXHAUL...
FBI Issues Cyber Security Warning over using Public Charging Points
The FBI has issued a warning urging individuals and businesses to avoid using public USB ports due to the risk of malware infections. According to a tweet from the Denver FBI office (as reported by CNBC), cyber criminals have exploited charging stations and points...
New Cyber Alert – New Nexus Trojan on Android, Attacking Mobile Banking Accounts
The new Android trojan is being spread through phishing pages disguised as legitimate websites called YouTube Vanced. The botnet, named Nexus, was first made available on a forum in January 2023 for a monthly fee of $3,000 and was described as a "very new" project...
Our Customers
Testimonials
Sarah Wroe, Commercial Property Partners
Stayed late on a Friday evening to fix my computer. Thank you
Peter, Peak Sensors
Very helpful, did exactly what I needed. Very competent people completing tasks accurately and quickly.
Annette, Blastcom
Ryan was very helpful and sorted out the problem for me.