"Official" letters should not be trusted either: Fraudsters have learned how to fake the blue checkmark in Gmail

June 5, 2023  18:12

Google recently launched a system to verify email senders, but it turns out that it is vulnerable to fraudsters who have learned to spoof the blue check and impersonate brands and organizations.

As the Security Lab website reports, at the beginning of May Gmail launched a verification check intended to help protect users from phishing attacks: with this check, users could be sure that an email they received was sent by a trusted company and therefore would not have to worry about their security.

In order to receive the certificate, companies and organizations must go through a special verification process. However, as it turns out, criminals can also send emails bearing the check mark.

Cybersecurity engineer Chris Plummer discovered and tweeted an example of a fake email purporting to come from the UPS delivery service. In the email, the attacker asks the recipient to follow a phishing link and confirm their information in order to receive a package.

Plummer noticed that the sender's email address was a random combination of letters and did not match the UPS domain. Nevertheless, the email carried a blue check mark which, when hovered over, indicated that the email came from a verified source.

It is not yet known how the fraudsters deceive Google's system and obtain these credentials. Plummer suggests that there is a bug in Gmail that fraudsters can exploit to obtain the blue checkmark.

Interestingly, Google initially did not acknowledge that there was such a problem and stated that the verification system was working properly. However, once Plummer published evidence of his discovery, the company said it was already working on a fix.
