2023-06-08



Last month, Google announced that Gmail users would now see a blue checkmark next to the brand logo of senders who participate in the company’s brand-indicator program for identifying messages. BIMI and its blue checkmark were designed to give recipients additional confidence that a branded sender was who it claimed to be, and were meant to be a blow against email spoofing and phishing.

However, less than a month after BIMI’s rollout, scammers found a way to circumvent that control, spoofing the brand and successfully sending Google users emails impersonating logistics giant UPS.

Google now says it is stepping up its BIMI verification process, blaming unnamed “third parties” whose services were used in ways that circumvent security controls and deliver spoofed messages to inboxes. Experts say email providers, including Microsoft, may still be allowing this kind of behavior and are not doing enough to address security issues that point to the staggering complexity of the modern email ecosystem.

Security researchers say that the way BIMI is implemented means malicious actors can exploit the system to impersonate well-known brands more effectively, and that end users are then much more likely to click malicious links or open dangerous attachments sent as part of a phishing attack.

According to the 2023 Verizon Data Breach Investigations Report, phishing accounts for nearly half of social engineering attacks, leading to tens of millions of dollars lost annually. Over the years, various protocols such as SPF and DKIM have been adopted to address email sender verification, but these protocols are imperfect solutions that each address a different aspect of a complex problem.

Developed by an industry working group in 2018 and first adopted by Google in July 2021, BIMI allows brands in the program to display “verified logos” in Gmail and was intended to provide an additional layer of email security; the company said in its rollout announcement that it would “increase the credibility of the source” of emails sent to recipients. The idea was that BIMI would require DMARC together with the SPF or DKIM email authentication standards, conveying an additional level of trust and recognition to branded senders.

Alex Liu, a cybersecurity researcher and PhD student at the University of California, San Diego, who studies vulnerabilities in email verification protocols, said he was not surprised to see scammers attacking BIMI. Historically, it is usually scammers who adopt these new protocols first, Liu told CyberScoop in an email. He added that it would depend on companies like Microsoft.

The controversy over how BIMI is implemented began with a series of tweets by New Hampshire cybersecurity expert Chris Plummer, who described Google’s implementation of BIMI as potentially “catastrophic” and said that users could be much more likely to act on incorrectly validated messages.

Plummer told CyberScoop: “The headers of the messages I received showed clear tampering, but Google didn’t go far enough up the delivery chain to confirm it.”

In a study published earlier this year, Liu and a group of co-authors documented how the protocols meant to prevent sender domain spoofing struggle when they encounter forwarded email, a tool that large companies which send lots of email, including BIMI participants, often rely on.

Plummer became aware of the BIMI issue when he noticed an email in his Gmail inbox purporting to be from UPS. He told local news outlets that something seemed wrong, and he determined that the email wasn’t actually from UPS. He filed a bug report with Google on May 31, but the company “slowly” closed the report as “intended behavior that won’t be fixed,” Plummer tweeted. “How do scammers have the ‘intent’ to impersonate @UPS in such a convincing way?” Plummer added in his tweet, which has since been viewed nearly 155,000 times.

“Sender found a way to cheat @gmail’s authoritative stamp of approval that end-users trust,” Plummer said in a subsequent tweet. “This message went from a Facebook netblock in the UK, to O365, to me. Nothing about this is legitimate. Google just doesn’t want to treat this report honestly.”

The next day, after Plummer appealed, Google reversed course and said it was reconsidering his report. In a note thanking him “for your detailed investigation,” the company designated the bug as a “P1” priority.

“This issue stems from a third-party security vulnerability that allows bad actors to appear more trustworthy than they actually are,” a Google spokesperson told CyberScoop in an email Monday. “To keep our users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to obtain brand indicator (blue checkmark) status for their messages.”

A Google spokesperson said the DKIM requirement should be fully in place by the end of this week, a change from the previous policy, which called for either DKIM or another standard, the Sender Policy Framework (SPF). Email providers use both, in part, to determine whether incoming email is likely to be spam and, in theory, to authenticate that the sender is who they say they are. The spokesperson added that Google appreciated Plummer’s efforts to draw attention to the issue.
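To make the policy change above concrete, the following added example (not code from the article, Google, or any mail provider) evaluates a simplified Authentication-Results value under both rules: the earlier “DKIM or SPF” rule and the DKIM-only rule. The header values, domain names and alignment logic are constructed assumptions for illustration; real BIMI evaluation involves more checks than shown here.

```python
# Constructed Authentication-Results values used as sample input; they are not
# headers from the article or from any real message.
SPF_ONLY = "spf=pass smtp.mailfrom=brand.example; dkim=none"
DKIM_SIGNED = ("spf=fail smtp.mailfrom=forwarder.example; "
               "dkim=pass header.d=brand.example")
UNALIGNED = ("spf=pass smtp.mailfrom=other.example; "
             "dkim=pass header.d=other.example")


def parse_auth_results(value):
    """Parse a simplified Authentication-Results value into
    {method: {"result": ..., "<property>": ...}}."""
    parsed = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            if val:
                entry[key.lower()] = val.lower()
        parsed[method.lower()] = entry
    return parsed


def aligned(domain, from_domain):
    """Relaxed DMARC alignment: exact match or a subdomain of the From domain."""
    return bool(domain) and (domain == from_domain
                             or domain.endswith("." + from_domain))


def bimi_eligible(auth_results, from_domain, require_dkim):
    """Return True if a logo may be shown for this message.

    require_dkim=False models the earlier 'DKIM or SPF' rule; True models the
    DKIM-only rule. SPF only checks that the connecting IP is authorised for
    the envelope sender, so it says nothing about the message contents; DKIM
    signs selected headers and the body under the brand's domain."""
    ar = parse_auth_results(auth_results)
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(
        spf.get("smtp.mailfrom", ""), from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(
        dkim.get("header.d", ""), from_domain)
    dmarc_pass = spf_ok or dkim_ok          # DMARC needs one aligned pass
    if not dmarc_pass:
        return False
    return dkim_ok if require_dkim else True
```

The SPF_ONLY sample qualifies for a logo under the old rule but not the new one, which is the practical effect of the change Google described.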

After Plummer first highlighted the BIMI issue on Twitter, security researcher Jonathan Rudenberg recreated the issue via Microsoft 365 by sending an email spoofing a Gmail account from Microsoft’s email system, and submitted a bug report to Microsoft.

But for now, Microsoft says it is Google’s responsibility, not its own, to fix the problem. The Microsoft Security Response Center, in its reply to Rudenberg’s bug report, said the issue “is not an imminent threat that requires immediate attention,” adding that the “burden” of ensuring security lies with the end user’s email provider, which in this case was Google.

In its response, the company said: “It’s true that SMTP/MX can be easily spoofed, but it’s up to the receiving mail provider to verify the content and origin of the message. Any email that genuinely originates from Microsoft can be authenticated using SPF and DKIM; it is a flaw in the receiving email service if messages are not rejected or sent to spam folders.”

Microsoft did not immediately respond to a request for comment.

