Google Tightening its Email Authentication Protocol
Google is tightening its email security protocol after a researcher discovered a flaw that allowed scammers to impersonate brands, a vulnerability that highlights the complexity of modern email ecosystems. In July 2021, Google implemented Brand Indicators for Message Identification (BIMI) as an additional layer of email security, displaying validated company logos alongside messages in Gmail to increase user confidence. However, scammers found ways around BIMI’s controls and impersonated the logistics provider UPS by delivering fake messages to Gmail users. Chris Plummer, a cybersecurity professional, helped highlight BIMI’s vulnerability through a series of tweets, which prompted Google to re-examine its security protocol.
BIMI’s Role in Email Security
BIMI works alongside SPF and DKIM protocols to address email sender verification, but these protocols are incomplete solutions addressing different aspects of a complex problem. Scammers are usually the first to adopt new protocols, as seen with BIMI. Alex Liu, a cybersecurity researcher and PhD student at the University of California San Diego, warns that malicious actors could abuse BIMI to more effectively impersonate well-known brands, making it much more likely for end-users to click on a malicious link or open a dodgy attachment as part of a phishing attack.
Email Spoofing and Forwarding
In addition to impersonation, BIMI struggles with forwarded messages. Plummer discovered that the headers of the message he received showed apparent subversion, but sources further up the delivery chain did not detect the issues, which led to the delivery of fake messages to inboxes. For large corporations that rely on mass emails, forwarding is a necessary tool that makes them vulnerable to such attacks.
Google Tightening BIMI Verification
To keep users safe, Google is requiring senders to use the DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status. The DKIM requirement should be fully in place by the end of the week, marking a change from the previous policy that required either DKIM or a separate standard – the Sender Policy Framework (SPF).
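The policy change described above, modeled as an added example (this is not Google's code): it parses an Authentication-Results header and evaluates it under the earlier "DKIM or SPF" rule and under the "DKIM required" rule. The header values are constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample Authentication-Results values (RFC 8601 style), not from the page.
SPF_ONLY = (
    "mx.example.net; spf=pass (sender IP is 192.0.2.10) "
    "smtp.mailfrom=brand.example; dkim=none (message not signed)"
)
DKIM_SIGNED = (
    "mx.example.net;\r\n dkim=pass header.d=brand.example header.s=sel1;\r\n"
    " spf=softfail smtp.mailfrom=forwarder.example"
)

def parse_auth_results(value):
    """Return {method: [{'result': ..., 'props': {...}}]} for one header value."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"\([^()]*\)", " ", value)    # drop (non-nested) comments
    results = {}
    for clause in value.split(";")[1:]:          # element 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue                             # e.g. a bare "none" clause
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.setdefault(method.lower(), []).append(
            {"result": result.lower(), "props": props}
        )
    return results

def passed(results, method):
    """True if any recorded result for this method is 'pass'."""
    return any(r["result"] == "pass" for r in results.get(method, []))

def indicator_eligible(value, require_dkim):
    """Simplified model of the two policies the article describes."""
    results = parse_auth_results(value)
    if require_dkim:                             # newer rule: DKIM must pass
        return passed(results, "dkim")
    return passed(results, "dkim") or passed(results, "spf")  # earlier rule

if __name__ == "__main__":
    for name, header in (("SPF only", SPF_ONLY), ("DKIM signed", DKIM_SIGNED)):
        print(name,
              "| DKIM-or-SPF:", indicator_eligible(header, require_dkim=False),
              "| DKIM required:", indicator_eligible(header, require_dkim=True))
```

The SPF-only sample qualifies under the earlier rule and is rejected once DKIM is mandatory, while the DKIM-signed sample qualifies under both even though its SPF result is a softfail.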
Philosophical Discussion: Email Authentication and Cybersecurity
While email authentication protocols such as SPF, DKIM, and BIMI address email verification issues, they are all incomplete solutions that have different limitations. As online scammers are usually the quickest to adopt these protocols, this highlights the importance of improving the security implementation and detection of potential weak points. The complexity of modern email ecosystems and of the technologies behind how they function presents cybersecurity professionals with a perpetual challenge: keeping email recipients safe while preventing legitimate emails from being delivered to the spam folder or being entirely rejected.
Editorial: Cybersecurity Responsibility and the Complexity of Email Ecosystems
With several email protocols designed to address different email security concerns, many organizations will find it challenging to adopt them without compromising user experience, which is costly. Cybersecurity standards should be governed by safety first. While companies claim to have the user’s best interests in mind, cyber threats slip through the cracks. Google’s prompt response regarding BIMI is commendable, but the industry must develop better security protocols, given the rise in cyber threats.
Advice: Staying Vigilant Against Email Scams
Email users must be cautious of any unsolicited or suspicious emails. They should not provide personal information or download attachments from unknown senders. Companies and email security providers must improve their detection mechanisms to prevent email scams from reaching end-users. Email forwarding remains a critical threat to cybersecurity, allowing one email to damage an entire network. Therefore, mass-email companies must develop effective methods to prevent impersonation and protect users from phishing attacks.