Google has responded to a security researcher’s tweets alerting it to a flaw in its email security scheme that scammers used to impersonate large brands and send phishing emails to Gmail users. Despite the recent rollout of Google’s Brand Indicators for Message Identification (BIMI) program and the use of blue check marks to indicate verified brands, scammers found a way around it and managed to dupe Google users. The situation highlights the complexities of email security, and how email providers like Google and Microsoft should respond proactively to address such issues.
Flaws in BIMI Authentication Protocol
Email authentication protocols such as SPF and DKIM, along with proprietary ones, have been in use for years. BIMI, an industry group protocol developed in 2018 and adopted by Google later, was envisioned to add another layer of security to email by displaying validated logos in Gmail for brands that use DMARC, SPF, or DKIM to authenticate their email messages. However, security researchers questioned the reliability of BIMI, as malicious groups can use it to deceive users more effectively into opening communications they believe are genuine.
BIMI’s Incomplete Solution
Alex Liu, a cybersecurity researcher and PhD student at the University of California San Diego, remarked that cybercriminals are often the first to take advantage of new protocols, including BIMI, and abuse them. Moreover, implementing lengthy procedures and multiple protocols sometimes fails to resolve the problem, as exemplified by the way forged emails manage to slip through the cracks of BIMI, SPF, and DKIM. For instance, these protocols struggle with verifying emails that have been forwarded or mass-mailed, which large corporations rely on to communicate with their network. Due to the complicated nature of email security and its multifaceted problems, anticipatory and multi-layered defenses should be considered and put in place.
The Google BIMI Incident
Chris Plummer, a New Hampshire-based cybersecurity professional, set off the alert on BIMI’s implementation when he noticed an email in his Gmail inbox claiming to be from UPS. He noticed something off about the email, and when he investigated, he discovered that it was a scam. An unnamed third-party service allowed bad actors to appear more trustworthy, letting a scammer impersonate UPS convincingly. Plummer presented his finding to Google, but it was initially dismissed without serious review. This prompted him to tweet his finding, which was seen 155,000 times, and Google had to apologize for the oversight and re-examine its infrastructure.
Microsoft’s Position
Jonathan Rudenberg, another security researcher, reproduced the same issue using Microsoft 365 and got the same outcome. Microsoft, however, responded that it was not its responsibility to fix the problem but Google’s, because Google’s email system was the one responsible for rejecting fake messages.
Editorial
The Google BIMI incident is a critical warning sign, reminding us that future cybersecurity protocols and strategies require the highest levels of security, using machine learning algorithms, AI, and blockchain to identify and stop cyber-attacks. Big tech companies such as Microsoft and Google should prioritize network security and be proactive in addressing potential security flaws before hackers exploit them. It is also crucial to work together as a community to develop anticipatory measures that will ensure email security protocols remain effective.
Advice
End users can minimize risk by checking that received emails carry a valid DomainKeys Identified Mail (DKIM) signature. Otherwise, it’s critical to double-check the source of any email received, especially one containing links or attachments. Currently, email security cannot be 100% guaranteed, making it necessary to adopt multi-layered defenses and anticipate significant risks by improving the existing protocols. Until email providers and tech companies adopt more comprehensive security measures to identify new cyber threats, users have to remain vigilant against phishing scams that masquerade as trusted brands.
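As an added illustration, not code from the article or from Google, the following Python evaluates the Authentication-Results of three constructed messages the way a DMARC-style check does: an SPF or DKIM pass only counts when the authenticated domain aligns with the visible From domain, which lets forwarded mail through (the DKIM signature survives forwarding) while refusing mail whose only pass belongs to a relay’s own domain. The sample headers, the domain names and the two-label alignment rule are assumptions made for this example.

```python
import re

# Constructed Authentication-Results samples (not from the article): From domain + header.
SAMPLES = {
    # Direct delivery: SPF and DKIM pass and both align with the From domain.
    "direct": ("brand.example",
               "spf=pass smtp.mailfrom=brand.example; dkim=pass header.d=brand.example"),
    # Forwarded mail: SPF breaks at the forwarder, but the DKIM signature survives.
    "forwarded": ("brand.example",
                  "spf=fail smtp.mailfrom=brand.example; dkim=pass header.d=brand.example"),
    # Relayed through a third-party service: SPF passes for the relay's own domain only.
    "relayed": ("brand.example", "spf=pass smtp.mailfrom=relay.example; dkim=none"),
}

CLAUSE = re.compile(r"(spf|dkim)=(\w+)(?:.*?(?:smtp\.mailfrom|header\.d)=([\w.-]+))?")

def parse_auth_results(header):
    """Map each mechanism to (result, authenticated domain or None)."""
    results = {}
    for clause in header.split(";"):
        m = CLAUSE.match(clause.strip())
        if m:
            results[m.group(1)] = (m.group(2).lower(), m.group(3))
    return results

def org_domain(domain):
    # Simplified relaxed alignment: compare the last two labels. A hypothetical stand-in
    # for the public-suffix lookup that real DMARC implementations perform.
    return ".".join(domain.lower().split(".")[-2:])

def naive_any_pass(results):
    """Weak check: any 'pass' counts, no matter which domain it was issued for."""
    return any(status == "pass" for status, _ in results.values())

def aligned_pass(results, from_domain):
    """DMARC-style check: a pass counts only if its domain aligns with the visible From."""
    for status, domain in results.values():
        if status == "pass" and domain and org_domain(domain) == org_domain(from_domain):
            return True
    return False

def evaluate(name):
    """Return (naive verdict, aligned verdict) for one constructed sample."""
    from_domain, header = SAMPLES[name]
    results = parse_auth_results(header)
    return naive_any_pass(results), aligned_pass(results, from_domain)
```

The relayed sample is the one the naive check accepts and the aligned check rejects: a pass for the relay’s domain says nothing about who controls the brand domain shown in From.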