Gmail Spoofing: Scammers Impersonate Gmail’s BIMI Identifiers


A new security warning has been issued for Google’s 1.8 billion Gmail users due to a vulnerability in the Gmail BIMI authentication system. Scammers have exploited this security feature, putting users at risk. 

This article explores the discovery, mitigation efforts, and prevention methods related to the recent Gmail security case, including the role of PowerDMARC in preventing spoofing attacks.

Discovery: Exploiting Gmail’s BIMI Identifiers

Gmail’s security has always been one of its biggest selling points, but recently a significant vulnerability has been discovered in one of its most important security features. 

Last month, Google introduced Gmail’s BIMI checkmark system to help users distinguish between legitimate emails and those sent by impersonators running scams. 

However, scammers have found a way to exploit this system, putting Gmail’s 1.8 billion users at risk.

Introduced as a solution to combat phishing and impersonation attacks, the Gmail blue verified checkmark system highlights verified companies and organizations to users with a blue checkmark. 

The idea was to instill confidence in users and allow them to discern which emails are legitimate and which may have been sent by impersonators. Unfortunately, scammers have managed to manipulate the system.

Mitigation: Google Acknowledges the Issue

Cybersecurity engineer Chris Plummer was the first to spot the scammers’ manipulation of the Gmail BIMI system. By tricking Gmail into recognizing their fake brands as legitimate, scammers could bypass the system’s intended purpose of instilling user confidence. 

Plummer immediately reported his findings to Google, expecting a swift response to address the vulnerability. However, Google initially dismissed his discovery as “intended behavior,” causing frustration among security experts and users alike.

Thanks to the attention generated by Plummer’s tweets and the subsequent viral spread of the issue, Google soon recognized the severity of the problem. The company acknowledged the error and categorized it as a top-priority fix. 

In a statement to Plummer, Gmail’s security team expressed gratitude for his persistence in raising awareness about the issue. They assured him and the user community that the appropriate team was resolving the vulnerability.

Prevention: Working Towards a Solution

Gmail’s security team is actively addressing the flaw in Gmail’s BIMI authentication system. They have apologized for the confusion caused and expressed their commitment to resolving the issue promptly. 

The fix is currently in progress, and Gmail’s security team aims to keep users informed about their assessment and the direction they take to resolve the problem. While waiting for the fix, Gmail users must remain vigilant and exercise caution when dealing with suspicious emails.

Update: Understanding the Scope of the Issue

Recent investigations into Gmail’s logo verification system have shed light on how scammers exploit it and what this implies for other email services. 

Jonathan Rudenberg, a debugger in Gmail’s security team, has successfully replicated the hack on Gmail and highlighted that other major email services are also vulnerable to similar attacks. 

This revelation has raised concerns within the security community about the vulnerability and poor implementation of the Gmail verification method.

Rudenberg discovered that Gmail’s Brand Indicators for Message Identification (BIMI) implementation only requires Sender Policy Framework (SPF) to match, while the DomainKeys Identified Mail (DKIM) signature can be from any domain. 

This misconfiguration means that any shared or misconfigured mail server listed in a BIMI-enabled domain’s SPF record can become a vector for sending spoofed messages that receive the full BIMI treatment in Gmail: SPF passes for the brand’s domain, while the DKIM signature comes from an unrelated domain and is never checked against the From address.
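As an added illustration (not code from the original post or from PowerDMARC), here is a small Python model of the two eligibility rules the article contrasts: an SPF-only check versus a check that requires a DKIM signature aligned with the From domain. The domain names and authentication results are constructed sample data, and the organizational-domain helper is a deliberate simplification.

```python
"""Added example (not from the original post or from PowerDMARC): a minimal
model of the two BIMI eligibility policies the article contrasts. All domain
names and authentication results below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str      # RFC5322.From domain that the user sees
    spf_result: str       # "pass" / "fail"
    spf_domain: str       # domain SPF was evaluated for (MAIL FROM)
    dkim_result: str      # "pass" / "fail" / "none"
    dkim_domain: str      # d= tag of the verified DKIM signature


def org_domain(domain: str) -> str:
    """Crude organizational-domain helper: keeps the last two labels.
    Assumption for this example; real verifiers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(a: str, b: str) -> bool:
    """Relaxed alignment: both names share the same organizational domain."""
    return org_domain(a) == org_domain(b)


def bimi_eligible_spf_only(r: AuthResults) -> bool:
    """The weak rule the article describes: SPF must pass and align with
    From; the DKIM signature may come from any domain at all."""
    return r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain)


def bimi_eligible_dkim_aligned(r: AuthResults) -> bool:
    """The hardened rule: a passing DKIM signature whose d= domain aligns
    with the From domain is required before showing the brand indicator."""
    return r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain)


# Constructed sample: a message relayed through a shared mail server that
# brand.example lists in its SPF record. SPF passes for brand.example, but
# the only DKIM signature present belongs to the relay, not to the brand.
SPOOFED = AuthResults("brand.example", "pass", "brand.example",
                      "pass", "shared-relay.example")

# Constructed sample: a legitimate message signed with brand.example's key.
LEGIT = AuthResults("brand.example", "pass", "brand.example",
                    "pass", "mail.brand.example")
```

Under the SPF-only rule the relayed message qualifies for the brand indicator; under the DKIM-aligned rule only the message signed by the brand's own domain does.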

Further investigations into BIMI implementations on other major email services have revealed the following:

  • iCloud properly checks that DKIM matches the From domain.
  • Yahoo only attaches BIMI treatment to bulk sends with a high reputation.
  • Fastmail is vulnerable but supports Gravatar and uses the same treatment for both, minimizing the impact.
  • Apple Mail + Fastmail is vulnerable to dangerous treatment.

These findings highlight the need for enhanced security measures across multiple email services to prevent scammers from exploiting vulnerabilities.

Update: Google’s Response and Immediate Action

Google’s press team has provided further details on the Gmail verification hack. The issue stems from a third-party security vulnerability that allows bad actors to appear more trustworthy than they are. 

To ensure user safety, Google now requires senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue tick) status. 

DKIM provides a stronger level of authentication and helps prevent spoofing attacks.

Google has assured users that a fix addressing the vulnerability will be fully rolled out by the end of the week. This issue’s swift identification and resolution demonstrate Google’s commitment to user security. 

However, it is worth noting that Google must take responsibility for building a verification system on top of an easily exploitable third-party service. Several observers have highlighted this point, emphasizing the need for a watertight verification system to maintain user trust and safety.

Spoofing and PowerDMARC: Protecting Against Attacks

Spoofing is a technique commonly employed by scammers and hackers to deceive users into believing that an email is from a legitimate source. Spoofed emails can have devastating consequences, including financial loss and compromised personal information. Preventing spoofing attacks requires robust email authentication measures.

One such solution is PowerDMARC, a comprehensive email security platform that offers advanced protection against spoofing attacks. 

PowerDMARC implements industry-standard email authentication protocols such as DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail). These protocols work together to verify the authenticity of emails and prevent unauthorized senders from spoofing legitimate domains.

By implementing PowerDMARC, organizations can significantly reduce the risk of spoofing incidents and protect their users from scams and phishing attempts. 

PowerDMARC provides real-time email authentication and reporting, allowing organizations to monitor their email ecosystem, identify unauthorized senders, and take immediate action to mitigate risks.

Conclusion: Prioritizing Security in the Face of Evolving Threats

The recent Gmail security warning regarding this vulnerability highlights the importance of staying vigilant in the face of evolving threats. 

While Google is actively working on fixing the vulnerability, users must exercise caution and employ additional security measures to protect themselves from potential scams. 

By leveraging PowerDMARC, organizations can strengthen their email security and ensure a safer digital environment for their users. Stay alert, think critically, and prioritize security in all your email interactions.

Ahona Rudra
Digital Marketing & Content Writer Manager at PowerDMARC
Ahona works as a Digital Marketing and Content Writer Manager at PowerDMARC. She is a passionate writer, blogger, and marketing specialist in cybersecurity and information technology.
June 21, 2023 / by Ahona Rudra
Tags: gmail bimi vulnerability, Gmail spoofing, spoofing attack