Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Gmail Delivers Spoofed Messages Without Warning, Researchers Find

Spoofed emails could easily land in user’s Gmail inboxes without even warning them of suspicious activity, security researchers have discovered.

Spoofed emails could easily land in user’s Gmail inboxes without even warning them of suspicious activity, security researchers have discovered.

While spam is normally used to deliver malicious documents or links to unsuspecting users, spoofed emails have a bigger chance of luring potential victims, because they are likely to click on a link or open a document coming from what they believe is a trusted contact. When it comes to spoofed messages, the sender is impersonated or changed to another, thus making messages appear legitimate.

Which users may expect Gmail to warn them of such suspicious activity, researchers at the Morphus Segurança da Informação recently discovered that this doesn’t always happen. According to them, users should revise the trust they have on Gmail blocking messages with spoofed senders, even when no alert is displayed regarding the legitimacy of that message.

“We realized that a message that appears in your Gmail inbox folder even with an important sign, coming from one of your Gmail contacts with no spoof or security alert, may have been forged and impersonated by a fraudster or cybercriminal,” Renato Marinho, Director at Morphus Segurança da Informação, explains.

Marinho explains that the Simple Mail Transfer Protocol (SMTP) defines the “mail envelop and its parameters, such as the message sender and recipient,” and not the message content and headers. Thus, a SMTP transaction includes Mail From (establishes the return address in case of failure), Rcpt to (the recipient address), and Data (a command for the SMTP server to receive the content of the message).

The value “From” displayed in the email is usually equivalent to the value used in the SMTP command “mail from” but, because it is part of the message content, “can be freely specified by the system or person issuing commands to the SMTP server.” Basically, an attacker simply needs to change the “From” to a desired value to spoof the sender, but that is almost certainly going to trigger anti-spam or anti-phishing mechanisms, Marinho explains.

However, attackers could also attempt to send spoofed messages on behalf of a certain domain by changing the “Mail from:” SMTP command as well, a practice that can be combated by applying spoofing protection mechanisms. Among them, SPF (Sender Policy Framework) allows admins to specify the IP addresses of the mail servers that are allowed to send e-mail messages on behalf of their domain.

To verify if these protections are effective, the security researchers decided to test the spoofing of Gmail and Yahoo addresses. They discovered that, if the SMTP server’s IP address wasn’t allowed in the SPF policy of their generic domain, the message wouldn’t be delivered. When a SPF policy was in place, however, the message was delivered in Gmail, albeit Yahoo continued to block it.

Advertisement. Scroll to continue reading.

Even more surprising, the researcher says, was that the message landed in the Inbox folder, and not in Spam. Further, there was almost no indication that the message wasn’t legitimate, except for a “via [the generic domain]” mention near the sender’s address. This mention, however, appears only in the web interface, but isn’t displayed in the Android or iOS applications.

After successfully spoofing messages between @gmail.com accounts, the researchers attempted to apply the strategy to corporative domains hosted by Google. They discovered not only that the messages were delivered without a warning, but that the spoofed account profile picture was also delivered (which could easily add a sense of legitimacy to the message).

“During our experiments, we’ve found a curious scenario in which Gmail detects the spoofed message. It happened when we tried to spoof an address that apparently does not exists on Gmail user base. In this situation, unlike the successful scenarios, Gmail forwarded the message to Spam folder and adds a special security alert informing that they could not verify if the message was really sent by gmail.com,” the researcher explains.

To stay protected, users are advised to pay attention to messages in their inbox coming from “@gmail.com” via another server, because they should normally be delivered by Gmail. They should also have a look at the message details, which ware available in the web application, by clicking on the “down-arrow” near “to me”. However, a spoofed message is more likely to be noticed if the full header is examined.

The researchers contacted Google Security team to report the findings, but the bug won’t be tracked as a security issue, it seems. “Although it has not been considered a security bug, in our opinion, it would be better if Gmail could at least adopt the same behavior we saw when trying to spoof a non-existing Gmail account,” Marinho says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybercrime

Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

Proofpoint removes a formidable competitor from the crowded email security market and adds technology to address risk from misdirected emails.