Scammers duping Gmail’s verification checkmark system
Cybersecurity researcher Chris Plummer has discovered a Gmail bug that lets malicious actors masquerade as verified companies to scam users, according to his post on Twitter.
In a post on Twitter, Plummer berated Google for seemingly showing no interest in addressing the issue.
“Nothing about this is legit,” he said. “Google just doesn’t want to deal with this report honestly.”
Plummer said he received an email from a supposedly verified United Parcel Service (UPS) address that, in his words, “went from a Facebook account to a UK netblock, to O365” before landing in his inbox.
The email was a scam attempt, yet the sender, using an address on the kelerymjrlnra.ups.com subdomain, was displayed with the blue verification checkmark and the UPS logo. Gmail is only supposed to show that checkmark for senders whose domain passes its BIMI (Brand Indicators for Message Identification) checks, which in turn require the message to authenticate under the domain’s DMARC policy.
“The sender of this email has verified that they own kelerymjrlnra.ups.com and the logo in the profile picture,” the verification message reads.
He expressed frustration at Google’s security team, which initially denied there was any problem and closed his bug report with the response “won’t fix — intended behaviour”.
However, Google appears to have changed its tune. Plummer shared a more recent response he received from the Alphabet-owned company.
“After taking a closer look we realised that this indeed doesn’t seem like a generic SPF [Sender Policy Framework] vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on,” it said.
“We apologise again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this!”