BIMI, Gmail's email verification program, has a flaw.
Cybercriminals are abusing a bug in Gmail that lets them display the blue verification badge while impersonating real companies, exploiting the trust that badge provides to scam users.
Google introduced these blue badges in May to indicate that the brand sending an email in its Gmail service is legitimate and not an impersonation used to spread spam or defraud users.
To identify which senders are legitimate, Gmail uses Brand Indicators for Message Identification (BIMI). This technology both verifies an organization's identity and requires strong email authentication before the brand logo is displayed as the sender's avatar in the mailbox.
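As an added illustration of the "strong authentication" requirement described above (example code, not from the original article or from Google): the two DNS TXT records a domain owner publishes for BIMI, parsed and checked against the BIMI Group's published preconditions. The sample records are constructed and use example.com; the check covers only the sending domain's configuration, not the per-message authentication a receiver performs.

```python
from urllib.parse import urlparse

# Constructed sample DNS TXT records (not taken from any real domain).
SAMPLE_DMARC_ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=quarantine; pct=10; sp=none"
SAMPLE_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
SAMPLE_BIMI_BAD = "v=BIMI1; l=http://example.com/logo.svg"


def parse_tag_value(record):
    """Split a 'tag=value; tag=value' TXT record (DMARC and BIMI share this syntax)
    into a dict. Tag names are case-insensitive; values keep their original case."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_at_enforcement(record):
    """BIMI only applies to domains whose DMARC policy is at enforcement:
    p=quarantine or p=reject, applied to 100% of mail, with a subdomain policy (sp)
    that is not 'none'. This follows the BIMI Group requirements; pct=100 is demanded
    for both policies here, a conservative reading."""
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return policy in ("quarantine", "reject") and pct == 100 and subdomain_policy != "none"


def bimi_logo_url(record):
    """Return the logo URL from a BIMI assertion record, or None if the record is
    invalid or declines to participate. The record must carry v=BIMI1 and an 'l' tag;
    an empty 'l' means 'no logo', and a non-empty one must be an https URL."""
    tags = parse_tag_value(record)
    if tags.get("v") != "BIMI1" or not tags.get("l"):
        return None
    parsed = urlparse(tags["l"])
    return tags["l"] if parsed.scheme == "https" and parsed.netloc else None


def logo_eligible(dmarc_record, bimi_record):
    """Domain-side preconditions a receiver checks before it will consider showing a logo."""
    return dmarc_at_enforcement(dmarc_record) and bimi_logo_url(bimi_record) is not None
```

A domain that passes these checks still only gets its logo shown on messages that actually pass DMARC with alignment at the receiver; a weak DMARC record such as SAMPLE_DMARC_WEAK disqualifies the domain outright.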
Bug in Gmail
However, some malicious actors are taking advantage of a bug in this Gmail verification feature and have managed to use the blue badge to impersonate real organizations, tricking users into being scammed or handing over their personal details.
There is most certainly a bug in Gmail being exploited by scammers to pull this off, so I submitted a bug which @google lazily closed as “won’t fix – intended behavior”. How is a scammer impersonating @UPS in such a convincing way “intended”. pic.twitter.com/soMq7KraHm
— plum (@chrisplummer) June 1, 2023
This was pointed out by the cybersecurity expert Chris Plummer in a post on Twitter, in which he shares a personal case of this Gmail failure. As he shows, it is a fake email from the package carrier UPS in which both the blue verification icon and the UPS logo avatar appear.
However, the sender can be recognized as fake because the email address is suspicious and has no connection to the shipping company. "The sender found a way to trick Gmail's authorized seal of approval," says the cybersecurity researcher.
After identifying this bug, Chris Plummer escalated the issue to Google, which at first did not treat it as a bug and labeled it "intended behavior".
Some time later, however, Google acknowledged the problem, stating that "it does not appear to be a generic SPF vulnerability" and that it would "take a closer look at what is happening". The company apologized for "the confusion" and thanked the researcher for his effort in identifying the vulnerability.
Until Google ships a fix for this bug, it is a good idea to check the sender's address to see whether it actually belongs to the organization it claims to represent.