Cybercriminals are abusing a Gmail bug to obtain the blue verification badge and impersonate real companies, deceiving users by exploiting the trust that badge conveys.
Google introduced these blue badges in May to indicate that the brand sending an email in its Gmail service is legitimate and not an impersonation set up to spread spam or defraud users.
To identify which senders are legitimate, Gmail uses Brand Indicators for Message Identification (BIMI). This technology not only verifies an organization's identity but also requires strong authentication before the brand logo is shown as the avatar in the message.
However, some malicious actors are exploiting a flaw in this verification feature and have managed to use the blue badge to impersonate real organizations and deceive users in order to scam them or harvest their personal data.
This was reported by cybersecurity expert Chris Plummer in a post on Twitter, in which he shared a personal encounter with the Gmail bug. As shown, it is a fake email from the package carrier UPS that displays both the blue check icon and the UPS logo avatar.
However, it can be recognized as a fake sender because the email address is suspicious and bears no relation to the shipping company. “The sender found a way to cheat Gmail's authorized stamp of approval,” says the cybersecurity researcher.
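As an added illustration of the BIMI checks described above (example code, not from the article, Google or Chris Plummer), here is a simplified version of the decision a mail client makes before showing a brand logo: the visible From: domain must itself have passed DKIM or SPF, publish an enforcing DMARC policy, and publish a BIMI record. The domain names, DNS records and messages are constructed; real BIMI also allows relaxed (subdomain) alignment, which is omitted here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS TXT records standing in for live lookups (example data only).
DNS_TXT = {
    "_dmarc.example-courier.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-courier.test",
    "default._bimi.example-courier.test": "v=BIMI1; l=https://example-courier.test/logo.svg",
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns the record text or None."""
    return DNS_TXT.get(name.lower())

def dmarc_enforcing(domain):
    """True if the domain publishes DMARC with p=quarantine or p=reject."""
    rec = lookup_txt(f"_dmarc.{domain}")
    m = re.search(r"\bp=(\w+)", rec or "")
    return bool(m) and m.group(1).lower() in ("quarantine", "reject")

def authenticated_domains(msg):
    """Domains that passed DKIM (header.d) or SPF (smtp.mailfrom) per Authentication-Results."""
    passed = set()
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass[^;]*?header\.d=([\w.-]+)", hdr):
            passed.add(m.group(1).lower())
        for m in re.finditer(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@;\s]+@)?([\w.-]+)", hdr):
            passed.add(m.group(1).lower())
    return passed

def bimi_logo_allowed(raw_message):
    """Show the logo only if the visible From: domain passed auth, enforces DMARC and has BIMI."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not from_domain or from_domain not in authenticated_domains(msg):
        return False  # some other domain authenticated, not the one the user sees
    if not dmarc_enforcing(from_domain):
        return False
    return lookup_txt(f"default._bimi.{from_domain}") is not None

# Constructed sample messages: one aligned, one where a third-party domain passed auth.
LEGIT_MAIL = ("From: Courier <noreply@example-courier.test>\n"
              "Authentication-Results: mx.test; dkim=pass header.d=example-courier.test; "
              "spf=pass smtp.mailfrom=bounce@example-courier.test\nSubject: Parcel\n\nHi\n")
SPOOFED_MAIL = ("From: Courier <noreply@example-courier.test>\n"
                "Authentication-Results: mx.test; dkim=pass header.d=random-sender.test; "
                "spf=pass smtp.mailfrom=random-sender.test\nSubject: Parcel\n\nHi\n")

if __name__ == "__main__":
    print("legit:", bimi_logo_allowed(LEGIT_MAIL), "spoofed:", bimi_logo_allowed(SPOOFED_MAIL))
```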
After identifying this bug, Chris Plummer escalated the problem to Google, which at first did not recognize it as a flaw and in fact called it “intended behavior”.
Some time later, however, Google acknowledged the problem, stating that it “does not appear to be a generic SPF vulnerability” and that they would “take a closer look at what is happening”. The tech giant apologized for “the confusion” and thanked him for his effort in identifying the vulnerability.
Until Google finds a fix for this flaw, we recommend checking the sender's address and verifying that it belongs to a legitimate organization.