Google changes email authentication after spoof shows a bad delivery for UPS
2023-06-09 01:02

Google says it has fixed a flaw that allowed a scammer to impersonate delivery service UPS on Gmail, after the data-hoarding web behemoth labeled the phony email as authentic.

The problem stemmed from an issue in an email authentication program called Brand Indicators for Message Identification (BIMI), which aims to protect email users from brand spoofing and phishing attacks claiming to be from a trusted org.

BIMI, and the email providers that support it - including Google - do this via existing email authentication standards: Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), and DomainKeys Identified Mail (DKIM).

BIMI requires participating brands to adopt DMARC along with either SPF or DKIM. Google started supporting BIMI in July 2021, and it implemented the blue checks for verified senders last month.

Up until this week, Google also used BIMI's requirements for senders: DMARC alignment with either SPF or DKIM. It has since switched to requiring DKIM after security architect Chris Plummer found a bug in SPF in late May. He spotted that an email purporting to be from a verified UPS sender - complete with the logistics giant's logo and the Google-verified blue check - was a scam.

The spoof email, which managed to trick Google into thinking it originated from UPS, did not include a malicious payload, Plummer told The Register.
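To make the policy change concrete, here is an added example (not from The Register or Google) of the receiver-side decision BIMI display hinges on: DMARC alignment of SPF and DKIM results against the visible From domain, with the old "SPF or DKIM" gate beside the new "DKIM required" gate. Domain names and authentication results are constructed, and the organizational-domain helper is a simplified stand-in for a Public Suffix List lookup.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Simplified organizational domain for relaxed alignment: keep the last
    # two labels. Assumption for this example; real receivers consult the
    # Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    # DMARC alignment: strict ("s") needs an exact match, relaxed ("r") only
    # needs the same organizational domain.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322 From header the user sees
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # domain SPF was evaluated on (MAIL FROM or HELO)
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= of the verified DKIM signature, if any

def dmarc_alignment(r: AuthResults, aspf: str = "r", adkim: str = "r"):
    # Returns (spf_aligned, dkim_aligned) as DMARC would compute them.
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    return spf_ok, dkim_ok

def bimi_eligible(r: AuthResults, require_dkim: bool) -> bool:
    # Old gate: DMARC pass via either aligned SPF or aligned DKIM.
    # New gate (as described in the article): aligned DKIM is mandatory.
    spf_ok, dkim_ok = dmarc_alignment(r)
    return dkim_ok if require_dkim else (spf_ok or dkim_ok)

# Constructed sample results for two messages claiming the same From domain.
DKIM_SIGNED = AuthResults("brand.example", "pass", "mail.brand.example",
                          "pass", "brand.example")
SPF_ONLY = AuthResults("brand.example", "pass", "mail.brand.example",
                       "none", "")

if __name__ == "__main__":
    for name, msg in (("dkim-signed", DKIM_SIGNED), ("spf-only", SPF_ONLY)):
        print(name, "old gate:", bimi_eligible(msg, False),
              "new gate:", bimi_eligible(msg, True))
```

A message that reaches DMARC pass through SPF alignment alone keeps its logo under the old gate but loses it under the new one; a DKIM-signed message from the brand's own domain is unaffected.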


News URL

https://go.theregister.com/feed/www.theregister.com/2023/06/09/google_bimi_email_authentication/
