{"id":55149,"date":"2025-04-27T16:09:08","date_gmt":"2025-04-27T16:09:08","guid":{"rendered":"https:\/\/www.europesays.com\/uk\/55149\/"},"modified":"2025-04-27T16:09:08","modified_gmt":"2025-04-27T16:09:08","slug":"new-gmail-feature-leaves-millions-of-email-users-open-to-attack","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/uk\/55149\/","title":{"rendered":"New Gmail Feature Leaves Millions Of Email Users Open To Attack"},"content":{"rendered":"<p class=\"color-body light-text\" role=\"button\">Gmail users warned as new feature brings risk of attack.<\/p>\n<p>NurPhoto via Getty Images <\/p>\n<p>Update, April 27, 2025: This story, originally published April 25, has been updated with new information from security experts concerning Google alert impersonation attacks that target Gmail users and further advice to mitigate the Gmail encryption message threat to users of other email platforms. <\/p>\n<p>Love it or loathe it, with nearly 2 billion users, Google\u2019s Gmail platform cannot be ignored. That\u2019s certainly the case when it comes to hackers, scammers and cybercriminals of all types. They are drawn to the web-based email service like no other. All email platforms are <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/04\/14\/windows-users-given-24-hour-warning-as-attackers-strike\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/04\/14\/windows-users-given-24-hour-warning-as-attackers-strike\/\" target=\"_self\" aria-label=\"targeted by criminals\" rel=\"noopener\">targeted by criminals<\/a>, that\u2019s for sure, but Gmail has the biggest bullseye on its back courtesy of that user base. 
Sophisticated new Gmail threats are constantly being reported, while Google <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/04\/22\/gmail-attack-update---google-tells-3-billion-users-do-this-next\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/04\/22\/gmail-attack-update---google-tells-3-billion-users-do-this-next\/\" target=\"_self\" aria-label=\"responds with security updates\" rel=\"noopener\">responds with security updates<\/a> to counter them. Some updates that have long been anticipated by eager users could, however, spread the risk of attack beyond just those folks using Gmail. That\u2019s the warning from one leading cybersecurity expert as Google introduces <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/04\/01\/gmail-gets-end-to-end-encryption-from-google-as-21st-birthday-present\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/04\/01\/gmail-gets-end-to-end-encryption-from-google-as-21st-birthday-present\/\" target=\"_self\" aria-label=\"end-to-end encryption for Gmail\" rel=\"noopener\">end-to-end encryption for Gmail<\/a>. 
Here\u2019s what you need to know.<\/p>\n<p>The Gmail Encryption Attack Threat Explained<\/p>\n<p>Generally speaking, you would not talk about the addition of encryption to a platform as anything other than a blessing for those who value security and privacy. When Google <a class=\"color-link\" href=\"https:\/\/workspace.google.com\/blog\/identity-and-security\/gmail-easy-end-to-end-encryption-all-businesses\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/workspace.google.com\/blog\/identity-and-security\/gmail-easy-end-to-end-encryption-all-businesses\" aria-label=\"announced\">announced<\/a> that it was bringing end-to-end encryption to all businesses, I was certainly excited, not least because it has been a long time coming. To coincide with the 21st birthday of Gmail, Google said it would be rolling out the ability for enterprise users \u201cto send E2EE messages to any user on any email inbox with just a few clicks.\u201d The process by which this encryption service works involves a kind of protective bubble that surrounds the email in question. So, what\u2019s the issue? Well, if you send such an encrypted email bubble to a Gmail user, then it gets automatically decrypted in their inbox, no problem there. 
If the recipient isn\u2019t a Gmail user, however, they are presented with an invite to view the email within a restricted version of Gmail, using a Google Workspace guest account.<\/p>\n<p>As J\u00e9r\u00f4me Segura, the senior director of threat intelligence at Malwarebytes, told <a class=\"color-link\" href=\"https:\/\/www.wired.com\/story\/gmail-end-to-end-encryption-scams\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/www.wired.com\/story\/gmail-end-to-end-encryption-scams\/\" aria-label=\"Wired\">Wired<\/a>, \u201cusers might not yet be familiar with exactly what a legitimate invitation looks like, making them more susceptible to clicking on a fake one.\u201d<\/p>\n<p>We already know how AI-powered phishing attacks are blurring the lines between reality and risk, and you can be sure that scammers will be looking for the best way to create fake invitations within a convincing threat campaign to gain access to the potential victim\u2019s email account credentials.<\/p>\n<p>Google Impersonation Attacks Haunt Gmail Users<\/p>\n<p>It\u2019s not just the addition of the end-to-end encryption feature that could enable malicious actors to attack email users while disguised as genuine Gmail communications. 
As I recently reported, Google impersonation is rife among those who would use trickery and guile to relieve you of your Gmail account credentials. What has become known as the <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/04\/21\/new-gmail-warning---do-not-open-this-email-from-google\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/04\/21\/new-gmail-warning---do-not-open-this-email-from-google\/\" target=\"_self\" aria-label=\"Gmail Subpoena attack\" rel=\"noopener\">Gmail Subpoena attack<\/a> employed trust in Google\u2019s own protections and platforms, sending a fake security alert from a genuine Google domain to bypass the strict DomainKeys Identified Mail authentication checks employed by Gmail. The email alert was sent from an absolutely legitimate \u201cno-reply@google.com\u201d address. What\u2019s more, Gmail even \u201chelpfully\u201d sorted it into the same conversation that contained other Google security alerts. The scam relied upon the apparent legitimacy of the email along with the sense of urgency and fear created by receiving notification that a supposed subpoena requiring Google to produce a copy of the Gmail account content had been served. The victim was advised that they could examine the subpoena itself or lodge a formal protest. The stinger being, of course, that doing either required them to follow the instructions given and that would lead them to fake Google support pages that, inevitably, would require an account security confirmation and ultimately, dear reader, account compromise.<\/p>\n<p>James Shank, director of threat operations at Expel, warned at the time that there are scaling, performance, and legacy support issues to be taken into account whenever developers design security controls, and that includes the likes of DomainKeys Identified Mail authentication controls. 
You have to remember that these controls are \u201coptimized for a specific, intended task and should be implemented with the understanding of these constraints,\u201d Shank said. That means that just because an email message passes DKIM authentication, there is no ironclad guarantee that it is safe. \u201cDKIM validation failure does indicate a problem,\u201d Shank conceded, \u201cbut the inverse, successful DKIM validation, doesn\u2019t necessarily mean the message is benign.\u201d<\/p>\n<p>Whereas the security industry is, it seems, always looking for definite signals to determine whether something is either good or bad, safe or dangerous, secure or insecure, there is a third state, as seen with the whole DKIM authentication process. That state, Shank said, is \u201cit\u2019s valid in this very specific way.\u201d It\u2019s critical, therefore, Shank continued, that when determining any action you make sure protection actions are driven with the full context of what the security control states. 
\u201cIn this case, DKIM won\u2019t flag the message,\u201d Shank said, \u201cbut other controls responsible for content detection and filtration should still assess the message content.\u201d<\/p>\n<p>Gmail spokesperson Ross Richendrfer told me that Google has now rolled out updated security measures to counter the techniques used by the Gmail Subpoena threat actor in these highly targeted attacks.<\/p>\n<p>Gmail Not Alone In The Genuine Email Domain Attacks<\/p>\n<p>Don\u2019t be fooled into thinking that it\u2019s just Gmail users who are subject to genuine domains being used in email-based attacks. As I <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/02\/23\/new-paypal-warning-hackers-use-genuine-paypal-email-in-ongoing-attack\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/02\/23\/new-paypal-warning-hackers-use-genuine-paypal-email-in-ongoing-attack\/\" target=\"_self\" aria-label=\"reported\" rel=\"noopener\">reported<\/a> on February 24, PayPal users have been caught out in a very similar way. 
As I said in the original article, getting an email from someone claiming to be PayPal and suggesting you\u2019ve added a new address to your account and purchased a MacBook M4 might appear to have all the hallmarks of a scam, but when that email originates from a genuine PayPal email domain things are not that clear cut. The phishing emails in question were, you see, sent from a quite genuine and authenticated PayPal email address of service@paypal.com.<\/p>\n<p>In the case of the PayPal attacks, the trick was to use a gift address that had been added to a genuine account in order to generate the email text, to be edited by the attacker at a later date. The email headers in question showed that the emails were sent to a no-reply address and were then being forwarded to a mailing list that contained the addresses of the victims in the sting. Adding a scam address to PayPal generated a confirmation email sent to the address of the threat actor, which was then forwarded to the mailing list.<\/p>\n<p>\u201cPayPal takes seriously our efforts to protect customers from evolving scams and fraud activity, including this common phishing scam,\u201d a PayPal spokesperson said. 
\u201cWe encourage customers to always remain mindful online and to visit PayPal.com for additional tips on how to protect themselves.\u201d<\/p>\n<p>Google Responds To Gmail Encryption Update Attack Risk Warning<\/p>\n<p>Such phishing attack risks are not, by any means, restricted to Gmail alone. Any email platform is exposed to this kind of attack, with scammers using fraudulent alerts and malicious links to entrap victims. As part of the process to alert users to the potential risk of such threats, Google has even added this warning to the encrypted email invitations that will be sent to non-Gmail users: \u201cBe careful when signing in to view this encrypted message. This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password.\u201d<\/p>\n<p>Richendrfer said that the new Gmail end-to-end encryption update has been built from the ground up with this kind of risk firmly in mind. \u201cThe notifications users will receive in this case are very similar to Drive file sharing notifications that go out whenever someone shares a doc or file,\u201d Richendrfer confirmed. 
\u201cAll the protections we employ to keep scammers from capitalizing on these messages will help us protect this new class of notifications as well,\u201d Richendrfer advised.<\/p>\n<p>Google will never ask for any of your account credentials, Richendrfer concluded, including Gmail account passwords, one-time 2FA passwords or to confirm push notifications.<\/p>\n","protected":false},"excerpt":{"rendered":"Gmail users warned as new feature brings risk of attack. 
NurPhoto via Getty Images Update, April 27, 2025:&hellip;\n","protected":false},"author":2,"featured_media":51819,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[13509,27811,27812,24779,27809,5592,27810,24780,632,53,16,15],"class_list":{"0":"post-55149","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-cybercrime","9":"tag-email-scam","10":"tag-email-security","11":"tag-gmail-attack","12":"tag-gmail-e2e","13":"tag-gmail-encryption","14":"tag-gmail-scam","15":"tag-gmail-update","16":"tag-gmail-warning","17":"tag-technology","18":"tag-uk","19":"tag-united-kingdom"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@uk\/114410800361400996","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/55149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/comments?post=55149"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/55149\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media\/51819"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media?parent=55149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/categories?post=55149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/tags?post=55149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}