Security researchers warn that Gmail can deliver spoofed emails straight to the inbox without warning users that anything is suspicious.
Unlike ordinary spam, which usually carries malicious documents or links to unsuspecting users, spoofed emails have a better chance of luring potential victims: recipients are far more likely to click a link or open a document that appears to come from a sender they trust.
Because the sender address of a spoofed email has been replaced with someone else’s, the message looks like a legitimate one.
Although users expect Gmail to warn them of such activity, experts from Morphus Segurança da Informação have found that this does not always happen. Users are therefore advised not to assume that Gmail blocks messages with spoofed senders, even when no alert about the legitimacy of a particular message is shown.
“We realized that a message that appears in your Gmail inbox folder even with an important sign, coming from one of your Gmail contacts with no spoof or security alert, may have been forged and impersonated by a fraudster or cybercriminal,” Renato Marinho, the Director at Morphus Segurança da Informação states.
Marinho also explains that the Simple Mail Transfer Protocol (SMTP) defines the “mail envelope and its parameters, such as the message sender and recipient,” not the message content and headers. An SMTP transaction therefore consists of MAIL FROM (which sets the return address used if delivery fails), RCPT TO (the recipient address), and DATA (the command after which the SMTP server receives the content of the message).
Usually the “From” value displayed by the mail client matches the address given in the SMTP MAIL FROM command, but because the From header is part of the message content, it “can be freely specified by the system or person issuing commands to the SMTP server.”
In other words, an attacker need only set the “From” header to the desired value to spoof the displayed sender, though doing that alone is almost certain to trigger anti-spam or anti-phishing mechanisms, Marinho adds.
An attacker can also try to send spoofed messages on behalf of a domain by changing the envelope sender in the MAIL FROM command as well, a practice that spoofing-protection mechanisms are designed to combat. One of these, SPF (Sender Policy Framework), lets domain administrators publish in DNS the IP addresses of the mail servers allowed to send e-mail on behalf of their domain.
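The envelope/header split described above, as an added example (not code from Morphus or from the article): a message whose header From claims a gmail.com address is handed to SMTP with an envelope sender on a different, hypothetical domain whose SPF record allows the sending IP. The SPF evaluator below is a minimal subset (ip4, ip6 and all mechanisms only; the domains, addresses and SPF record are constructed), and SPF_RECORDS stands in for DNS TXT lookups.

```python
import ipaddress
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed SPF records standing in for DNS TXT lookups; the domains and
# addresses are hypothetical (203.0.113.0/24 is a documentation range).
SPF_RECORDS = {
    "sender-domain.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(envelope_domain, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record (RFC 7208 subset).

    Only the envelope-sender domain (MAIL FROM) is consulted; the header From
    plays no part in SPF.
    """
    record = SPF_RECORDS.get(envelope_domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip in network:
                return RESULTS[qualifier]
            continue
        # include:, a, mx, exists and redirect= need DNS; not modelled here
        return "temperror"
    return "neutral"


def domain_of(address):
    return parseaddr(address)[1].rpartition("@")[2].lower()


def build_message(header_from, to, subject, body):
    """The From header lives inside the DATA payload and is set by the client."""
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def smtp_transaction(envelope_from, rcpt, msg):
    """Commands the client issues; only MAIL FROM carries the envelope sender."""
    return [
        f"MAIL FROM:<{envelope_from}>",
        f"RCPT TO:<{rcpt}>",
        "DATA",
        msg.as_string(),
        ".",
    ]


def evaluate(envelope_from, msg, client_ip):
    """What a receiver learns from SPF alone versus from identifier alignment."""
    envelope_domain = domain_of(envelope_from)
    from_domain = domain_of(str(msg["From"]))
    return {
        "envelope_domain": envelope_domain,
        "from_domain": from_domain,
        "spf": spf_check(envelope_domain, client_ip),
        # DMARC-style strict alignment: the displayed From domain must equal
        # the domain SPF actually authenticated. An SPF pass does not imply it.
        "aligned": envelope_domain == from_domain,
    }


if __name__ == "__main__":
    spoofed = build_message("contact@gmail.com", "victim@example.com",
                            "Invoice", "Please open the attachment.")
    for line in smtp_transaction("bounce@sender-domain.example",
                                 "victim@example.com", spoofed):
        print(line)
    print(evaluate("bounce@sender-domain.example", spoofed, "203.0.113.5"))
```

Run stand-alone, the script prints the SMTP commands and a result where SPF is "pass" for sender-domain.example while "aligned" is False: SPF has authenticated the envelope domain, not the gmail.com address the recipient sees. That alignment check (the one DMARC adds on top of SPF and DKIM) is what the article’s experiments show Gmail not enforcing visibly at the time.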
To check whether these protections work, the researchers tried spoofing Gmail and Yahoo addresses. They found that when the sending SMTP server’s IP address was not allowed by the SPF policy of their own generic (envelope) domain, the message was not delivered. When a matching SPF policy was in place, however, the message was delivered in Gmail, while Yahoo continued to block it.
Even more surprising, according to the researchers, was that the email landed in the Inbox rather than in the Spam folder. There was almost no indication that the message was not legitimate, apart from a “via [the generic domain]” note next to the sender’s address. That note appears only in the web interface and is not displayed in the Android or iOS applications.
After successfully spoofing messages between @gmail.com accounts, the researchers applied the same approach to corporate domains hosted by Google. Not only were the messages delivered without a warning, but the spoofed account’s profile picture was also displayed, which could easily add a sense of legitimacy to the message.
“During our experiments, we found a curious scenario in which Gmail detects the spoofed message. It happened when we tried to spoof an address that apparently does not exist in the Gmail user base. In this situation, unlike the successful scenarios, Gmail forwarded the message to the Spam folder and added a special security alert informing that they could not verify if the message was really sent by gmail.com,” Marinho writes.
To stay protected, users are advised to be wary of inbox messages from “@gmail.com” addresses that arrive via another server, since genuine ones should normally be delivered by Gmail itself.
Users should also look at the message details, which are available in the web application by clicking the “down-arrow” next to “to me”. A spoofed message is more likely to be noticed, however, if the full header is examined.
The researchers reported the findings to the Google Security team, but it is not certain that the issue will be tracked as a security bug.
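Examining the full header, as recommended above, can be automated. The script below is an added example, not the researchers’ code or a Gmail feature; the raw message is constructed with hypothetical hosts and domains (203.0.113.5 is a documentation address) and only mimics the general shape of Return-Path, Received and Authentication-Results headers. It extracts the displayed From domain, the envelope (Return-Path) domain, the SPF verdict and any DKIM signer, and flags the mismatch that the web interface surfaces only as a small “via” note.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers for illustration; hosts, domains and IDs are hypothetical.
RAW_MESSAGE = """\
Delivered-To: recipient@example.com
Return-Path: <bounce@sender-domain.example>
Received: from mail.sender-domain.example (mail.sender-domain.example. [203.0.113.5])
        by mx.example.com with ESMTPS id abc123
Authentication-Results: mx.example.com;
       spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=bounce@sender-domain.example
From: Trusted Contact <contact@gmail.com>
To: recipient@example.com
Subject: Please review the attached invoice

Hi, see the attached document.
"""


def domain_of(address):
    return parseaddr(address)[1].rpartition("@")[2].lower()


def parse_auth_results(value):
    """Turn 'authserv; spf=pass (...) smtp.mailfrom=x; dkim=pass header.d=y'
    into {method: {"result": ..., property: value, ...}}."""
    value = " ".join(value.split())            # unfold the header
    results = {}
    for clause in value.split(";")[1:]:        # [0] is the authserv-id
        clause = re.sub(r"\([^)]*\)", "", clause).strip()  # drop comments
        m = re.match(r"(\w+)=(\w+)", clause)
        if not m:
            continue
        method, verdict = m.group(1).lower(), m.group(2).lower()
        props = dict(re.findall(r"([\w.]+)=(\S+)", clause)[1:])
        results[method] = {"result": verdict, **props}
    return results


def analyze(raw):
    """Compare the displayed sender with what the receiving server authenticated."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf = auth.get("spf", {})
    spf_domain = domain_of(spf.get("smtp.mailfrom", ""))
    dkim_domain = auth.get("dkim", {}).get("header.d", "").lower()
    # The first (topmost) Received header names the host that handed the
    # message to our server; its bracketed IP is what SPF was checked against.
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))

    flags = []
    if envelope_domain and envelope_domain != from_domain:
        flags.append(f"From shows {from_domain} but the envelope sender is "
                     f"{envelope_domain} (shown as 'via {envelope_domain}')")
    if spf.get("result") == "pass" and spf_domain != from_domain:
        flags.append("SPF pass covers the envelope domain only, not the "
                     "displayed From domain")
    if dkim_domain != from_domain:
        flags.append(f"no DKIM signature by {from_domain}")

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "spf_result": spf.get("result"),
        "spf_domain": spf_domain,
        "dkim_domain": dkim_domain,
        "client_ip": ip.group(1) if ip else None,
        "flags": flags,
    }


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The three flags together are the signature of the case the article describes: the envelope domain passed SPF, the header From names a different domain, and nothing authenticates that displayed domain. A message that genuinely originated at Gmail would normally carry a gmail.com DKIM signature and an envelope sender on a Google domain.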
“Although it has not been considered a security bug, in our opinion, it would be better if Gmail could at least adopt the same behavior we saw when trying to spoof a non-existing Gmail account,” Renato Marinho states.