Gmail has a flaw in the email account verification system


Recently, Google started testing a new Gmail feature that lets certain companies display a check mark next to their name, indicating that a message was genuinely sent by that entity.

However, it appears that there is a flaw in the system that some spam sources are now exploiting. According to security researcher Chris Plummer, some spam senders are able to send forged messages appearing to come from certain entities, and those messages receive the verified check mark in Gmail inboxes.


In the researcher's example, the spam impersonated the delivery company UPS, and the message appeared in users' inboxes with a check mark next to the sender name, indicating that it had been sent from the entity's legitimate domain and server, when in fact it had not.

Plummer says he contacted Google about the problem but was ignored, which led him to make the case public.

It is worth recalling that this verification system validates sender addresses through BIMI (Brand Indicators for Message Identification), VMC (Verified Mark Certificate) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), which together should normally be enough to ensure that an email really comes from the claimed domain.
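As an added example (not from the article), the following Python checker evaluates whether a domain's DMARC and BIMI records satisfy the policy prerequisites that brand-mark display relies on; the DNS records and domain names are constructed for this illustration, and the code makes no real lookups. It also makes the caveat explicit: a published record only establishes eligibility, while the check mark on any given message depends on the receiver's per-message DMARC evaluation.

```python
# Constructed sample TXT records (hypothetical domains, not real DNS data).
SAMPLE_DNS = {
    "_dmarc.brand.example": "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example",
    "default._bimi.brand.example": "v=BIMI1; l=https://brand.example/logo.svg; "
                                   "a=https://brand.example/vmc.pem",
    "_dmarc.weak.example": "v=DMARC1; p=none",
    "default._bimi.weak.example": "v=BIMI1; l=https://weak.example/logo.svg;",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=50",
}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(tags: dict) -> bool:
    """BIMI requires an enforcing DMARC policy: p=reject, or p=quarantine with
    pct=100 (the default); an explicit sp= tag must not be 'none' either."""
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return (policy in ("quarantine", "reject") and pct == 100
            and sub_policy in ("quarantine", "reject"))


def bimi_assessment(domain: str, dns: dict = SAMPLE_DNS) -> dict:
    """Report which brand-mark prerequisites a domain publishes.
    This inspects published policy only: whether a specific message passed
    aligned SPF/DKIM under that policy is decided per message by the receiver,
    and that per-message result is what a check mark ultimately rests on."""
    dmarc = parse_tags(dns.get(f"_dmarc.{domain}", ""))
    bimi = parse_tags(dns.get(f"default._bimi.{domain}", ""))
    result = {
        "dmarc_enforcing": dmarc.get("v") == "DMARC1" and dmarc_enforcing(dmarc),
        "bimi_published": bimi.get("v") == "BIMI1" and bool(bimi.get("l")),
        "vmc_referenced": bool(bimi.get("a")),  # a= points at the VMC
    }
    # A logo alone is not enough: the check mark additionally needs the VMC.
    result["eligible"] = all(result.values())
    return result
```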

In response, Google has confirmed that the flaw is real and is now being investigated, after initially dismissing the researcher's report. Only after the case gained attention on social media did the company decide to act.
