‘Priority P1’ alert by Google: Gmail spoofing can be a scam affecting you


Cyber security expert Chris Plummer expressed his concerns on Twitter, stating that he had informed Google about the security flaw using their bug bounty program. Google initially rejected his report, claiming it was an intended feature, not a bug. 

Plummer was disappointed with Google’s response, as he believed that scammers could convincingly impersonate legitimate entities, such as UPS, by exploiting Gmail’s trusted authentication. 

He highlighted that the fraudulent email he received had passed through various platforms, including Facebook, a UK netblock, and O365, making it appear legitimate.

Plummer also shared the email headers, which revealed that the spoofed message had failed the Sender Policy Framework (SPF) authentication process.

After Plummer’s tweet gained significant attention, Google’s security team reached out to him and reversed its position on his bug bounty claim. They acknowledged that, upon further examination, the issue did not appear to be a generic SPF vulnerability. As a result, they reopened the report and assigned a specialized team to investigate more thoroughly.

Google’s response 

“We deeply apologize for any confusion caused, and we understand that our initial response may have been frustrating. We truly appreciate your persistence in urging us to investigate further. Thank you so much for that!”

Plummer shared a screenshot revealing that Google had assigned the investigation a “Priority P1” status.

Source: Google

In response to Plummer’s posts, a Twitter user pointed out that although the primary domain of UPS had an SPF record, the scammer bypassed that protection by using a related subdomain.

“The subdomain doesn’t have an SPF record, and SPF is not designed to be inherited by subdomains. Perhaps this loophole exists because they’re using a subdomain.”

Source: 4sysops

Another Twitter user commented that the email complied with BIMI because it met the requirements of the Domain-based Message Authentication, Reporting and Conformance (DMARC) authentication method.

Source: Gov.UK

“It passed DMARC because UPS uses Microsoft for email (and it’s included in their SPF record), so you just need to send it from any Microsoft account.”

A different commenter mentioned, “Gmail can’t fix the fact that [Microsoft] knowingly delivered an email that it KNEW failed SPF and DMARC.”

Is Google acting responsibly?

Google also provided a link for people wanting more information on DKIM. In addition, the spokesperson confirmed that a fix “will be fully rolled out by the end of the week.”

“This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are. To keep users safe, senders must use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status.”
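The difference between the rule the commenters describe (any DMARC pass qualifies) and the rule in Google's statement (DKIM is required) can be modelled over `Authentication-Results` headers. This is an added example, not code from Google or from the original article; the sample headers, the domains, the `bimi_eligible` helper and the use of strict alignment are assumptions made for illustration.

```python
import re

# Constructed samples, not Plummer's headers. First: DMARC passes on SPF alone.
SPF_ONLY = ("mx.example.net; spf=pass smtp.mailfrom=brand.example; "
            "dkim=none; dmarc=pass header.from=brand.example")
# Second: the brand's own DKIM signature verifies and matches the From domain.
DKIM_SIGNED = ("mx.example.net; spf=pass smtp.mailfrom=brand.example; "
               "dkim=pass header.d=brand.example; "
               "dmarc=pass header.from=brand.example")

def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv_id, [(method, result, props)])."""
    value = re.sub(r"\([^)]*\)", " ", value)          # drop parenthesised comments
    fields = value.split(";")
    authserv_id = fields[0].strip().lower()
    results = []
    for clause in fields[1:]:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results

def bimi_eligible(value, require_dkim, trusted_authserv="mx.example.net"):
    """Decide whether to show the brand indicator (simplified model)."""
    authserv_id, results = parse_auth_results(value)
    if authserv_id != trusted_authserv:
        return False          # only trust results stamped by our own receiver
    from_domains = {p.get("header.from", "").lower()
                    for m, r, p in results if m == "dmarc" and r == "pass"}
    from_domains.discard("")
    if not from_domains:
        return False          # no DMARC pass: never eligible
    if not require_dkim:
        return True           # rule as described before the fix: any DMARC pass
    # Rule after the fix: a passing DKIM signature whose d= matches the From
    # domain exactly (strict alignment, chosen here for simplicity).
    return any(m == "dkim" and r == "pass"
               and p.get("header.d", "").lower() in from_domains
               for m, r, p in results)

if __name__ == "__main__":
    for name, hdr in (("SPF-only", SPF_ONLY), ("DKIM-signed", DKIM_SIGNED)):
        print(name, bimi_eligible(hdr, False), bimi_eligible(hdr, True))
```

The SPF-only sample qualifies under the older rule and is rejected once DKIM is required, which is the case the commenters describe: SPF authorises a shared sending service, not the individual sender behind it.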

Ending thought

Google is under pressure to get it right now. The flaw gave scammers a way to look more trustworthy than they are and to act on their malicious motives. Trusting a message on sight is a danger, and anyone on a digital platform needs to examine what they receive carefully.

Author: PureVPN

Date: June 6, 2023
