Google announced last month that Gmail users would start seeing blue tick marks next to the logos of senders taking part in the Brand Indicators for Message Identification (BIMI) program. BIMI and its blue tick mark were intended to counter email impersonation and phishing by giving recipients further assurance that branded senders are who they say they are.
Less than a month after the launch of BIMI, scammers managed to get beyond its security measures and successfully impersonate companies, sending emails to Google users that claimed to be from the logistics firm UPS.
Now Google says it is tightening its BIMI verification procedure, and is blaming an unnamed "third party" whose services were used in ways that evaded Google's protections and delivered spoofed messages to inboxes. The episode illustrates the intricacy of the contemporary email environment: experts say that email providers, including Microsoft, may still be facilitating this kind of behaviour and are not doing enough to address it.
Security researchers argue that the way BIMI is being used makes it possible for bad actors to use the system to more effectively spoof well-known businesses, increasing the likelihood that end users may click on a malicious link or open a dubious attachment as part of a phishing assault.
According to the 2023 Verizon Data Breach Investigations Report, phishing accounts for about half of all social engineering attacks and causes tens of millions of dollars in losses each year. A number of protocols, including SPF, DKIM, and others, have been introduced over the years to address email sender verification, but each is only a partial answer that deals with one facet of a complicated problem.
BIMI was developed by an industry working group in 2018 and first adopted by Google in July 2021. In its roll-out announcement, the company said the scheme would display the "validated logos" of participating brands in Gmail, "increasing confidence in the source of emails for recipients." The idea was that, by requiring senders to deploy the DMARC, SPF, or DKIM email authentication standards, BIMI would give brand senders an extra layer of recognition and trust.
It's not surprising that scammers are targeting BIMI, according to Alex Liu, a cybersecurity expert and PhD candidate at the University of California, San Diego, who has investigated the flaws in email verification systems. According to Liu, historically, con artists have been the first to adopt new protocols. She added that it is now the responsibility of companies like Microsoft to secure their mail servers and make sure that BIMI isn't misused.
The controversy over how BIMI is being implemented started with a series of tweets from Chris Plummer, a cybersecurity expert from New Hampshire, who called Google's BIMI implementation potentially "catastrophic" and warned that it could increase the likelihood that users will act on the contents of a message that has been incorrectly verified.
“It was clear in the headers of the message I received that there was some obvious subversion, and Google was not looking far enough back in the delivery chain to see that,” Plummer stated.
In a study released earlier this year, Liu and a group of co-authors described how mechanisms designed to stop the spoofing of sender domains struggle when confronted with emails that have been forwarded, a technique frequently used by major organisations that rely on BIMI to send bulk emails.
Plummer discovered the BIMI vulnerability after receiving an email appearing to be from UPS in his Gmail inbox. Something didn't feel right, he told a local news source, and Plummer confirmed that the email was not from UPS. On May 31, he filed a bug complaint with Google, but the firm "lazily" closed it as "won't fix - intended behaviour," Plummer tweeted. "How is a scammer impersonating @UPS in such a convincing way 'intended,'" Plummer wrote in the tweet, which has since been viewed almost 155,000 times.
“The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust,” Plummer explained in a subsequent tweet. “This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit. Google just doesn’t want to deal with this report honestly.”
The next day, after Plummer filed an appeal, Google reversed course and informed him that it was reviewing his report again. "Thank you so much for pressing on for us to take a closer look at this!" the company wrote in a note, designating the bug a "P1" priority.
“This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are,” a Google spokesperson told CyberScoop, a cybersecurity news portal, in an email Monday. “To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status.”
According to a Google representative, the DKIM requirement should be fully in place by the end of the week. This is a change from the previous policy, which accepted either DKIM or a different standard, the Sender Policy Framework (SPF). Email providers use both standards, among other things, to judge whether incoming email is likely to be spam and, in theory, to authenticate that a sender is who they claim to be. Google appreciates Plummer's efforts to bring the issue to its attention, the spokesperson added.
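The two technical points above, that forwarding breaks the sender checks Liu's group studied, and that Google is now requiring an aligned DKIM pass rather than accepting an SPF pass alone, can be made concrete with a small DMARC alignment evaluator. The code below is an added example written for this article; it is not Google's, Microsoft's, or any BIMI implementation's code. It models a receiving mail server's decision in the style of RFC 7489: parse the sending domain's DMARC record, check whether the domain that passed SPF or DKIM aligns with the visible From domain, and then apply two BIMI eligibility rules, the old one (any aligned pass) and the new one described by Google (an aligned DKIM pass). The domain names, authentication results and DMARC records are constructed for the example; the organizational-domain helper is deliberately simplified (real implementations consult the Public Suffix List), and the requirement that BIMI needs an enforcing DMARC policy comes from the BIMI specification, not from this article.

```python
"""Added example: DMARC alignment and BIMI eligibility, modelled on RFC 7489.
Not code from Google, Microsoft or any BIMI vendor; all inputs are constructed."""
from dataclasses import dataclass


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real receivers use the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment. mode 's' = strict (exact match),
    anything else = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


@dataclass
class AuthResults:
    """What the receiving server learned before the DMARC step (constructed)."""
    from_domain: str   # domain in the visible RFC5322.From header
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # MAIL FROM domain that SPF was evaluated against
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the signature that verified (if any)


def evaluate_dmarc(auth: AuthResults, dmarc_record: str) -> dict:
    """Return which authenticated identifiers align with From, the overall
    DMARC verdict, and the published policy."""
    tags = parse_dmarc(dmarc_record)
    spf_aligned = (auth.spf_result == "pass"
                   and aligned(auth.spf_domain, auth.from_domain, tags.get("aspf", "r")))
    dkim_aligned = (auth.dkim_result == "pass"
                    and aligned(auth.dkim_domain, auth.from_domain, tags.get("adkim", "r")))
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,   # RFC 7489: either suffices
        "policy": tags.get("p", "none"),
    }


def bimi_eligible(result: dict, require_dkim: bool) -> bool:
    """BIMI needs an enforcing DMARC policy (quarantine or reject; from the BIMI
    spec). require_dkim=False is the old Gmail rule (any aligned pass);
    require_dkim=True is the tightened rule described in the article."""
    if result["policy"] not in ("quarantine", "reject"):
        return False
    return result["dkim_aligned"] if require_dkim else result["dmarc_pass"]


def run_scenarios() -> dict:
    """Three constructed deliveries of mail whose From is brand.example."""
    record = "v=DMARC1; p=reject"
    # 1. Sent directly by the brand: SPF and DKIM both pass and align.
    direct = AuthResults("brand.example", "pass", "brand.example", "pass", "brand.example")
    # 2. Forwarded by a mailing list / relay that rewrote the envelope sender:
    #    SPF now passes for the forwarder, which does not align, but the brand's
    #    DKIM signature survived the hop and still aligns (the forwarding case
    #    Liu's paper discusses).
    forwarded = AuthResults("brand.example", "pass", "forwarder.example", "pass", "brand.example")
    # 3. Only an aligned SPF pass, no DKIM signature: enough under the old rule,
    #    not under the DKIM-required rule.
    spf_only = AuthResults("brand.example", "pass", "mail.brand.example", "none", "")
    out = {}
    for name, auth in (("direct", direct), ("forwarded", forwarded), ("spf_only", spf_only)):
        verdict = evaluate_dmarc(auth, record)
        out[name] = {
            **verdict,
            "bimi_old_rule": bimi_eligible(verdict, require_dkim=False),
            "bimi_dkim_rule": bimi_eligible(verdict, require_dkim=True),
        }
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(name, verdict)
```

The forwarded scenario shows why SPF alone is a poor basis for a trust badge: the SPF pass is genuine, but it vouches for the forwarder, not for the brand in the From header. DKIM alignment survives forwarding as long as the signed headers and body are untouched, which is why a receiver that wants to key a visible indicator to a specific brand has a stronger basis in an aligned DKIM pass.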
Jonathan Rudenberg, a security researcher, reproduced the BIMI problem using Microsoft 365 after Plummer first raised it on Twitter, sending counterfeit emails from a Microsoft email system to a Gmail account. Rudenberg then filed a bug report with Microsoft.
Microsoft, meanwhile, maintains that it is Google's obligation to resolve the issue, not its own. In response to Rudenberg's bug report, Microsoft's Security Response Centre informed Rudenberg that the problem did not pose an immediate threat that requires urgent attention and that the "burden" of guaranteeing security rests with the end-user's email provider, in this case, Google.