Security experts are warning Gmail users about a new wave of scam messages that are easy to fall for. The threat was discovered by email security firm Avanan, who spotted almost 30,000 scam messages sent to Gmail accounts in just two weeks during April. However, there’s one especially devious thing about this new con which makes it easier to fall for.
Usually with email scams, there are a number of red flags which should immediately send alarm bells ringing.
One of the most obvious signs that a message you’ve received is not what it seems is that the email address the sender is using is clearly not linked to the organisation you’ve allegedly received an email from.
If you get a message purporting to be from a high-profile organisation but the sender’s address is a Gmail or Hotmail account then this is a clear sign the message is fake.
But, as Avanan has spotted, scammers have discovered a way to trick the system into displaying an email as being sent from a legitimate address.
Bad actors have managed to do this by abusing Google’s SMTP (Simple Mail Transfer Protocol) relay service. This is a service that organisations use for sending out mass emails, for instance marketing messages to a vast database of users.
However, as Avanan noted in their research online, bad actors have found a way to exploit this to send emails out that display an official-looking email address in the ‘from’ section of a message, but are actually being sent from a different email address.
Not only that, but the tricks hackers deploy mean the dangerous emails manage to evade spam detection systems.
Examples of high-profile companies that Avanan spotted being spoofed included Venmo (a US-based cash transfer app) and online workspace solutions provider Trello.
Outlining how the threat works, Avanan said: “An SMTP relay service can be a valuable service for organizations that like to send out mass emails. Many organisations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google.
“However, these relay services have a flaw. Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate.
“Starting in April 2022, Avanan researchers have seen a massive uptick of these SMTP Relay Service Exploit attacks in the wild, as threat actors use this service to spoof any other Gmail tenant and begin sending out phishing emails that look legitimate. Over a span of two weeks, Avanan has seen nearly 30,000 of these emails.”
Avanan explained that this attack can be carried out when the organisation a bad actor is trying to impersonate has set its DMARC policy to ‘none’.
DMARC, which stands for Domain-based Message Authentication, Reporting & Conformance, is an email authentication protocol which lets domain owners tell receiving mail servers what to do with messages that claim to come from their domain but fail authentication checks. Strict DMARC policies are recommended by security experts as they help stop bad actors from imitating domains.
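As an added illustration, not taken from Avanan's research or the article, the following simplified DMARC evaluation shows why a domain with p=none still has relay-sent mail delivered when the envelope sender is unaligned, while p=reject does not. The DMARC records and domains (brand-example.com, sender.example.net) are constructed, and the organizational-domain check is simplified to the last two labels rather than the Public Suffix List.

```python
# Constructed DMARC TXT records (not real domains' records): a weak policy and a strict one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@brand-example.com"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@brand-example.com"


def parse_dmarc(record):
    """Parse a DMARC TXT record ("tag=value;" pairs) into a dict with defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy: none / quarantine / reject
    tags.setdefault("adkim", "r")     # DKIM alignment: r (relaxed) or s (strict)
    tags.setdefault("aspf", "r")      # SPF alignment: r (relaxed) or s (strict)
    return tags


def org_domain(domain):
    # Simplified organizational domain (assumption: last two labels; real receivers use the PSL).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Does the authenticated domain align with the visible From: domain under the given mode?"""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_domain=None, spf_pass=False,
                      dkim_domain=None, dkim_pass=False):
    """Return 'pass' if the message is DMARC-aligned, otherwise the domain's policy action.

    spf_domain is the envelope-from (Return-Path) domain that SPF was checked against;
    dkim_domain is the d= of a verifying DKIM signature. A relay can give the attacker a
    clean SPF pass for *their own* envelope domain, but that never aligns with the brand."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Relay scenario: From: shows brand-example.com, but SPF passed for the attacker's envelope domain.
weak_action = dmarc_disposition(WEAK_RECORD, "brand-example.com",
                                spf_domain="sender.example.net", spf_pass=True)    # 'none'
strict_action = dmarc_disposition(STRICT_RECORD, "brand-example.com",
                                  spf_domain="sender.example.net", spf_pass=True)  # 'reject'
```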
Speaking to Bleeping Computer, a Google spokesperson said: “We have built-in protections to stop this type of attack. This research speaks to why we recommend users across the ecosystem use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. Doing so will defend against this attack method, which is a well-known industry issue.”