{"id":13892,"date":"2018-11-21T11:10:03","date_gmt":"2018-11-21T19:10:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/11\/21\/news-7659\/"},"modified":"2018-11-21T11:10:03","modified_gmt":"2018-11-21T19:10:03","slug":"news-7659","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/11\/21\/news-7659\/","title":{"rendered":"Spoofed addresses and anonymous sending: new Gmail bugs make for easy pickings"},"content":{"rendered":"

Credit to Author: Jovi Umawing| Date: Wed, 21 Nov 2018 17:53:50 +0000<\/strong><\/p>\n

Tim Cotten<\/a>, a software developer from Washington, DC, was responding to a request for help from a female colleague last week, who believed that her Gmail account has been hacked, when he discovered something phishy<\/a>. The evidence presented was several emails in her\u00a0Sent<\/em> folder, purportedly sent by her to herself.<\/p>\n

Cotten was stunned when, upon initial diagnosis, he found that those sent emails didn\u2019t come from her account but from another, which Gmail\u2014being the organized email service that it is\u2014only filed away in her Sent<\/em> folder. Why would it do that if the email wasn’t from her? It seems that while Google’s filtering and organizing technology worked perfectly, something went wrong when Gmail tried to process the emails’\u00a0From<\/em> fields.<\/p>\n

This trick is a treat for phishers<\/h3>\n

Cotten noted in a blog post<\/a> that the From<\/em> header of the emails in his coworker’s\u00a0Sent<\/em> folder contained (1) the recipient\u2019s email address and (2) another text\u2014usually a name, possibly for increased believability. The presence of the recipient\u2019s address caused Gmail to move the email to the Sent<\/em> folder while also disregarding the email address of the actual sender.<\/p>\n

\"\"<\/p>\n

Weird “From” header. Screenshot by Tim Cotten, emphasis (in purple) ours.<\/em><\/p>\n<\/div>\n

Why would a cybercriminal craft an email that never ends up in a victim’s inbox? This tactic is particularly useful for a phishing campaign that banks on the recipient\u2019s confusion.<\/p>\n

\u201cImagine, for instance, the scenario where a custom email could be crafted that mimics previous emails the sender has legitimately sent out containing various links. A person might, when wanting to remember what the links were, go back into their sent folder to find an example: disaster!\u201d wrote Cotten.<\/p>\n

Cotten provided a demo for Bleeping Computer<\/a> wherein he showed a potentially malicious sender spoofing the From<\/em> field by displaying a different name to the recipient. This may yield a high turnover of victims if used in a business email compromise<\/a> (BEC)\/CEO fraud campaign, they noted.<\/p>\n

After raising an alert about this bug, Cotten unknowingly opened the floodgates for other security researchers to come forward with their discovered Gmail bugs. Eli Grey<\/a>, for example, shared the discovery of a bug in 2017<\/a> that allowed for email spoofing, which has been fixed in the web version of Gmail but remains a flaw in the Android version. One forum commenter\u00a0claimed<\/a> that the iOS Mail app also suffers from the same glitch.<\/p>\n

Another one stirs the dust<\/h3>\n

Days after publicly revealing the Gmail bug, Cotten discovered another flaw wherein malicious actors can potentially hide sender details in the From<\/em> header by forcing Gmail to display a completely blank field.<\/p>\n

\"\"<\/p>\n

Who’s the sender? Screenshot by Tim Cotten, emphasis (in purple) ours.<\/em><\/p>\n<\/div>\n

He pulled this off by replacing a portion of his test case with a long and arbitrary code string, as you can see below:<\/p>\n

\"\"<\/p>\n

The string. Screenshot from\u00a0Tim Cotten, emphasis (in purple) ours.<\/em><\/p>\n<\/div>\n

Average Gmail users may struggle to reveal the true sender because clicking the Reply<\/em> button and the \u201cShow original\u201d option still yields a blank field.<\/p>\n

\"\"<\/p>\n

Screenshot by Tim Cotten, emphasis (in purple) ours.<\/em><\/p>\n<\/div>\n

\"\"<\/p>\n

There’s nothing there! Screenshot by Tim Cotten, emphasis (in purple) ours.<\/em><\/p>\n<\/div>\n

Missing sender details could potentially increase the possibility of users opening a malicious email to click an embedded link or open an attachment, especially if it contains a subject that is both actionable and urgent.<\/p>\n

When met with silence<\/h3>\n

The Gmail vulnerabilities mentioned in this post are all related to user experience (UX), and as of this writing, Google has yet to address them. (Cotten has proposed<\/a> a possible solution for the tech juggernaut.) Unfortunately, Gmail users can only wait for the fixes.<\/p>\n

Spotting phishing attempts or spoofed emails can be tricky, especially when cybercriminals are able to penetrate trusted sources, but a little vigilance can go a long, long<\/em> way.<\/p>\n

The post Spoofed addresses and anonymous sending: new Gmail bugs make for easy pickings<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Jovi Umawing| Date: Wed, 21 Nov 2018 17:53:50 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
This isn\u2019t the first time that Gmail, an email service used by billions, is found to have flaws. One security researcher discovered two in less than a week; another revealed a weakness that still leaves Android users open to phishing.<\/p>\n

Categories: <\/p>\n