New Gmail Feature Leaves Millions Of Email Users Open To Attack
The introduction of end-to-end encryption to Google's Gmail platform has left millions of email users vulnerable to a new type of attack. With nearly 2 billion users, Gmail is the most popular email service in the world, and its massive user base makes it an attractive target for hackers, scammers, and cybercriminals.
Google announced that it would be rolling out end-to-end encryption to all enterprise users as part of Gmail's 21st birthday celebrations. The feature lets businesses send encrypted emails to any recipient, inside or outside Gmail, with just a few clicks. However, the way it handles recipients outside Gmail also creates a phishing risk that reaches beyond Gmail's own users.
The issue lies in the way the encryption service works. When an encrypted email is sent to another Gmail user, it is decrypted automatically in their inbox. But if the recipient isn't a Gmail user, they are instead sent an invitation to view the email within a restricted version of Gmail, signing in with a Google Workspace guest account.
"Be careful when signing in to view this encrypted message," says a warning that will be added to the encrypted email invitations sent to non-Gmail users. "This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password."
The Risks of End-To-End Encryption
Experts warn that the invitation flow itself can be abused by scammers to trick users into revealing sensitive information. A legitimate invitation asks the recipient to click a link in an email and then sign in with their identity provider to read the message, which is exactly the action a credential-phishing email asks for. A forged "view your encrypted message" invitation is therefore hard for an ordinary recipient to tell apart from a genuine one, and the habit the feature trains works in the attacker's favour.
"In this case, DKIM won't flag the message," says Ross Richendrfer, a Gmail spokesperson. "But other controls responsible for content detection and filtration should still assess the message content."
Richendrfer said that Google has already rolled out updated security measures to counter the techniques used by the threat actor behind the "Gmail Subpoena" campaign in those highly targeted attacks.
The PayPal Phishing Scam
PayPal users have also been caught out in a similar way. In February, I reported on a phishing scam that targeted PayPal users, using a genuine and authenticated PayPal email address of service@paypal.com.
The trick was to add a gift address to a genuine PayPal account and use its free-text field to generate the body of PayPal's own notification email, text that the attacker controlled and could edit later. The email headers showed that the messages were sent to a no-reply address and were then forwarded on to a mailing list containing the addresses of the victims in the sting. Because PayPal really did send the message, SPF and DKIM checks for the sending domain pass; only the forwarding hop and the recipient mismatch give the relay away.
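The relay pattern described above, and the spokesperson's point that a passing DKIM signature says nothing about who the mail was meant for, can be turned into a triage check. The following is an added example written for this page, not code from Google, PayPal or the author: it parses a message, collects the Authentication-Results verdicts, and flags mail that carries a valid DKIM signature for the sender's domain yet was delivered to a mailbox that does not appear in To or Cc and passed through a mailing-list hop. The headers are constructed on reserved example domains, and the heuristic, the function names and the header set it inspects are the editor's assumptions.

```python
"""Triage check for DKIM-authenticated mail relayed via a list (added example).

The heuristic and all names here are assumptions for illustration; the sample
headers are constructed on reserved example domains, not captured traffic.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# method=result pairs as they appear in Authentication-Results (RFC 8601).
AUTH_RE = re.compile(r"\b(dkim|spf|dmarc)=(\w+)")

# Headers that a mailing list or forwarder typically adds (assumed set).
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post", "Resent-From")

# Constructed: authentic mail from the sender's domain, addressed to a sink
# mailbox on a list host, then forwarded by that list to the victim.
SAMPLE_RELAYED = """\
Delivered-To: victim@example.net
Received: from lists.example.org (lists.example.org [203.0.113.5])
\tby mx.example.net with ESMTPS; Tue, 04 Feb 2025 10:02:11 +0000
Received: from mx1.payments.example (mx1.payments.example [198.51.100.7])
\tby lists.example.org with ESMTPS; Tue, 04 Feb 2025 10:01:58 +0000
Authentication-Results: mx.example.net; dkim=pass header.d=payments.example;
\tspf=fail smtp.mailfrom=lists.example.org
From: "service@payments.example" <service@payments.example>
To: noreply-sink@lists.example.org
List-Id: <sting.lists.example.org>
Subject: You added a new address
Content-Type: text/plain

A new gift address was added to your account. Call +1-555-0100 now ...
"""

# Constructed: the same sender mailing the customer directly.
SAMPLE_DIRECT = """\
Delivered-To: victim@example.net
Received: from mx1.payments.example (mx1.payments.example [198.51.100.7])
\tby mx.example.net with ESMTPS; Tue, 04 Feb 2025 10:05:40 +0000
Authentication-Results: mx.example.net; dkim=pass header.d=payments.example;
\tspf=pass smtp.mailfrom=payments.example
From: "service@payments.example" <service@payments.example>
To: victim@example.net
Subject: Your receipt
Content-Type: text/plain

Thanks for your payment.
"""


def auth_results(msg: Message) -> dict:
    """Collect method -> result from every Authentication-Results header,
    keeping the first (outermost) verdict seen for each method."""
    found: dict = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(hdr)):
            found.setdefault(method, result.lower())
    return found


def addressed_recipients(msg: Message) -> set:
    """Every address named in To or Cc, lower-cased."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def delivered_mailbox(msg: Message):
    """The mailbox the MTA actually delivered to, or None if not recorded."""
    value = msg.get("Delivered-To")
    return value.strip().lower() if value else None


def assess(raw_message: str) -> dict:
    """Return the evidence and a boolean verdict for one RFC 5322 message.

    Verdict is True when the sender's DKIM signature verified but the mail
    was not addressed to the delivered mailbox and came through a list hop.
    """
    msg = message_from_string(raw_message)
    auth = auth_results(msg)
    mailbox = delivered_mailbox(msg)
    recipients = addressed_recipients(msg)
    via_list = any(msg.get(h) is not None for h in LIST_HEADERS)
    mismatch = mailbox is not None and mailbox not in recipients
    return {
        "dkim": auth.get("dkim"),
        "spf": auth.get("spf"),
        "delivered_to": mailbox,
        "addressed_to": sorted(recipients),
        "via_list": via_list,
        "relayed_authenticated_mail": auth.get("dkim") == "pass" and mismatch and via_list,
    }


if __name__ == "__main__":
    for label, sample in (("relayed", SAMPLE_RELAYED), ("direct", SAMPLE_DIRECT)):
        print(label, assess(sample))
```

The verdict is a triage signal, not proof of fraud: plenty of legitimate list traffic trips the same three conditions, which is why the check belongs in front of content inspection rather than in place of it. SPF failing at the final hop while DKIM still passes is the expected signature of any forwarded mail, so the example keeps both verdicts in the output instead of collapsing them into one score.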
The Importance of Caution
Experts stress that any email platform is exposed to phishing attacks, with scammers using fraudulent alerts and malicious links to entrap victims.
"PayPal takes seriously our efforts to protect customers from evolving scams and fraud activity, including this common phishing scam," says a PayPal spokesperson. "We encourage customers to always remain mindful online and to visit PayPal.com for additional tips on how to protect themselves."