Unlike Twitter, where verification has become something you buy with a subscription, a month ago Gmail introduced verification badges for the purpose such badges should always serve: telling official accounts from unofficial ones, in this case for companies. The move has backfired.
The measure was mainly intended to curb phishing, that is, the use of company names to defraud users. However, someone has managed to circumvent the system Google uses, and some companies are now being impersonated with the added credibility of the blue check.
Taking impersonation a step further
As we said at the start, the badge was introduced out of the need to tell real companies apart from scammers. After all, we receive plenty of unwanted emails every day which, although they usually land in the spam folder, sometimes slip into the inbox.
These emails claim to come from a well-known company so that the victim believes them and follows their instructions, which range from downloading a malicious attachment to opening an external link where personal data, or even a payment, is requested to carry out some action. The verification (the blue check) was supposed to distinguish those scams from genuine company emails.
However, as a cybersecurity expert points out on Twitter, some verified emails are arriving that do not come from the company they claim to. He attaches an example of an email that supposedly comes from the courier company UPS and which, judging by the sender's address, is not really from UPS.
The expert gives no details of how Google's authentication system was bypassed, probably so that the technique does not spread and other cybercriminals do not pile on. The point is that this can be extremely troublesome: anyone may trust an email that arrives with that check and, as we can see, it is no longer a guarantee of authenticity.
Clearly the system Gmail uses to authenticate companies and grant them the badge is weak somewhere. Until now, Google had relied on third parties such as Entrust or DigiCert to verify both the logo and the email domain.
9to5Google reports that Google itself already acknowledges the problem, although it attributes the cause to third parties, and has announced that in the coming days it will add a new requirement for verification: specifically, the DKIM (DomainKeys Identified Mail) authentication standard will have to be used.
That is why, until this change lands, we recommend taking extra precautions when you receive a verified email. Check whether the sender's address is genuine (bearing in mind it may be masked) and above all question the context. If you are asked to download a file or open a suspicious link, be wary.
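The DKIM requirement mentioned above comes down to one concrete check: the message must carry a valid DKIM signature whose signing domain matches the domain in the From: header the user actually sees. A DKIM pass on some unrelated domain, or a pass claimed by a header the sender inserted itself, proves nothing about the brand on display. As an added example (not code from the original article, nor Google's own logic), the script below runs that alignment check over the Authentication-Results header that a receiving server writes, which Gmail exposes under "Show original". The three sample messages, the trusted authserv-id mx.example.net, and the two-label shortcut for the organizational domain are all constructed assumptions for the demonstration.

```python
import email
import email.utils
import re

# Constructed sample messages (not real mail). The Authentication-Results header
# imitates what the receiving server (authserv-id "mx.example.net") writes after
# evaluating SPF and DKIM; Gmail shows the equivalent under "Show original".
ALIGNED_MSG = """\
From: UPS Notifications <noreply@ups.com>
To: victim@example.net
Subject: Your parcel
Authentication-Results: mx.example.net;
  dkim=pass header.i=@ups.com header.s=sel1 header.d=ups.com;
  spf=pass smtp.mailfrom=ups.com

Your parcel is on its way.
"""

# DKIM passes, but the signing domain belongs to the sender's own infrastructure,
# not to the brand shown in From:, so the signature proves nothing about UPS.
SPOOFED_MSG = """\
From: UPS Notifications <noreply@ups.com>
To: victim@example.net
Subject: Your parcel
Authentication-Results: mx.example.net;
  dkim=pass header.i=@mail-delivery.example header.d=mail-delivery.example;
  spf=pass smtp.mailfrom=bounce.mail-delivery.example

A customs fee is due before your parcel can be released.
"""

# The sender injected its own Authentication-Results header claiming a pass for
# ups.com. It carries a foreign authserv-id, so the receiver must ignore it.
FORGED_AR_MSG = """\
From: UPS Notifications <noreply@ups.com>
To: victim@example.net
Subject: Your parcel
Authentication-Results: attacker.example; dkim=pass header.d=ups.com
Authentication-Results: mx.example.net; dkim=none; spf=fail smtp.mailfrom=attacker.example

A customs fee is due before your parcel can be released.
"""

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: the authserv-id of our own MX


def from_domain(msg):
    """Domain of the address in the From: header, i.e. what the user sees."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    """Organizational domain used for relaxed alignment.

    Simplification: keep the last two labels. Real DMARC consults the Public
    Suffix List so that names such as example.co.uk are handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dkim_pass_domains(msg, trusted_authserv=TRUSTED_AUTHSERV):
    """header.d of every dkim=pass result written by our own server."""
    domains = []
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(str(value).split())  # unfold and normalise whitespace
        authserv, _, results = value.partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != trusted_authserv:
            continue  # not written by our MX: may have been forged upstream
        for m in re.finditer(r"\bdkim=pass\b([^;]*)", results):
            d = re.search(r"header\.d=([A-Za-z0-9.-]+)", m.group(1))
            if d:
                domains.append(d.group(1).lower())
    return domains


def dkim_aligned(raw, trusted_authserv=TRUSTED_AUTHSERV):
    """True only if a trusted DKIM pass comes from a domain aligned with From:."""
    msg = email.message_from_string(raw)
    visible = from_domain(msg)
    if not visible:
        return False
    return any(org_domain(d) == org_domain(visible)
               for d in dkim_pass_domains(msg, trusted_authserv))


if __name__ == "__main__":
    for name, raw in [("aligned", ALIGNED_MSG), ("spoofed", SPOOFED_MSG),
                      ("forged header", FORGED_AR_MSG)]:
        verdict = "trust badge" if dkim_aligned(raw) else "do not trust badge"
        print(f"{name:14s} -> {verdict}")
```

Only the first message passes. The second is the pattern behind the UPS example in the article: everything authenticates, just not for the domain the reader sees. The third shows why the authserv-id filter matters: anyone can add an Authentication-Results header before the mail reaches you, so only the one written by your own mail server counts.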
Via | 9to5Google
In Xataka Android | Everything your Android mobile does for you so you don’t fall for scams or get hacked