Users of Google’s Gmail have been receiving spam that appears to have been sent from their own accounts, according to reports.
Google said it was aware of a spam campaign impacting a “small subset of Gmail users” and was taking measures to protect against it.
The attackers used forged email headers to make it appear that users were sending emails to themselves, which led to those emails erroneously appearing in their sent folders, Google said.
The company has identified the offending emails and is reclassifying them as spam, and it has no reason to believe any accounts were compromised as a result of the operation.
Telus has identified spam emails that were disguised to make it appear it had sent them, spokesperson Francois Gaboury said.
“We are aware of the issue and can confirm the messages are not being generated by Telus, nor are they being sent from our server,” he said.
Telus has been working with third-party vendors to resolve the problem, Gaboury said, adding that customers should not respond to any suspicious emails.
The attack is an example of a business impersonation attack combined with spoofing, said Kevin O’Brien, CEO of GreatHorn.
In these types of attacks, the hackers manipulate email metadata or directly impersonate the sending domain, which allows them to bypass pre-delivery filters, he told the E-Commerce Times.
“While cloud-native email providers are more secure than their on-premises counterparts, these types of attacks highlight how messages sent within those providers’ own environment,” O’Brien said. “That is, emails that are sent from one cloud email box to another never leave the infrastructure that Google or Microsoft provides [and] can pose threats that traditional security models cannot help stop.”
Google last year announced new machine learning technology designed to help combat spam, phishing and other types of cybercrime.
However, GreatHorn has tracked a large number of attacks that were able to get around the machine learning technology, O’Brien said.
GreatHorn recently stopped an attack that used the attack vector “[email protected]” across multiple clients that run on the Gmail platform, he said. Google eventually caught it, but only after GreatHorn detected dozens of emails.
“In that example, organizations running G Suite without SPF (Sender Policy Framework) set to its most strict level were receiving impersonation attacks, similar to the Telus attack, where the only sign was 2018 attached to the email address,” O’Brien noted.
Google’s machine learning is “eventually secure,” he remarked, but it often lags behind individual consumer protection, leaving organizations vulnerable.
Conduct a Self-Check
Gmail users can check for a potentially spoofed message, said James Lerud, head of the Verodin behavioral research team.
Click the down arrow next to the reply button and select “show original.” Then look at the SPF section. If it does not say “pass,” then the email is spoofed, he told the E-Commerce Times. The SPF system keeps track of which IP addresses are authorized to send email on behalf of a domain.
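The check Lerud describes can be automated over the raw message that Gmail’s “show original” view exposes. The following Python script is an added example, not code from the article, Gmail or Verodin; it reads the `Authentication-Results` header that Google’s inbound mail servers add (falling back to a `Received-SPF` header), pulls out the SPF verdict, and additionally flags messages whose `From` and `To` addresses are the same, the pattern in the self-addressed spam reported above. The two sample messages are constructed for the example and use reserved example domains and addresses.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a legitimate message whose sending host is authorised by SPF.
SAMPLE_PASS = """\
Delivered-To: alice@example.com
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.net header.s=sel1;
       spf=pass (google.com: domain of bob@example.net designates 192.0.2.10 as permitted sender) smtp.mailfrom=bob@example.net
From: Bob <bob@example.net>
To: alice@example.com
Subject: Lunch

See you at noon.
"""

# Constructed sample: forged headers make the message look self-sent; SPF did not pass.
SAMPLE_SPOOFED = """\
Delivered-To: alice@example.com
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning alice@example.com does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=alice@example.com
From: alice@example.com
To: alice@example.com
Subject: You have a new message

Click here.
"""


def spf_result(raw_message: str) -> str:
    """Return the SPF verdict recorded by the receiving server, lower-cased.

    Looks for 'spf=<verdict>' in every Authentication-Results header first
    (Gmail adds these), then falls back to the older Received-SPF header.
    Returns 'none' when neither header carries a verdict.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    for value in msg.get_all("Authentication-Results", []):
        match = re.search(r"\bspf=(\w+)", str(value), re.IGNORECASE)
        if match:
            return match.group(1).lower()
    received_spf = msg.get("Received-SPF")
    if received_spf:
        # Received-SPF starts with the verdict, e.g. "pass (comment) ..."
        return str(received_spf).split(None, 1)[0].strip(" ;").lower()
    return "none"


def is_self_addressed(raw_message: str) -> bool:
    """True when the From and To addresses are identical (the forged-header pattern)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    return bool(sender) and sender == recipient


def assess(raw_message: str) -> dict:
    """Combine the two signals into a simple triage record for the message."""
    verdict = spf_result(raw_message)
    return {
        "spf": verdict,
        "self_addressed": is_self_addressed(raw_message),
        # Per the self-check above: anything other than an SPF pass is treated as spoofed.
        "likely_spoofed": verdict != "pass",
    }


if __name__ == "__main__":
    for label, sample in (("legitimate", SAMPLE_PASS), ("spoofed", SAMPLE_SPOOFED)):
        print(label, assess(sample))
```

Paste the full content of “show original” into a file and feed it to `assess()`; the SPF verdict is what the receiving server recorded for the envelope sender, so the script only reports what Google already evaluated, it does not query DNS itself.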
If users suspect a Gmail account has been compromised, they should monitor account activity by clicking “details” at the bottom of the Gmail page under “Last Account Activity,” said Lerud. Users should periodically review third-party access to check which apps have access to their account.