Exploiting Gmail webmail for phishing
written by Marek Foss

I recently noticed that a certain Gmail webmail “feature” lets you convince the receiver that an email was sent by someone other than you. This would be easy for Google to fix, but apparently it would also completely change the way they display senders – it would, sort of, be a step back to the era of email addresses as identification. Here’s how it works.
Preparation
By default, a new Gmail account is not on any spam list, and as such won’t be blocked unless you email viagra or other links to suspicious websites. So we create a new account. Also, Gmail doesn’t care what your name is. So let’s change it to something fun, like Facebook!

As you can see, my email address is in the Polish domain, so it’s definitely not Facebook, though it tries to mimic it. But the above change will make the Send email as field look like this:

Next, let’s mimic a Facebook notification email. Since Gmail displays plain-text and HTML emails identically (some webmails don’t, for example using Courier for plain-text and Arial for HTML), and because you can also change the target of a “plain-text” URL without anyone noticing, you can craft an email that looks exactly like a simple, plain-text message from Facebook but links to a malicious website.

Attack
Ok, but what’s the big deal here, you ask? Well, this is:

In your Inbox, you simply can’t tell that this email is not from Facebook. It looks exactly the same as the original. But wait, it gets better:

How can you tell, looking at the complete email, that it’s not from Facebook? It says Facebook to me after all. And when did you last click the show details link? And how often do you check the original message (do you even know where to do that in Gmail? Check yourself :))?
So imagine the attacker creates a malicious website imitating the Facebook login page. How often do you re-check the URL in the browser after clicking what looks like a plain-text link in your email? If you don’t double-check it, your credentials will go to the attacker, and you’ll be redirected back to the Facebook page, which you’re probably logged in to anyway, so you won’t even notice. Bazinga!
How to defend?
There are three things Google could do to prevent this. First, display the sender’s name and email address, even when the message details are hidden. Second, at least add a title attribute to links in the email. Third, create a safe-list of email addresses from various account providers like Facebook, Twitter etc., so whenever somebody names himself Facebook, an alert pops up that this person’s name does not match the email domain.
For now, you should either use a desktop email app, or be careful and expand the message details, as well as check where the links point. UPDATE: one of the readers, makeros, correctly suggests that another safeguard would be to assign a label to the original, valid email address, for example. Good point, thanks!
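Two of the checks proposed above, written as an added example (not code from the original post or from Gmail): a brand safe-list that flags a display name such as “Facebook” on a foreign domain, and a scan for links whose visible URL text points to a different host than the real href. The brand-to-domain table and the sample inputs are constructed for the example.

```python
"""Added example: flag display-name spoofing and look-alike links in an email.
Two of the checks the post asks for: a From display name that claims a known
brand off that brand's domain, and anchor text that is a URL on another host
than the real href. Brand table and sample inputs are constructed here."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed safe-list: brand shown in the display name -> domains it really sends from.
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com"}, "twitter": {"twitter.com"}}

def check_sender(from_header):
    """Warning string if the display name claims a brand the address domain isn't on, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return f"display name {name!r} claims {brand} but address is {addr}"
    return None

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_links(html):
    """(text, href) pairs where URL-looking anchor text names a different host than href."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for text, href in parser.links:
        if " " in text or "." not in text:  # plain words like "Click here" are not look-alikes
            continue
        shown = urlparse(text if "://" in text else "http://" + text).netloc.lower()
        if shown and shown != urlparse(href).netloc.lower():
            suspicious.append((text, href))
    return suspicious
```

Run `check_sender` on the parsed From header and `check_links` on the HTML part of a message; both return nothing for a legitimate notification and a description of the mismatch otherwise.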

We have a saying in Poland that goes “When a man is in a hurry, the devil is happy” (meaning “Haste makes waste”). I’d say “When a man is in a hurry, the devil is phishing”. This exploit isn’t based on any technical knowledge or holes in Gmail. It’s all about routine and haste, isn’t it?

PS. I bet somebody else described this problem before me, but I couldn’t Google it, so I decided to post it. Be sure to follow me, I’m @f055 :)
