| ▲ | ycombinatrix 5 days ago |
| It isn't Google's fault that an attacker was able to spoof mail from "legal@google.com"? |
|
| ▲ | Avamander 5 days ago | parent | next [-] |
| Proof of that remains to be seen. That being said, there are a few approaches that might leave such an impression to people unfamiliar with their email client. |
|
| ▲ | arx_ 4 days ago | parent | prev | next [-] |
| The attacker doesn’t need to spoof anything, this is known as a homograph attack: https://en.m.wikipedia.org/wiki/IDN_homograph_attack https://www.xudongz.com/blog/2017/idn-phishing/ |
| |
| ▲ | otterley 4 days ago | parent | next [-] | | We don’t know yet that that’s what actually happened in this case. | | |
| ▲ | arx_ 4 days ago | parent [-] | | It seems likelier than a @google.com spoof landing in the person’s inbox. Without them providing the headers this is just idle guessing, but I’d argue my guess is likelier to be the truth. |
| |
| ▲ | eviks 4 days ago | parent | prev | next [-] | | If it's a known attack, Google has a known defence in its apps? | | |
| ▲ | arx_ 4 days ago | parent [-] | | Something being known doesn’t mean a solution exists. Computing the set of Unicode characters that would result in a homograph of a Latin alphabet word is non-trivial. Now do this for relevant/trusted domains, now put in place a mechanism to mark a domain as trustworthy that also minimises your liability. | | |
| ▲ | eviks 4 days ago | parent [-] | | > Something being known doesn’t mean a solution exists. But we aren't talking theory. In this case solutions exist, just not in this app? Also, the triviality point is puzzling; are we only allowed to criticize professionals for trivial fails? (though using a different font is one of the trivial mitigations) > that also minimises your liability. How is that a factor, what is their liability now without any mechanism and will it increase if they add some? |
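Added example (not from any commenter, and not how Gmail or Chrome actually implement their checks): the two defences the exchange above debates, applied to a sender domain. A per-label mixed-script check catches a Latin word with one Cyrillic letter swapped in; a whole-script look-alike (every letter Cyrillic) passes that check, so the second step maps a hand-picked subset of confusable letters to their Latin look-alikes and compares against a trusted list. The confusable table, the `TRUSTED` set and the sample domains are constructed for illustration; a real deployment would use the full Unicode confusables data (UTS #39) rather than this subset.

```python
import unicodedata

# Hand-constructed subset of Cyrillic letters that render like Latin letters in common
# fonts. This is an illustrative sample, NOT Unicode's full confusables.txt.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}

# Constructed list of domains a client treats as trusted senders.
TRUSTED = {"google.com", "gmail.com", "paypal.com"}


def scripts_in(label: str) -> set:
    """Coarse script set of a DNS label, taken from the first word of each
    character's Unicode name ('LATIN', 'CYRILLIC', ...). Digits and '-' are ignored."""
    scripts = set()
    for ch in label:
        if ch in "0123456789-":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] or "UNKNOWN")
    return scripts


def skeleton(domain: str) -> str:
    """Simplified 'skeleton': NFKC-normalise, lowercase, then replace each
    confusable letter with its Latin look-alike."""
    normalised = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalised)


def to_ascii(domain: str) -> str:
    """Punycode (xn--) form, which is what the DNS and mail headers actually carry."""
    return domain.encode("idna").decode("ascii")


def classify(domain: str) -> str:
    """Verdict for a sender domain:
    'trusted'      - exact match on the trusted list
    'mixed-script' - some label mixes scripts (e.g. Latin word with a Cyrillic letter)
    'lookalike'    - single-script label whose skeleton equals a trusted domain
    'unknown'      - none of the above"""
    domain = domain.lower()
    if domain in TRUSTED:
        return "trusted"
    if any(len(scripts_in(label)) > 1 for label in domain.split(".")):
        return "mixed-script"
    if skeleton(domain) in TRUSTED:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed samples: Latin 'google' with a Cyrillic o, and an all-Cyrillic 'paypal'.
    for sample in ["google.com", "g\u043eogle.com", "\u0440\u0430\u0443\u0440\u0430\u04cf.com"]:
        print(f"{sample!r:28} {to_ascii(sample):24} {classify(sample)}")
```

The point the thread makes shows up in the second check: the mixed-script rule is cheap and catches the common case, but a domain spelled entirely in one non-Latin script needs a confusable table, and the table here is a small hand-picked subset; covering the whole of Unicode is the non-trivial part.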
|
| |
| ▲ | palmfacehn 4 days ago | parent | prev [-] | | Seems like a good use for the .google tld |
|
|
| ▲ | blindriver 5 days ago | parent | prev [-] |
| Spoofing email addresses has been around since the 90s. |
| |
| ▲ | acdha 4 days ago | parent [-] | | Yes, and the industry has been responding to it since approximately 5 minutes after Canter & Siegel started cranking out that green card spam in 1994. We have SPF, DKIM, DMARC, etc. _and_ more importantly, the victim in this case was using Google's mail client to access Google's mail service so they don't even need complex protocols designed to inform 3rd parties about whether a message is legitimate. If Gmail refused to accept any messages claiming to be from google.com which didn't originate from their servers, it'd be quite defensible given the ratio of attacks to the handful of legitimate cases where someone needs to do something like post to an outside mailing list using their @google.com email address. |
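Added example (my own illustration, not Gmail's logic): the inbound policy the comment above proposes, namely "refuse any message whose From: claims one of our own domains unless it was actually signed by us", layered on top of the usual DMARC result for everyone else. It reads the Authentication-Results header an inbound MTA stamps after evaluating SPF, DKIM and DMARC, and treats a DKIM pass as aligned only when the signing domain (header.d) matches the From: domain. The `OWN_DOMAINS` set and the three messages are constructed for the example, not captured traffic.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Domains this provider itself originates mail for (constructed list for the example).
OWN_DOMAINS = {"google.com"}

# Constructed messages. The Authentication-Results line is what the receiving MTA would
# have added after running SPF/DKIM/DMARC; none of these are real captures.
SPOOFED = """\
From: Legal <legal@google.com>
To: victim@gmail.com
Subject: Notice
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.attacker.example; dkim=none; dmarc=fail (p=NONE) header.from=google.com

Please open the attached notice.
"""

LEGITIMATE = """\
From: Legal <legal@google.com>
To: victim@gmail.com
Subject: Notice
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com header.s=sel1; dmarc=pass (p=REJECT) header.from=google.com

Routine notice.
"""

THIRD_PARTY = """\
From: List <news@lists.example.org>
To: victim@gmail.com
Subject: Digest
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=lists.example.org; dkim=pass header.d=lists.example.org; dmarc=pass header.from=lists.example.org

Digest body.
"""


def parse_auth_results(header: str) -> dict:
    """Parse 'method=result prop=value ...' clauses from an Authentication-Results
    value into {method: {"result": ..., "props": {...}}}. Parenthesised comments
    such as '(p=REJECT)' are dropped first so they are not mistaken for properties."""
    header = re.sub(r"\([^)]*\)", "", header)
    out = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = {"result": result.lower(), "props": props}
    return out


def from_domain(msg) -> str:
    """Domain of the RFC 5322 From: address, which is what the user sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def decide(raw: str) -> str:
    """Return 'reject', 'quarantine' or 'accept' for a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = from_domain(msg)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    dkim = auth.get("dkim", {})
    aligned_dkim = (dkim.get("result") == "pass"
                    and dkim.get("props", {}).get("header.d", "").lower() == domain)
    if domain in OWN_DOMAINS and not aligned_dkim:
        return "reject"      # claims our domain but was not signed by our keys
    if auth.get("dmarc", {}).get("result") == "fail":
        return "quarantine"  # someone else's domain: fall back to their DMARC result
    return "accept"


if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("legitimate", LEGITIMATE), ("third party", THIRD_PARTY)]:
        print(f"{name:12} -> {decide(raw)}")
```

The first rule is the one the comment argues for: a provider that hosts both the sending and receiving side does not need the sender's published DMARC policy to know whether a google.com From: was signed by google.com, so it can reject outright. The mailing-list case the comment mentions is exactly what an aligned DKIM check preserves, since a list that re-signs the message with its own domain lands in the second rule rather than the first.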
|