Gmail’s new Confidential Mode Feature is Entirely a New Route to Phishing Attacks: DHS
The tool could make it easier for cybercriminals to pretend to be someone else
Google’s email service, Gmail, unveiled new features for its web interface in April 2018. While many of those features sound promising, what ‘Confidential Mode’ actually provides its users remains controversial.
The Department of Homeland Security (DHS) issued an alert on Saturday describing the potential emerging threat posed by Gmail’s new ‘Confidential Mode’.
It also informed Google about weaknesses in the feature that could create phishing risks and expose users’ sensitive personal information.
What is Gmail’s new ‘Confidential Mode’?
The new ‘Confidential Mode’ is said to give users a measure of privacy and security: the sender can set an expiration date on an email of one day, five years or any of several durations in between, and can optionally require an SMS passcode as an added layer of security before the email can be viewed.
If the sender opts for the SMS passcode, he/she will be prompted for the recipient’s phone number. The latter will receive a passcode which remains valid for five minutes. The recipient cannot forward, download, copy, paste or print the message.
Once the expiration date arrives the email self-destructs and is no longer viewable by the recipient. Emails sent using confidential mode can be revoked by the sender at any time, regardless of the expiration date.
Unfortunately, each of these “security” features comes with serious security problems for users.
Is ‘Confidential Mode’ really confidential? Why is it at the center of security fears?
If the recipient reads the message in the official Gmail website, the ‘Confidential Message’ appears when the user clicks to open it. The message shows the expiration date of the content and informs the recipient that it cannot be downloaded or forwarded.
However, users who read Gmail through third-party clients (such as Apple Mail, Outlook, etc.) are more exposed to the weakness. In that case the recipient of a ‘Confidential Email’ has to click a link in order to access the content, which DHS and US officials see as a serious threat to Gmail’s 1.4 billion users.
According to DHS, such links can be imitated by attackers to lure users into revealing sensitive personal information via seemingly ‘trustworthy’ emails, increasing the risk of phishing.
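The risk described above is that a recipient on a third-party client learns to click a “view confidential message” link, so a notification whose link points somewhere else becomes hard to tell apart from a genuine one. The following is an added example, not code from the article, DHS or Google, showing how a mail gateway or security team could triage such notifications: it parses a raw message, pulls every link out of the body, and flags messages that mention a confidential message but link to a host outside an allowlist, with hosts that merely contain the Gmail or Google brand name marked as lookalikes. The allowlist (`mail.google.com`) and the two sample messages are constructed for the example; the real host Google uses for confidential-mode links is not stated in the article and is left as an assumption to be configured.

```python
"""Triage 'confidential message' notifications whose link points off-brand.

Added example for the article's phishing discussion; not Google's or DHS's code.
The trusted-host allowlist is an assumed configuration value.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# ASSUMPTION: hosts a genuine confidential-message link is allowed to use.
# Replace with whatever your organisation has verified.
TRUSTED_LINK_HOSTS = {"mail.google.com"}

# Brand words that, in a non-allowlisted host, suggest a lookalike domain.
BRAND_TERMS = ("google", "gmail")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TRIGGER_RE = re.compile(r"confidential", re.IGNORECASE)


def classify_link(url):
    """Return 'trusted', 'lookalike' or 'untrusted' for one URL's hostname."""
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_LINK_HOSTS:
        return "trusted"
    if any(term in host for term in BRAND_TERMS):
        return "lookalike"
    return "untrusted"


def analyse(raw_message):
    """Parse a raw RFC 5322 message and decide whether it needs a closer look.

    A message is flagged when it talks about a confidential message (subject or
    body) and at least one link in the body is not on the trusted allowlist.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    subject = str(msg.get("subject", ""))

    mentions = bool(TRIGGER_RE.search(subject + "\n" + text))
    verdicts = {url: classify_link(url) for url in URL_RE.findall(text)}
    flagged = mentions and any(v != "trusted" for v in verdicts.values())
    return {"mentions_confidential": mentions, "links": verdicts, "flag": flagged}


# Constructed sample messages (not real notifications); the query strings are
# placeholders.
SAMPLE_GENUINE = b"""From: alice@example.com
To: bob@example.com
Subject: Alice sent you a confidential message
Content-Type: text/plain; charset=utf-8

Open it here: https://mail.google.com/confidential/view?id=PLACEHOLDER
"""

SAMPLE_LOOKALIKE = b"""From: alice@example.com
To: bob@example.com
Subject: Alice sent you a confidential message
Content-Type: text/plain; charset=utf-8

Open it here: https://mail.google-confidential.example/view?id=PLACEHOLDER
"""

if __name__ == "__main__":
    for label, sample in (("genuine", SAMPLE_GENUINE), ("lookalike", SAMPLE_LOOKALIKE)):
        result = analyse(sample)
        print(label, "flag =", result["flag"], result["links"])
```

The check is deliberately conservative: it only raises a flag when both signals are present (confidential-message wording plus an off-allowlist link), which keeps ordinary newsletters with external links out of the queue. The hostname comparison is exact, so a subdomain or hyphenated variant of a trusted brand is reported as a lookalike rather than silently accepted.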
What did DHS say?
According to the Department of Homeland Security (DHS), Google’s email service, Gmail’s new 'Confidential Mode' feature is an entirely new route for phishing attacks.
The tool could make it easier for cybercriminals to pretend to be someone else in order to gain access to users' personal information. They can send out mass scam messages containing fraudulent versions of these confidential links.
The department issued a warning about a potential emerging threat arising from the Gmail redesign. DHS officials also contacted Google to report the weaknesses and offered to partner with the company to help improve the feature.
Phishing attacks steal sensitive information, including passwords, contact details, credit card and payment information, by tricking users into handing over their information. This can lead to identity theft.
Ankush Johar, director at Infosec Ventures, said: "The sole motive of a phishing email is to have a user redirected to a malicious resource. Right now, in the majority of the cases, the generic email reading habit is simply opening it and reading it and hence, in case a malicious email comes in and asks the user to click a link, the user has to step out of his/her habit to click. With this feature introduced by Google, Gmail users on 3rd party clients will get habituated to click links inside emails and hackers will surely exploit this to send spoofed "confidential looking" emails which will be instantly opened, increasing the click-rate of phishing campaigns for hackers.
"This will make it even more difficult to train individuals to identify phishing emails and links as presently, they are simply taught to avoid clicking links from unknown senders but now, those links might actually be legitimate, making it confusing for users. Humans are the weakest link in cybersecurity and hackers will always try to exploit that.
"Until Google revamps this architecture, organisations are suggested not to make the 'Confidential Mode' a part of the daily routine for their employees. Else, employees must be trained to understand the various attack scenarios in which an attacker can use such emails, or else it will be extremely easy for an attacker to convince an untrained eye.
"As an individual, all one can do is to be vigilant in general and be suspicious by nature. You are responsible for your security, hence you must THINK BEFORE YOU CLICK!"