The method behind the spam glitch was spotted last year but ignored by Google
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Gmail users found spam emails in their "Sent" folders that had been relayed from "telus.net."
- Google was notified of the issue last year but did not believe it warranted a fix until users flooded their Help forum with comments about the issue.
Google scrambled on Sunday to help Gmail users remedy a spam problem infecting their inboxes. Users flooded Google's Gmail help forums, writing that they found spam emails in their "Sent" folder to unknown email addresses. Even those equipped with two-factor authentication suffered from the bug, and many users believed their accounts were compromised.
"Yes this has happened to me this morning too - there are 6 x of these spoof emails in my inbox apparently sent from my account and they are showing in my sent items folder. There is one from nore...@travellstore.com and 5 from sen...@justvaluerate.com," one user wrote in Google's Help forum. "I'm a little freaked out by this...."
Most of the emails were about weight loss, supplements, or loans and were sent "via telus.net." Users reported in the forums that even after changing their passwords, the problem was still occurring. Telus is a Canadian telecommunications company.
Google initially responded to the furor from Gmail users on Twitter, acknowledging that they were aware of the issue and working on a solution. They later released a statement claiming user accounts had not been compromised by any hackers but did not explain how these spam messages ended up in so many mailboxes.
"We are aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it. This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder. We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident," Google said in a statement to Mashable.
Telus also sent a statement to Mashable, claiming it played no part in the spam campaign.
"We have identified spam emails being circulated that are disguised to appear as if they are coming from http://telus.com. We are aware of the issue and can confirm the messages are not being generated by TELUS, nor are they being sent from our server," Telus wrote in the statement. "We are working with our 3rd party vendors to resolve the issue, and are advising our customers not to respond to any suspicious emails."
Our sister site ZDNet interviewed security researchers last year who warned Google that there were ways to get around its spam filters. Renato Marinho, a researcher at the Brazilian security firm Morphus Labs, found that Google's filtering did not treat a message as spam merely because it arrived from a spoofed @gmail.com sender address.
As seen in this instance, the spammers relayed their messages through what appeared to be an outside Telus server while forging the sender address so the mail looked as though it came from Gmail. ZDNet reported that Marinho told Google about the problem but was rebuffed: Google told him the issue "did not substantially affect the confidentiality or integrity of Google users' data."
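The mechanism described above, a From: header forged to match the recipient's own address so the message looks self-sent, is something a receiving filter can catch by refusing to trust a self-addressed From: unless the message authenticates with DMARC-style alignment. The following is an added example, not code from Google, Telus or ZDNet; the messages, hosts, addresses and Authentication-Results verdicts are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr
# Constructed samples; addresses, hosts and verdicts are invented for the example.
# SPOOFED_SELF: From: names the mailbox owner, but SPF fails, there is no DKIM
# signature and DMARC fails, as with forged headers relayed from an outside host.
SPOOFED_SELF = """\
Return-Path: <bounce@spammer.example>
Received: from relay.outside.example ([198.51.100.7]) by mx.example.net
Authentication-Results: mx.example.net;
    spf=fail smtp.mailfrom=bounce@spammer.example;
    dkim=none;
    dmarc=fail header.from=gmail.com
From: Alice <alice@gmail.com>
To: Alice <alice@gmail.com>

Buy now.
"""
# GENUINE_SELF: a note the owner really sent to herself, authenticated and aligned.
GENUINE_SELF = """\
Return-Path: <alice@gmail.com>
Authentication-Results: mx.example.net;
    spf=pass smtp.mailfrom=alice@gmail.com;
    dkim=pass header.d=gmail.com;
    dmarc=pass header.from=gmail.com
From: Alice <alice@gmail.com>
To: Alice <alice@gmail.com>

Remember the milk.
"""
def authentication_results(msg):
    # Collect method=verdict pairs from every Authentication-Results header.
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            results.setdefault(method, verdict.lower())
    return results

def classify_self_addressed(raw, mailbox):
    # Returns 'not-self', 'genuine-self' or 'spoofed-self' for one raw message.
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if from_addr != mailbox.lower():
        return "not-self"
    auth = authentication_results(msg)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    # Only authentication aligned with the From: domain counts, as DMARC requires.
    aligned = auth.get("dmarc") == "pass" or (auth.get("spf") == "pass"
              and envelope.rpartition("@")[2] == from_addr.rpartition("@")[2])
    return "genuine-self" if aligned else "spoofed-self"
```

A self-addressed message with no Authentication-Results at all is also classed as spoofed, which is the conservative choice for mail that claims to come from the mailbox owner.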