Google’s Gmail Upgrade—Why You Need To Change Your App (2025)

Update: Republished on April 28 with new reports into soaring email attacks on mobile phone users and the deployment of AI to industrialize the threat.

As an interesting week for Google comes to an end, with Gmail under attack from hackers and Chrome under attack from legislators, a new warning has been issued for its 3 billion users. This was entirely predictable — and you need to take it seriously.

As I’ve said before, the flurry of excited headlines that followed Google’s announcement that it was bringing end-to-end encryption to Gmail was premature. Putting aside the fact that this isn’t really end-to-end encryption, because the user’s organization controls the security rather than the user’s own client or “end,” there are other serious concerns.

End-to-end encryption doesn’t work in email, which is by its nature an open architecture. That’s why email is one of the few data types excluded from Apple’s end-to-end encrypted protection under Advanced Data Protection. Platforms such as Proton address this with a walled garden, and password-protect emails sent outside it.

Google can end-to-end encrypt emails within an organization or when it’s Gmail to Gmail as it controls both ends, albeit that’s still not strictly end-to-end encryption per the point above. But when the recipient “is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail. The recipient can then use a guest Google Workspace account to securely view and reply to the email.”

Wired correctly warns that “the fear is that scammers will take advantage of this new and more secure communication mechanism by creating fake copies of these invitations that contain malicious links, and prompt targets to enter their login credentials for their email, single sign-on services, or other accounts.”

The risks of such attacks are far worse when users are accessing email platforms from their phones rather than their computers. Phishing attacks can now craft their lures and linked pages to be even harder to detect on a phone, given many of the usual tells are hidden for screen efficiency. And all of us now use email on our phones.

In its latest Mobile Threat Report, Zimperium highlights “the move from phishing to mishing (mobile targeted phishing) [as] attackers adopt a mobile-first attack strategy – attacking via the largely unsecured mobile device instead of the largely secured PC device running Windows or MacOS.” And the U.S. is especially hard hit. It was “the #1 phished region worldwide” last year, accounting for “44% of mobile phishing targets.”

Zimperium reports that “although mishing can target both consumers and businesses, business compromise via phishing was responsible for $2.9 billion dollars in losses in the U.S. in 2023 according to the FBI’s Internet Crime Complaint Center. In a business phishing attack, a threat actor impersonates an employee, vendor or other trusted party in an email or other messaging communication and attempts to trick the employee into sharing credentials, privileged information, or some other asset.”

To join the obvious dots, this is exactly the kind of attack that will use end-to-end encrypted Gmail as a lure: soliciting a click on a maliciously crafted link, pretending to be from an organization the target already knows, and likely reaching them on their phone. It’s the same kind of attack we currently see using DocuSign as a lure.

Zimperium says its researchers “analyzed a targeted campaign that leveraged a DocuSign impersonation scheme attempting to harvest corporate credentials from company executives. The analysis of this campaign revealed an interesting attack chain that incorporated advanced evasion techniques, mobile-specific targeted phishing links inside PDF files, and a sophisticated infrastructure designed to circumvent traditional security controls while maintaining a convincing corporate appearance.”

These attacks are especially dangerous to enterprises, targeting employee workflows and readily available lures that are linked to the employee’s role. “The financial incentives are substantial, ranging from direct theft of funds or payment information to leveraging business platforms for larger-scale fraud.”

The other issue is that end-to-end encrypting emails breaks other Gmail features. Its new AI-powered relevancy search, for example, can’t operate on encrypted emails, so they will be missing from any results. As Google confirmed to me, its cloud AI processing rightly can’t see fully encrypted user content.

All these problems stem from the same cause. Email needs a rethink. It’s an archaic platform reliant on a past-due architecture. It’s similar to SMS, an open standard that worked for decades but then ran out of steam. Users now demand less spam and scams, better authentication as to who’s contacting them, and secured content in messaging.

Google says it will add a warning with its new encrypted emails, telling users “be careful when signing in to view this encrypted message. This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password.”

But as Malwarebytes suggested to Wired, “it’s almost as if someone at Google knew this was a bad idea and asked for a warning to be added. It's quite likely fraudsters will jump on the opportunity to craft phishing emails using this exact same template, even including the original warning that will be overlooked.”

And the acceleration of AI-fueled phishing attacks makes this more dangerous and likely to scale more quickly as well. This is the same reason you’re seeing warnings that email attacks can even seem to come from Google itself. And similarly, a new warning has hit Zoom users with a device take-over attack that seems to come from Zoom.

Polymorphic phishing, a form of AI mass customization that tweaks individual emails at scale to evade detection, is accelerating fast. “Polymorphic phishing emails have become highly sophisticated,” Security Week warns, “creating more personalized and evasive messages that result in higher attack success rates. Of all phishing emails we analyzed, 82% contained some form of AI usage, a 53% year-over-year increase.”

Remember, the exploitation of Gmail’s new encryption, per the various warnings now being issued, relies on phishing emails being sent out dressed up as Google’s encrypted email notifications, with a link. All of which is now ridiculously simple with AI.
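The warnings above describe the lure but not a check. The script below is an added example written for this page, not code from Google, Wired or Malwarebytes: a triage heuristic that flags a message which copies the quoted warning template but whose links or DKIM signer do not match what a genuine invitation would carry. Two things are assumptions and are marked as such in the code: that a genuine invitation links only to a google.com host, and that it arrives with dkim=pass for google.com in the receiving server’s Authentication-Results header. Both sample messages are constructed, using reserved .example domains.

```python
"""Triage for lookalike 'encrypted email' invitations (added example).

ASSUMPTIONS (verify against a genuine invitation in your own tenant):
- real invitation links land on a google.com host;
- the message carries dkim=pass header.d=google.com in
  Authentication-Results as stamped by your inbound MX.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

TRUSTED_LINK_HOSTS = {"google.com", "mail.google.com"}   # assumption
TRUSTED_DKIM_DOMAINS = {"google.com"}                     # assumption

# Phrases from the warning banner Google says it will add; a lure that
# copies the template (as Malwarebytes expects) reproduces them too.
TEMPLATE_PHRASES = ("encrypted message", "signing in to view", "identity provider")

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)
DKIM_RE = re.compile(r"dkim=pass[^;]*?header\.d=([\w.-]+)", re.I)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LINK_HOSTS)


def dkim_domains(msg):
    """Signing domains that passed DKIM, per the MX's Authentication-Results."""
    found = set()
    for hdr in msg.get_all("Authentication-Results", []):
        found.update(d.lower() for d in DKIM_RE.findall(str(hdr)))
    return found


def body_text(msg):
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() in ("text/plain", "text/html"))


def triage(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    body = body_text(msg)
    if sum(p in body.lower() for p in TEMPLATE_PHRASES) < 2:
        return "not-template", []
    reasons = []
    untrusted = sorted({host_of(u) for u in HREF_RE.findall(body)
                        if not is_trusted_host(host_of(u))})
    if untrusted:
        reasons.append("link host(s) outside allowlist: " + ", ".join(untrusted))
    if not dkim_domains(msg) & TRUSTED_DKIM_DOMAINS:
        reasons.append("no dkim=pass from a trusted domain")
    return ("suspicious" if reasons else "consistent-with-template"), reasons


# Constructed samples (not real mail). The lure keeps Google's warning
# text verbatim but links to, and is signed by, an attacker-run domain.
PHISH = """\
From: "Secure Mail" <noreply@mail-google-secure.example>
To: ceo@corp.example
Subject: You have received an encrypted message
Authentication-Results: mx.corp.example; dkim=pass header.d=mail-google-secure.example
Content-Type: text/html; charset="utf-8"

<p>Be careful when signing in to view this encrypted message. This message is
from an external sender and is encrypted. Make sure you trust the sender and
their identity provider before entering your username and password.</p>
<a href="https://mail-google-secure.example/view?id=123">Open encrypted message</a>
"""

LEGIT = """\
From: "Gmail" <noreply@google.com>
To: ceo@corp.example
Subject: You have received an encrypted message
Authentication-Results: mx.corp.example; dkim=pass header.d=google.com
Content-Type: text/html; charset="utf-8"

<p>Be careful when signing in to view this encrypted message. Make sure you
trust the sender and their identity provider before signing in.</p>
<a href="https://mail.google.com/mail/u/0/#guest">Open encrypted message</a>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, *triage(raw))
```

The template match alone is not a signal, since the real invitation and the copy read the same; the verdict comes from where the link goes and who signed the message, which is exactly what a mobile client hides from the reader.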

As the team warns, “AI scans publicly available data on the victim’s role, interests, and communication style to send a personalized and convincing message.” All of which means the lure around the encrypted email link can be fully personalized. If you’re in a new job or a new home, the secure document might pretend to link to that.

The enterprise email market is flying: “with more businesses and individuals relying on email as a primary means of communication, the demand for advanced email solutions has skyrocketed,” per a new industry report. But that growth is driven by the ease of deployment of cloud platforms, including Gmail, and by their openness.

Encrypting email content within an organization does make sense, as does the occasional restricted email sent between email platforms. But the idea that fully encrypted email becomes mainstream will not work with today’s platforms. And so, if you want fully encrypted comms, just use a different app.

Article information

Author: Arielle Torp