Update: Republished on April 28 with new report into AI fueled email attacks.
As an interesting week for Google comes to an end, with Gmail under attack from hackers and Chrome under attack from legislators, a new warning has been issued for its 3 billion users. This was entirely predictable — and you need to take it seriously.
As I’ve said before, the flurry of excited headlines that followed Google’s announcement that it was bringing end-to-end encryption to Gmail were premature. Putting aside the fact this isn’t really end-to-end encryption, because a user’s organization controls the security and not their own client or “end,” there are other serious concerns.
End-to-end encryption doesn’t work in email. By its nature, it’s an open architecture. That’s why it’s one of the few data types excluded from Apple’s end-to-end encrypted enclave under its Advanced Data Protection. Platforms such as Proton provide a walled garden to address this and password protect emails sent outside.
Google can end-to-end encrypt emails within an organization or when it’s Gmail to Gmail as it controls both ends, albeit that’s still not strictly end-to-end encryption per the point above. But when the recipient “is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail. The recipient can then use a guest Google Workspace account to securely view and reply to the email.”
Wired correctly warns that “the fear is that scammers will take advantage of this new and more secure communication mechanism by creating fake copies of these invitations that contain malicious links, and prompt targets to enter their login credentials for their email, single sign-on services, or other accounts.”
The other issue is that end-to-end encrypting emails breaks other Gmail features. Its new AI-powered relevancy search, for example, can’t operate on encrypted emails, so they will be missing from any results. As Google confirmed to me, its cloud AI processing rightly can’t see fully encrypted user content.
All these problems stem from the same cause. Email needs a rethink. It’s an archaic platform reliant on a past-due architecture. It’s similar to SMS, an open standard that worked for decades but then ran out of steam. Users now demand less spam and scams, better authentication as to who’s contacting them, and secured content in messaging.
Google says it will add a warning with its new encrypted emails, telling users “be careful when signing in to view this encrypted message. This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password.”
But as MalwareBytes suggested to Wired, “it’s almost as if someone at Google knew this was a bad idea and asked for a warning to be added. It’s quite likely fraudsters will jump on the opportunity to craft phishing emails using this exact same template, even including the original warning that will be overlooked.”
And the acceleration of AI-fueled phishing attacks makes this more dangerous and likely to scale more quickly as well. This is the same reason you’re seeing warnings that email attacks can even seem to come from Google itself. And similarly, a new warning has hit Zoom users with a device take-over attack that seems to come from Zoom.
Polymorphic phishing, a form of AI mass customization to tweak individual emails at scale to evade detection is accelerating fast. “Polymorphic phishing emails have become highly sophisticated,” Security Week warns, “creating more personalized and evasive messages that result in higher attack success rates. Of all phishing emails we analyzed, 82% contained some form of AI usage, a 53% year-over-year increase.”
Remember, the exploitation of Gmail’s new encryption per the various warning now being issued relies on phishing emails being sent out, dressed up as Google’s encrypted email notifications with a link. All of which is now ridiculously simply with AI.
As the team warns, “AI scans publicly available data on the victim’s role, interests, and communication style to send a personalized and convincing message.” All of which means the lure around the encrypted email link can be fully personalized. If you’re in a new job or a new home, the secure document might pretend to link to that.
The enterprise email market is flying, “with more businesses and individuals relying on email as a primary means of communication, the demand for advanced email solutions has skyrocketed,” per a new industry report. But that growth is driven by the easy of deployment of cloud platforms — including Gmail — and its openness.
Encrypting email content within an organization does make sense, as does the occasional restricted email sent between email platforms. But the idea that fully encrypted email becomes mainstream will not work with today’s platforms. And so, if you want fully encrypted comms, just use a different app.
Read the full article here
