CSO | August 14th, 2014
Google has made an important change to its Gmail spam filter that is expected to make targeted phishing attacks more difficult while allowing for a more global webmail service.
The Internet company recently took a step toward more global email by accepting non-Latin and accented Latin characters approved by the Internet Engineering Task Force.
The change means Gmail users can send email to, and receive email from, people who use the characters in addresses.
Such changes, which have not been made by the majority of webmail providers, are important because less than half the world’s population have native languages that use the Latin alphabet required by many email services.
However, Google’s support for non-Latin characters could also make it much easier for phishers to spoof people’s email addresses by using characters so close to the Latin alphabet that most people wouldn’t catch the difference.
“It is impossible even for the trained eye to tell the difference between the two addresses,” Bogdan Botezatu, senior e-threat analyst for Bitdefender, said.
As a result, a cybercriminal or hacker working for a nation state could easily use email addresses that recipients would believe are from trusted sources.
On Tuesday, a week after Google made its first announcement, the company said it would try to stay one step ahead of spammers and phishers by rejecting email with addresses that use suspicious character combinations.
Google is basing its determination of deceptive addresses on specifications set by the Unicode Consortium, which establishes computing industry standards for the consistent representation and handling of text expressed in most of the world’s writing systems.
“The important thing in the announcement is that Gmail will protect users against an attack that is not even seen in the wild yet – the Unicode homograph attack against the e-mail username itself,” Botezatu said.
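To make the idea of "suspicious character combinations" concrete, here is an added example (written for this page, not Google's filter or any Bitdefender code) of the kind of check the Unicode Consortium's UTS #39 describes: it rejects a local part that mixes scripts, and flags a single-script local part made entirely of Cyrillic letters that look like Latin ones. The script ranges and the lookalike table are constructed, abbreviated stand-ins for the real Unicode Script property and confusables data.

```python
import unicodedata

# Constructed, abbreviated script table keyed on code-point ranges. A real
# implementation would use the Unicode Script property (UAX #24) instead.
SCRIPT_RANGES = [
    (0x0041, 0x024F, "Latin"),     # Basic Latin letters through Latin Extended-B
    (0x0370, 0x03FF, "Greek"),
    (0x0400, 0x052F, "Cyrillic"),  # Cyrillic plus Cyrillic Supplement
    (0x0590, 0x05FF, "Hebrew"),
    (0x0600, 0x06FF, "Arabic"),
    (0x4E00, 0x9FFF, "Han"),
]

# Constructed subset of the UTS #39 confusables data: Cyrillic letters whose
# glyphs are indistinguishable from Latin letters in common fonts.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s",
}


def script_of(ch):
    """Return the (approximate) script name of one character."""
    if not ch.isalpha():
        return "Common"          # digits, '.', '_', '-' belong to no script
    cp = ord(ch)
    for lo, hi, name in SCRIPT_RANGES:
        if lo <= cp <= hi:
            return name
    return "Unknown"


def letter_scripts(text):
    """Set of scripts used by the letters in text (Common excluded)."""
    return {script_of(c) for c in text} - {"Common"}


def latin_skeleton(text):
    """Map Cyrillic lookalikes to Latin; other characters pass through."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in text)


def check_local_part(local):
    """Return (accept, reason) for one address local part."""
    # NFKC folds compatibility forms (e.g. fullwidth letters) before the
    # script check so they cannot be used to slip past it.
    local = unicodedata.normalize("NFKC", local)
    scripts = letter_scripts(local)
    if len(scripts) > 1:
        return False, "mixed scripts: " + ", ".join(sorted(scripts))
    letters = [c for c in local if c.isalpha()]
    if scripts == {"Cyrillic"} and all(c in CYRILLIC_LOOKALIKES for c in letters):
        return False, "whole-script confusable, reads as Latin '%s'" % latin_skeleton(local)
    return True, "ok"


def check_address(address):
    """Split off the domain and apply the local-part check."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return False, "malformed address"
    return check_local_part(local)


if __name__ == "__main__":
    # Constructed sample addresses: plain Latin, Latin with one Cyrillic 'а',
    # an all-Cyrillic lookalike string, and an ordinary Cyrillic name.
    for addr in ["alice@example.com", "p\u0430ypal@example.com",
                 "\u0441\u043e\u0441\u043e@example.com", "пример@example.com"]:
        print(addr, check_address(addr))
```

The second sample is the case the article describes: a single Cyrillic letter dropped into an otherwise Latin name, invisible to the eye but caught as a mixed-script local part. The last sample shows that a genuinely non-Latin address is still accepted, which is the whole point of the change.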
Other webmail providers are likely to watch how well Google does in globalizing Gmail before taking similar steps, Cameron Camp, security researcher at ESET, said.
“I believe other providers will wait and see how successful this effort is and, if it is a success, may look into more language localization themselves,” Camp said.
Google’s anti-spam effort is not expected to have any impact on the overall volume of spam flowing on the Internet.
“As long as the cost of sending spam mail remains nearly nil, spammers will continue to send this junk,” Jean Taggart, senior security researcher at Malwarebytes, said. “It’s a numbers game that works in their favor through the sheer volume of emails that they can send.”
The next big step in reducing spam would be the introduction of technology that scans messages before they are sent, rejecting those from spammers.
However, such technology would need to have a “zero-false-positive rate,” Botezatu said.
“Otherwise, it (an Internet service provider) might deny the sending of a critical legit message that is mislabeled as spam,” he said.