Latest news with #SenderPolicyFramework

Fintech sector faces mounting third-party security breach risks

Techday NZ, 22-05-2025

  • Business

SecurityScorecard has published new research indicating that almost 42% of data breaches impacting top fintech companies can be traced back to third-party vendors, with a further 12% linked to fourth-party exposures. The findings, drawn from an analysis of 250 leading fintech firms worldwide, highlight the systemic risks facing the financial sector's supply chain despite robust internal cybersecurity practices. The report, titled Defending the Financial Supply Chain: Strengths and Vulnerabilities in Top Fintech Companies, exposes a growing separation between strong internal controls and vulnerabilities introduced through external partners.

Fintech companies emerged as the industry with the strongest overall security posture, registering a median score of 90 in SecurityScorecard's assessment. More than half (55.6%) achieved an "A" rating. However, these scores did not fully shield the industry from cyber intrusions. According to the report, 18.4% of the analysed fintech companies experienced publicly reported breaches, and over a quarter of those (28.2%) suffered multiple incidents.

Technology products and services featured in 63.9% of third-party breaches, with file transfer software and cloud platforms identified as the primary points of compromise. Application security and DNS health deficiencies were noted as the most prevalent weaknesses within the sector. Nearly half of the firms (46.4%) scored lowest in application security assessments. These weaknesses included unsafe redirect chains, misconfigured storage, and missing Sender Policy Framework (SPF) records.

Ryan Sherstobitoff, Senior Vice President of SecurityScorecard's STRIKE Threat Research and Intelligence Unit, commented on the findings: "Fintech companies anchor global finance, but one exposed vendor can take down critical infrastructure. Third-party breaches aren't edge cases - they reveal structural risk. In fintech, that means operational outages across payment systems, digital asset platforms, and core financial infrastructure."

The report highlights that the threat emanating from an organisation's indirect partners - referred to as fourth-party suppliers - is now more than double the global average, making up 11.9% of incidents in the fintech sector. These risks underscore the complexity and depth of digital supply chains in financial technology.

In response to its analysis, the SecurityScorecard STRIKE team issued a series of recommendations for fintech companies to bolster their cybersecurity defences across the supply chain ecosystem. Among the recommendations is the need to strengthen oversight of both third- and fourth-party risks. The team advises that, "Fintech companies should tier vendors based on exposure and breach history, not just spend or business value. Disclosing downstream dependencies and requiring incident notification clauses in contracts can reduce cascading risk from fourth-party breaches."

Securing shared infrastructure and the technical tools that enable financial operations is also critical. The team states, "File transfer software, cloud storage platforms and customer communication tools were the most common vectors for third-party breaches. Fintechs must audit these integrations regularly and require partners to demonstrate secure implementation practices."

Another key area is the remediation of deficiencies in application security and Domain Name System (DNS) settings. According to the report, "Nearly half of fintechs scored lowest in application security. Unsafe redirect chains, misconfigured storage and missing SPF records were common. Remediating these foundational weaknesses should be a priority, starting with customer-facing assets."

The report also advises enforcing robust credential protection measures. It recommends, "Credential stuffing campaigns and typosquatting attacks impacted a majority of firms. Enforcing MFA, monitoring for reused credentials and taking down spoofed domains are essential to protect users and prevent cross-platform compromise."

Finally, the research suggests that companies which have experienced multiple breaches should be considered higher-risk and subject to extra scrutiny. The report notes, "Companies with multiple breaches accounted for the majority of total incidents. Vendors with prior breach history, especially those with known third-party exposures, should face enhanced scrutiny during onboarding and renewals."

The study encompassed a range of fintech segments, including firms specialising in payments, digital assets, neobanking, financial planning, and technology infrastructure. The companies involved were selected for their international presence, influence within the industry, and operational scale.

Gmail fraud: A new cyber fraud email which bypasses Google's security protocols; Know how it works and safeguard your money

Economic Times, 10-05-2025

Fraudsters bypassed Gmail's security using a DKIM replay attack, sending authentic-looking security alerts. These emails, genuinely generated by Google, directed users to a phishing site under the threat that their account data would be submitted to the government. Experts advise caution with links, enabling multi-factor authentication, and reporting suspicious emails to improve protection against such scams. Read below to know more about this fraud.

How does this psychological Gmail fraud work?

It seems that fraudsters managed to bypass security checks and trick Google's servers into sending Gmail users authentic-looking security alert emails. The worst part is that on a plain reading the email looks legitimate, and it was in fact sent from a genuine Google address. This fraud works on the assumption that you will not fact-check the email and, in fear of legal action, will hand over access to your money, photos and everything else to the fraudsters. Read below for the details of this fraud and the measures to take to save your money and your Google account.

As the screenshot of the fake email shows, it says that a legal subpoena has been served by the government on Google LLC and that, under this subpoena, your entire Google account contents (photos, emails, Maps data and so on) must be submitted to the government. Do notice that the fake email does not say the government is taking legal action against you; rather, it says the government wants Google to hand over your contents and data. This is the hook. If you took the hook, then comes the bait: the next paragraph of the email says you need to go to a linked website to either examine what data will be shared with the government or to protest, i.e. try to stop it. In reality this supposed website is not a genuine Google website at all; it is a phishing website hosted on a Google web-hosting domain on which anybody with basic computer knowledge can create a page. So this fact-check is the only thing standing between you and losing complete control of your financial accounts to the fraudsters.

If you look closely, it looks like a real email from Google, and notice how the email asks you to go to a "Google Support Case" website to take measures or protest. These big words are used in the email to make it look legitimate, as a lead developer of ENS and Ethereum Foundation alum pointed out on X (formerly Twitter). Also, if you read the fraud email again, you will notice a lot of unnecessary fake information like a Google Account ID, a support reference ID and so on, and it says that the legal subpoena has been served on Google LLC and not directly on you. Psychologically this creates a safe assurance in your mind that the legal action is not against you but against Google, which in turn was ordered to hand your data and contents over to the government.

Google has acknowledged that this fraud has happened and said it has rolled out protections against this abuse of its systems; it also encouraged users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns, as per a TOI report.

How did this fraud email bypass Google's Gmail protection system?

Wig, Co-Founder and CEO, Innefu Labs, says: 'The primary reason Gmail didn't flag the phishing email lies in the exploitation of a loophole in the DomainKeys Identified Mail (DKIM) system through a technique known as a DKIM replay attack. In this scenario, attackers captured a legitimate email originally generated by Google, complete with a valid DKIM signature, and replayed it to new recipients.' He adds: 'Because DKIM only validates that the content of the message and headers haven't been tampered with — not the actual source or intention of the sender — Gmail's filters interpreted the email as legitimate. Moreover, the email was sent from 'no-reply@', passed SPF, DKIM, and DMARC checks, and even appeared in the same thread as genuine Google security alerts, further reinforcing its apparent authenticity. This underscores a critical challenge in email security: authentication mechanisms like DKIM can verify the integrity of a message, but not always its trustworthiness.'

Sheetal R Bhardwaj, executive member of the Association of Certified Financial Crime Specialists (ACFCS), explains that the primary reason Gmail did not flag this phishing email as spam lies in the way the attack exploits Gmail's own infrastructure and authentication mechanisms, specifically DKIM (DomainKeys Identified Mail):

  • Legitimate sender and DKIM signature: The email was genuinely sent from Google's infrastructure (from a 'no-reply@' Google address, as the message header screenshot shows). DKIM is a cryptographic signature added by the signing domain; a receiver uses the public key that domain publishes in DNS to verify that the signed headers and body were not altered in transit. Since this email was signed by Google itself, it passed the DKIM check, the authentication results showing "pass" with Google's signing domain. Gmail's spam filters trust emails that pass DKIM, SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) checks, as these are strong indicators of legitimacy.

  • DKIM replay attack: The attackers used a technique known as a DKIM replay attack. They created a Google Account and an OAuth application whose name carried the phishing text, so that the alert Google generates for it would contain that text. When they granted their OAuth app access to their account, Google automatically sent a "Security Alert" email to the account, a legitimate email signed with Google's DKIM key. The attackers then forwarded this email to the victim using a custom SMTP relay (Jellyfish) and Namecheap's PrivateEmail infrastructure. Because forwarding leaves the signed headers and body untouched, the email retained its valid DKIM signature from Google, so Gmail saw it as a legitimate message and did not flag it as spam.

  • Lack of contextual analysis: While Gmail's spam filters are advanced, they rely heavily on authentication signals like DKIM, SPF and DMARC rather than on deep contextual analysis of the email's content or intent. In this case the email appeared to be a standard Google security alert, which Gmail treats as high-priority and trustworthy. The content itself raised no red flags because it was a real Google email, just repurposed maliciously.

  • Bypassing behavioral filters: Gmail's spam filters also look for suspicious patterns, such as emails from unknown senders or emails containing malicious links. However, since this email came from Google's own domain and did not contain overtly malicious content (the phishing link likely appeared in a follow-up step after redirection), it did not trigger Gmail's behavioral or content-based filters.

How should you protect yourself from this type of fraud?

Bhardwaj shares how, even if Gmail's filters missed it, users can still protect themselves:

  • Be cautious with all links, even if the sender appears trusted. DKIM only verifies that the message came from the domain, not that it is safe.
  • Hover over links before clicking. Check for odd domains, typos, or links that don't match the sender's domain.
  • Watch for urgency or emotional manipulation. Messages saying "your account is suspended" or "urgent action needed" are red flags.
  • Use Gmail's "Report Phishing" feature. This helps Google improve detection and also alerts others.
  • Enable multi-factor authentication (MFA) on financial and email accounts. Even if credentials are stolen, MFA can stop unauthorized access.
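The replay described above (a genuine Google-signed alert forwarded unchanged through a third-party relay) modelled in Python, as an added example that is not code from the article, from Google or from the researchers who analysed the campaign. It assumes an HMAC with a shared key in place of DKIM's RSA-SHA256 signature and a simplified relaxed canonicalisation; the domains, addresses, timestamps and message text are constructed, and the `replay_indicators` checks are this example's own suggestion, not a standard or Gmail's actual behaviour. It shows why DKIM and DMARC both pass on the forwarded copy, and that only a change to the signed content, an `x=` expiry tag, or checks outside the signature (envelope sender, signed To: versus actual recipient) tell the replay apart from the original delivery.

```python
import base64
import hashlib
import hmac

# Assumption (not from the article): an HMAC with a shared key stands in for the
# RSA-SHA256 signature a real DKIM signer makes with its private key.
SIGNER_KEY = b"stand-in-for-the-signing-domain-private-key"
SIGNING_DOMAIN = "google.example"            # constructed d= domain
SIGNED_HEADERS = ("from", "to", "subject", "date")

def _canon_header(name, value):
    # Simplified 'relaxed' canonicalisation: lower-case name, collapse whitespace.
    return f"{name.lower()}:{' '.join(value.split())}\r\n"

def _body_hash(body):
    # Simplified relaxed body canonicalisation: CRLF lines, one trailing CRLF.
    lines = [line.rstrip() for line in body.replace("\r\n", "\n").split("\n")]
    canon = "\r\n".join(lines).rstrip("\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def _parse_tags(signature):
    pairs = (p.split("=", 1) for p in signature.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def dkim_sign(headers, body, expires=None):
    """DKIM-Signature value over the h= headers and the body only. The SMTP
    envelope and any header a later relay adds are outside the signature."""
    tags = [("v", "1"), ("a", "hmac-sha256"), ("d", SIGNING_DOMAIN), ("s", "sel1"),
            ("h", ":".join(SIGNED_HEADERS)), ("bh", _body_hash(body))]
    if expires is not None:
        tags.append(("x", str(expires)))     # optional expiry, seconds since epoch
    unsigned = "; ".join(f"{k}={v}" for k, v in tags) + "; b="
    data = "".join(_canon_header(h, headers[h]) for h in SIGNED_HEADERS)
    data += _canon_header("dkim-signature", unsigned)
    mac = hmac.new(SIGNER_KEY, data.encode(), hashlib.sha256).digest()
    return unsigned + base64.b64encode(mac).decode()

def dkim_verify(headers, body, signature, now):
    """Plain DKIM check: covered headers and body intact, x= not passed."""
    tags = _parse_tags(signature)
    if tags.get("bh") != _body_hash(body):
        return "fail (body hash)"
    if "x" in tags and now > int(tags["x"]):
        return "fail (signature expired)"
    unsigned = signature[: signature.index("; b=") + 4]
    data = "".join(_canon_header(h, headers[h]) for h in tags["h"].split(":"))
    data += _canon_header("dkim-signature", unsigned)
    mac = base64.b64encode(hmac.new(SIGNER_KEY, data.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac.decode(), signature[len(unsigned):]):
        return "fail (signature)"
    return "pass"

def dmarc_pass(headers, signature, dkim_result):
    """DMARC passes when DKIM passes and the From: domain aligns with d=."""
    from_domain = headers["from"].rsplit("@", 1)[1].rstrip(">").lower()
    return dkim_result == "pass" and from_domain == _parse_tags(signature)["d"]

def replay_indicators(headers, envelope_from, envelope_rcpt, signature):
    """Checks layered on a DKIM pass (this example's assumption, not a standard):
    an envelope sender outside d= and a recipient the signed To: does not name."""
    findings = []
    if not envelope_from.lower().endswith("@" + _parse_tags(signature)["d"]):
        findings.append("envelope sender is outside the DKIM d= domain")
    if envelope_rcpt.lower() not in headers["to"].lower():
        findings.append("delivery recipient is not in the signed To: header")
    return findings

# Constructed messages, not the real ones. The lure text sits in the
# attacker-chosen OAuth app name that Google's genuine alert quotes back.
NOW = 1745316000                             # 22 Apr 2025 10:00 UTC
ALERT_HEADERS = {
    "from": "Google <no-reply@google.example>",
    "to": "attacker-mailbox@attacker.example",
    "subject": "Security alert",
    "date": "Tue, 22 Apr 2025 10:00:00 +0000",
}
ALERT_BODY = ("A new app was granted access to your Google Account.\n"
              "App name: Google LLC has been served a subpoena; review at <lure-url>\n")
SIGNATURE = dkim_sign(ALERT_HEADERS, ALERT_BODY, expires=NOW + 7 * 86400)

def run_scenario():
    # Step 1: Google signs the alert and delivers it to the attacker's own mailbox.
    direct = dkim_verify(ALERT_HEADERS, ALERT_BODY, SIGNATURE, NOW)
    direct_flags = replay_indicators(ALERT_HEADERS, "bounce@google.example",
                                     "attacker-mailbox@attacker.example", SIGNATURE)
    # Step 2: the attacker relays the identical bytes to the victim; the relay only
    # prepends an unsigned Received: header, so DKIM and DMARC still pass.
    relayed = dict(ALERT_HEADERS, received="from attacker-relay.example by mx.victim.example")
    replayed = dkim_verify(relayed, ALERT_BODY, SIGNATURE, NOW + 3600)
    return {
        "direct": direct, "direct_flags": direct_flags,
        "replayed": replayed, "replayed_dmarc": dmarc_pass(relayed, SIGNATURE, replayed),
        "replay_flags": replay_indicators(relayed, "bounce@attacker-relay.example",
                                          "victim@victim.example", SIGNATURE),
        # Editing covered content, or replaying after x=, does break the signature.
        "tampered": dkim_verify(relayed, ALERT_BODY + "extra line\n", SIGNATURE, NOW),
        "late": dkim_verify(relayed, ALERT_BODY, SIGNATURE, NOW + 30 * 86400),
    }

if __name__ == "__main__":
    print(run_scenario())
```

Running it prints the scenario dictionary: the relayed copy verifies exactly like the original because the signature is, by design, indifferent to who carried the bytes; the two replay indicators and the `x=` expiry are where a receiver gets any signal at all, which is why the experts quoted above say DKIM proves integrity, not trustworthiness.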
