Someone's exploiting Google's account recovery system to send spam
I've written before that spammers will eventually exploit any way of sending some user-supplied text to arbitrary email addresses. Today I got a beautiful example of this, where someone appears to be exploiting Google's process of managing account recovery options to send spam. Yes, really.
(I can't be entirely sure of what's going on because the entire message is in Chinese and I'm feeding it through Google Translate in order to understand it.)
The email was send to a pseudo-address that's never actually
existed, so I can be confident there's nothing
legitimate about the whole episode. However, it's a real Google
message, about how '[the] recovery email address for your account
was changed' (based on the translation). The account in question
email@example.com, which seems very clearly to be
just made up by the spammer for this purpose. Almost all of the
text of the message is the boiler-plate Google notifications you
get here (albeit in Chinese), but the spammer has managed to somehow
get in one line of their own text (perhaps by setting it as the
'name' of this GMail account).
I assume how this works is roughly that the spammer creates a bunch of random Google accounts, sets the 'name' or whatever appropriately, and then changes the recovery email address(es) to their targets. As you'd sort of want, Google automatically sends out a security notification, thereby transmitting the spammer's message for them. Apart from all of the work that's required to set this up, this seems rather neat and creative.
(I'm merely guessing that the spammer is exploiting the account name to get their text in; it could be something else. I don't have any experience with the English version of this Google message to give me clues.)
It also makes a good illustration of the lengths that spammers are prepared to go to and how hard it is to stop them, especially without impacting ordinary users. Stopping all user supplied text from leaking to email addresses under all circumstances is a very tall job; as with other security things, it's easy to add an innocent looking feature that opens up a hole or makes a previously harmless situation suddenly dangerous. And like other security issues, some of the obvious countermeasures are user-hostile. If Google doesn't include the user-supplied name in its security notification email, it forces people to try to remember what 'firstname.lastname@example.org' is, as opposed to giving them a hint.