Gmail follows a strict rule that doesn’t allow it’s users to have their first or the last name contain the term Gmail or Google. That is, while signing up for a new Gmail account the users cannot choose a first or last name that contains the term Gmail or Google. You can see this from the below snapshot.

This rule is implemented by Gmail for obvious reasons, because if the users are allowed to keep their first or the last name that contains the term Gmail or Google, then it is possible to easily impersonate the identity of Gmail (or Gmail Team) and engage themselves in phising or social engineering attacks on the innocent users. This can be done by simply choosing the first and last name with the following combinations.

First Name        Last Name

Gmail                       Team

Google                     Team

Gmail                       Password Assistance 

From the above snapshot we can see that, Gmail has made a good move in stopping the users from abusing it’s services. However this move isn’t just enough to prevent the malicious users from impersonating the Gmail’s identity. Because Gmail has a small vulnerability that can be exploited so that the users can still have their name contain the terms Gmail or Google. You may wonder how to do this. But it’s very simple.

1. Login to your Gmail account and click on Settings.

2. Select Accounts tab

3. Click on edit info

4. In the Name field, select the second radio button and enter the name of your choice. Click on Save Changes and you’re done!

Now, Gmail accepts any name even if it contains the term Google or Gmail. You can see from the below snapshot

Allowing the users to have their names contain the terms Gmail or Google is a serious vulnerability even though it doesn’t seem to be a major one. This is because a hacker or a malicious attacker can easily exploit this flaw and send phishing emails to other Gmail users asking for sensitive information such as their passwords. Most of the users don’t even hesitate to send their passwords since they believe that they are sending it to Gmail Team (or someone authorized). But in reality they are sending it to an attacker who uses these information to seek personal benefits.

So the bottomline is, if you get any emails that appears to have come from the Gmail Team or similar, don’t trust them! Anyone can send such emails to fool you and take away your personal details. Hope that Gmail will fix this vulnerability as soon as possible to avoid any disasters.

The do-it-yourself kits provide all the essential tools for launching phishing attacks – those that use spoofed emails and fraudulent websites to trick people into giving out personal financial data.

Phishing scams are on the up. Security company MessageLabs has intercepted an average of 250,000 phishing emails a month so far in 2004, compared to just 14 phishing-related emails back in August 2003.

According to anti-virus company Sophos, the DIY kits contain all the graphics, web code and text required to construct fake websites that look like legitimate online banking or shopping sites. They also include spamming software which would let you send out millions of phishing emails as bait for potential victims.

“Until now, phishing attacks have been largely the work of organised criminal gangs, however, the emergence of these ‘build your own phish’ kits mean that any old Tom, Dick or Harry can now mimic bona fide banking websites and convince customers to disclose sensitive information such as passwords, PIN numbers and account details,” said a spokesman for Sophos.

“There is plenty of profit to be made from phishing. By putting the necessary tools in the hands of amateurs, it’s likely that the number of attacks will continue to rise.”

Surfers that receive a suspicious email that claims to come from an online bank or e-commerce site should delete them and not click on any included links.