Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services.
The trick is an old one that has been abused before. It relies on Gmail's "dot accounts": Gmail ignores dot characters in the username part of an address, regardless of where they are placed.
For example, Google considers email@example.com, firstname.lastname@example.org, and email@example.com as the same Gmail address.
Regular users have been using this feature for years to register free trial accounts at online services using the same email address, but spelled out in different ways.
More recently, a scammer group learned to use dotted Gmail accounts to trick Netflix account owners into adding card details to scammers' accounts -- registered with the user's dotted Gmail address.
The legitimate "update your card details" Netflix email would arrive in the real user's inbox, and the user would then enter their card details into the scammer's account without realizing it.
This trick works because "dotted" address alternatives are a Gmail-specific feature, not found with many other email providers. Online websites like Netflix, Amazon, eBay, and government portals treat each dotted email address as a different account, which provides a breeding ground for all sorts of problems.
In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places throughout last year.
In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to:
- Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
- Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
- File 13 fraudulent tax returns with an online tax filing service
- Submit 12 change of address requests with the US Postal Service
- Submit 11 fraudulent Social Security benefit applications
- Apply for unemployment benefits under nine identities in a large US state
- Submit applications for FEMA disaster assistance under three identities
"We've seen multiple groups use the technique, but the article is just an example from one of those groups," Crane Hassold, Senior Director of Threat Research at Agari told ZDNet today.
"In essence, this allows cybercriminals to centralize their fraudulent activity within a single Gmail account, rather than having to monitor a bunch of different accounts, increasing the efficiency of their operations," Hassold said.
Gmail address "features" are ripe for abuse
But besides the dot character, Gmail has two other features that scammers could abuse in similar ways in the future.
The first is the plus sign. For example, a Gmail address like firstname.lastname@example.org will always redirect emails back to email@example.com.
The second is the legacy @googlemail.com domain. All emails addressed to firstname.lastname@example.org will always arrive at email@example.com.
Hassold told ZDNet that neither of these two additional techniques has been spotted in the wild just yet. However, they are just as effective as the "dotted" Gmail addresses and could provide scammers with even more alternative email addresses to use for abuse, fraud, or to gain access to unwarranted benefits.
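The three address variations described in this article (ignored dots, the plus-sign suffix, and the legacy googlemail.com domain) can be collapsed on the receiving site's side so that applications are keyed on the mailbox they actually reach. The example below is added here and is not code from Agari or from any of the services named; the applicant records are constructed sample data, and the canonicalization rules are the ones the article states rather than a full specification of Gmail's behaviour.

```python
from collections import defaultdict

# Domains whose mailboxes Gmail delivers interchangeably (from the article:
# gmail.com and the legacy googlemail.com domain).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_gmail(address: str) -> str:
    """Return the canonical mailbox behind a Gmail address.

    Gmail ignores dots in the local part, ignores everything after a '+',
    and delivers @googlemail.com mail to the same @gmail.com mailbox.
    Other providers generally treat such variants as distinct, so
    non-Gmail addresses are only lowercased.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = addr.split("@")
    if domain not in GMAIL_DOMAINS:
        return addr
    local = local.split("+", 1)[0]   # drop the +tag suffix
    local = local.replace(".", "")   # drop every dot
    return f"{local}@gmail.com"

def group_by_mailbox(applications):
    """Group (applicant_id, email) records by the mailbox they really reach."""
    groups = defaultdict(list)
    for applicant, email in applications:
        groups[canonical_gmail(email)].append(applicant)
    return dict(groups)

def flag_suspicious(applications, threshold=3):
    """Return mailboxes behind at least `threshold` distinct applicant ids."""
    return {mb: ids for mb, ids in group_by_mailbox(applications).items()
            if len(set(ids)) >= threshold}

# Constructed sample (not from the report): five applications a site would
# treat as five accounts, all routed to one Gmail inbox, plus two unrelated.
SAMPLE = [
    ("A-1001", "jane.doe@gmail.com"),
    ("A-1002", "j.a.n.e.doe@gmail.com"),
    ("A-1003", "janedoe+benefits@gmail.com"),
    ("A-1004", "Jane.Doe@googlemail.com"),
    ("A-1005", "JANEDOE@gmail.com"),
    ("A-2001", "jane.doe@example.net"),
    ("A-2002", "janedoe@example.net"),
]
if __name__ == "__main__":
    print(flag_suspicious(SAMPLE))
```

Running it reports the single Gmail mailbox behind the five "different" applicant ids, while the two example.net addresses stay separate because that provider is not known to collapse them.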