Crooks use "dotted" Gmail addresses to file fraudulent unemployment claims, file fake tax returns and circumvent the trial periods of online services.
Cyber-criminal groups are abusing a Gmail feature to file fraudulent unemployment claims, file fake tax returns and bypass the trial periods of online services. The feature is Gmail's "dot addresses": Gmail ignores dot characters in the username part of an address, regardless of where they are placed, so every dotted spelling of a username delivers to the same mailbox.
For example, Google treats john.doe@gmail.com, jo.hn.doe@gmail.com and johndoe@gmail.com as the same Gmail address. For years, regular users have used this feature to register multiple free trial accounts at online services with what is effectively the same email address, spelled in different ways.
A scammer group recently learned to use dotted Gmail addresses to trick Netflix users into adding their card details to accounts the scammers had registered with a dotted variant of the victim's own Gmail address.
The Netflix email would arrive in the real user's inbox, and the user would then update the scammer's account without realizing it. The trick works because dotted address variants are a Gmail-specific feature that most online services do not recognize.
Websites such as Netflix, Amazon and eBay, as well as government portals, treat each dotted spelling of a Gmail address as a distinct account, which is the root of all these problems.
The team at email security firm Agari says in a report published today that criminal groups have been using dotted Gmail addresses in many more places over the past year. In one example included in the report, Agari says a single group used 56 dotted variations of one Gmail address to:
- Submit 48 credit card applications to four US financial institutions, resulting in at least $65,000 in fraudulently approved credit
- Register 14 trial accounts with a commercial sales-leads service to collect targeting data for BEC attacks
- File 13 fraudulent tax returns with an online tax filing service
- Submit 12 change-of-address requests to the US Postal Service
- Submit 11 fraudulent applications for Social Security benefits
- Apply for unemployment benefits under nine identities in a large US state
- Submit applications for FEMA disaster assistance under three identities
"In essence, this allows cybercriminals to centralize their fraudulent activity in a single Gmail account instead of monitoring a bunch of different accounts, increasing the efficiency of their operations," said Hassold.
But in addition to the dot character, Gmail has two other features that scammers may abuse in the future. The first is the plus sign: Gmail ignores everything from a "+" to the end of the username, so an address such as username+anything@gmail.com always delivers to username@gmail.com.
The second is the legacy @googlemail.com domain. All emails sent to username@googlemail.com are delivered to username@gmail.com.
Neither of these two techniques has yet been seen in the wild. They are just as effective as dotted Gmail addresses, however, and could give scammers even more alternative email addresses to abuse for fraud or for obtaining benefits they are not entitled to.
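The practical defence for any service that keys accounts on an email address is to canonicalize Gmail addresses before checking for duplicates: strip dots and "+tags" from the username and map googlemail.com to gmail.com, but leave other domains alone, since RFC 5321 makes the local part opaque and dots may be significant there. The following is an added example written for this page (not code from Agari, Google or any of the services named above); it normalizes addresses, enumerates the dotted spellings of a username, and groups a constructed list of sign-ups by the mailbox they actually reach. The function and variable names are this example's own.

```python
import itertools

# Domains Google delivers to the same mailbox (googlemail.com is the legacy alias).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return the canonical mailbox for an address.

    For Gmail: lowercase, drop everything after '+', drop all dots in the
    username, and map googlemail.com to gmail.com.  For any other domain the
    address is only lowercased: dots and plus signs may be significant there,
    and merging them could wrongly conflate two different people's accounts.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def count_dotted_variants(local: str) -> int:
    """A username with n characters has n-1 gaps, each optionally dotted."""
    return 2 ** (len(local) - 1) if local else 0


def dotted_variants(local: str):
    """Yield every dotted spelling of a username (including the undotted one).

    This is the attacker's view: each spelling is a 'new' account to a service
    that does not canonicalize, yet all of them land in one Gmail inbox.
    """
    if not local:
        return
    for mask in itertools.product((False, True), repeat=len(local) - 1):
        out = local[0]
        for ch, dot in zip(local[1:], mask):
            out += ("." + ch) if dot else ch
        yield out


def find_duplicate_signups(addresses):
    """Group sign-up addresses by canonical mailbox; return groups of size > 1.

    This is the defender's check: run it on new registrations (or a trial-
    abuse or benefits-application queue) to surface one mailbox posing as many.
    """
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_gmail(addr), []).append(addr)
    return {mbox: seen for mbox, seen in groups.items() if len(seen) > 1}


# Constructed sample sign-ups for the demonstration (not real data).
SAMPLE_SIGNUPS = [
    "johndoe@gmail.com",
    "John.Doe@gmail.com",
    "j.o.h.n.doe+trial2@googlemail.com",
    "jo.hn.doe@gmail.com",
    "john.doe@example.org",    # non-Gmail: dots kept, stays distinct
    "johndoe@example.org",
    "alice@gmail.com",
]

if __name__ == "__main__":
    print("johndoe has", count_dotted_variants("johndoe"), "dotted spellings")
    for mbox, seen in find_duplicate_signups(SAMPLE_SIGNUPS).items():
        print(f"{mbox}: {len(seen)} sign-ups -> {seen}")
```

Note that a seven-character username such as "johndoe" already has 64 dotted spellings, so the 56 variants Agari observed for a single address are well within what one short Gmail username offers before plus-tags or the googlemail.com alias are even considered.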