Scammer Groups Are Exploiting Gmail 'Dot Accounts' For Online Fraud (zdnet.com)
Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services. From a report: The trick is an old one and has been used in the past. It refers to Gmail's "dot accounts," a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. For example, Google considers john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com as the same Gmail address. Regular users have been using this feature for years to register free trial accounts at online services using the same email address, but spelled out in different ways.
In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places all last year. In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.
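The defensive counterpart to the trick described in the summary is to canonicalize an address before using it as a duplicate or velocity key. The following is an added example, not code from the Slashdot thread, from ZDNet, or from Agari's report; the function names, the GMAIL_DOMAINS set, the cluster threshold and the sample sign-ups are all my own constructions. It collapses Gmail dot variants and "+tag" sub-addresses onto one key, maps the googlemail.com alias onto gmail.com, and leaves other domains alone apart from case folding, since most providers do not ignore dots.

```python
"""Canonicalize e-mail addresses so Gmail 'dot' and '+tag' spellings collapse
onto one key before a duplicate / velocity check.

Added example for this thread; not from the article or Agari's report.
The sign-up list at the bottom is constructed for illustration.
"""
from collections import defaultdict

# Domains where Google ignores dots in the local part and strips "+tag".
# (Assumption for this example: only these two are treated as Gmail.)
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a canonical key for `address`.

    For Gmail-hosted addresses: lowercase, drop everything from the first
    '+', remove every dot in the local part, and map googlemail.com to
    gmail.com.  For any other domain only case is folded: most providers
    honour dots, so 'john.doe' and 'johndoe' may be different people there.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = addr.split("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]   # "+trial2" tag is ignored by Gmail
        local = local.replace(".", "")   # dots are ignored by Gmail
        domain = "gmail.com"             # googlemail.com is an alias
    return f"{local}@{domain}"


def group_by_canonical(addresses):
    """Map canonical key -> list of raw spellings that collapse onto it."""
    groups = defaultdict(list)
    for raw in addresses:
        groups[canonical_email(raw)].append(raw)
    return dict(groups)


def flag_clusters(addresses, threshold=3):
    """Return {canonical key: raw spellings} for keys reached by at least
    `threshold` distinct spellings.  In a sign-up or application pipeline
    this is the velocity signal: many 'different' e-mails, one inbox."""
    return {
        key: raws
        for key, raws in group_by_canonical(addresses).items()
        if len(set(raws)) >= threshold
    }


# Constructed sample: five spellings of one Gmail inbox (one via the
# googlemail alias) plus two addresses at a provider that honours dots.
SAMPLE_SIGNUPS = [
    "john.doe@gmail.com",
    "jo.hn.doe@gmail.com",
    "johndoe@gmail.com",
    "John.Doe+trial2@Gmail.com",
    "j.o.h.n.d.o.e@googlemail.com",
    "john.doe@example.org",
    "johndoe@example.org",
]

if __name__ == "__main__":
    for key, raws in flag_clusters(SAMPLE_SIGNUPS).items():
        print(f"{key}: {len(raws)} spellings -> {raws}")
```

Run as a script it reports the one Gmail cluster and ignores the two example.org addresses. Treat the collapsed key as a deduplication and velocity signal, not as proof that two applications come from one person: a commenter further down this thread reports an older account where john.doe and johndoe are held by different people, and the real control, as several comments point out, is identity verification rather than anything derived from the e-mail string.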
Wait until they figure out the plus trick!
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
so that commercial companies like Google can ignore them, to achieve "a competitive advantage."
Is there a story here, and if so what is it? That all you need to apply for a credit card is an email address?
This has nothing to do with gmail. Scammers can create any number of free e-mail accounts at many different webmail sites, or in fact set up their own e-mail server. The fact that they are using variations of the same e-mail account doesn't really matter. That's like saying a robber used 2 dimes and a nickel to park in order to go in and rob a store as opposed to using a single quarter, or not paying to park at all. DAMN those nickels and dimes!!!!
Why the heck are these companies assuming that just because the email is different it is a different person?
Anyone could just own a domain and setup an unlimited number of aliases to a single address without exploiting any stupid weirdness google created.
How is this any different from simply making email addresses with an incrementing number after it?
All this tells me is that apparently all you need to get a credit card is an email address.
Seems bizarre to blame google for that.
make it stop
"Customer": Hi, I am "Customer" and here are some facts about "Customer".
Credit card provider: Yes, those facts seem true. You must be "Customer". I have never met you but here is a $5000 line of credit.
Gave you a better click-bait title. :)
p.s. We (the entire world) need to bring back to the death penalty for fraudsters and scammers. Or at least cut off their fingers and external genitalia, and then brand their foreheads with their crime.
So what? It's a slightly easier way of getting additional email addresses.
If your business model depends on my not having more than one email, well ... not sure why that's my problem.
I had no idea it was so easy to be a "cyber criminal".
The article has the wrong link. The correct link to the original is https://jameshfisher.com/2018/...
Why does Slashdot do this all the time? Include links to dumb shallow copies of the original story that add nothing but instead take away necessary technical content? The article linked to in this case failed to actually explain how the scam works!
import com.opensymphony.xwork2.validator.ValidationException;
import com.opensymphony.xwork2.validator.validators.ValidatorSupport;

public class DuplicateEmailValidator extends ValidatorSupport {
    private final UserService userService = new UserService();

    public void validate(Object object) throws ValidationException {
        String emailAddress = (String) getFieldValue("email", object);
        if (emailAddress == null) {
            return;
        }
        String lower = emailAddress.trim().toLowerCase();
        // Match only the Gmail domain itself, not e.g. "notgmail.com".
        if (lower.endsWith("@gmail.com")) {
            String addy = lower.substring(0, lower.lastIndexOf('@'));
            // Drop a "+tag" suffix, then every dot: Gmail ignores both.
            String nameStripped = addy.replaceAll("\\+.*$", "").replace(".", "");
            boolean exists = userService.isGmailRegistered(nameStripped);
            if (exists) {
                addFieldError("email", object);
            }
        }
    }
}
PS - How silly is it that slashdot/slashcode has stopped being updated for about 16 years now? Imagine a group of people sitting around and wondering why the engagement continues to decline oblivious or otherwise unworried that their website has failed to keep current or adopt basic convenience features. Case in point, pasting a code snippet and dealing with the lameness filters.
I don't see any problem here. If you can apply for credit using only an email address then it's the company's own fault. You don't give credit out to just an email address. And for registering free trial accounts, what's the problem here? You give out trials, so what if somebody gets many trials? Who cares?
They know they may not be able to complete a thorough verification before the impulse to borrow passes. So they rush to lend. They know they make mistakes and lend to fraudsters. But to them it is cost of doing business, net profit from impulse lending is so great they do this knowingly.
Then, the fraudulently lent loans get written off, sold for pennies on the dollar to the debt collectors. These people come after you, get default judgements, demanding that you prove you did not borrow the money. Even if you do to one debt collector, he sells the loan to the next debt collector and it goes on.
Small things might help here:
Make a law, "Lenders can not sell defaulted loans without fully proving the identity of the borrower.".
Get a couple of precedent judgements, "if the bank sold a loan based on stolen identity, they are liable for slander and all damage caused to the person whose identity was compromised".
Once you make the banks eat all the losses, and prevent damage to people whose identity is compromised, they will do the basic necessary things to verify identity.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
If you find the real article that started this, you will see that the true problem is institutions not requiring authentication. Clicking a link via email proves the email exists, but doesn't prove who has access to either the email, or the institutions' accounts.
This problem exists outside of catch-all email addresses. Some people have multiple email addresses already, which can be phished. Then snail mail. Then social media.
This report is no different than saying, "Scammer Groups are Using Multiple Email Accounts for Online Fraud!". The gmail dot feature makes it a tiny bit easier for them, but it's no different than using multiple fake email accounts. This is non-news.
Who on earth thought it was a good idea to use an email address as a unique identifier for government programs? That's what Social Security Numbers are for.
Support Right To Repair Legislation.
I always log in to a firstname.lastname@gmail.com but if I try to test send an email to firstnamelastname@gmail.com then I do not receive the email. So my point is in basic testing this dotted theory does not work. Also if I try to log in to the non dotted email it does not let me sign in. I assume it's this way for everyone?
"Regular users have been using this feature for years to to register free trial accounts at online services using the same email address, but spelled out in different ways."
vs
"one group in particular use [sic] 56 'dotted' variations of a Gmail address to...submit 48 credit card applications...resulting in the approval of at least $65,000 in fraudulent credit."
I'm not sure I see the difference. Most free trial accounts are limited to one/person...
I live in Belgium. If you ask for a credit, your ID will be verified. Also a credit check at the national bank. If there are too many loans, no credit. If there is a negative score, i.e. not paid for one for three months, (removed after one year) no credit. If you have a fake ID, no credit.
If you get a credit, it will be added to the national bank.
Only banks and the like have access to data at the National Bank (NBB) and cannot, e.g., see the names of other companies.
So having 20 email addresses or one does not make a difference. Yes, fraud is always possible.
Don't fight for your country, if your country does not fight for you.
> Google considers john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com as the same Gmail address.
Not always. My friend has john.doe, someone else has johndoe. Apparently he registered john.doe before they were doing "dot doesn't matter".
Years before Google itself even existed, there was this site called iwin, which did the standard prizes-for-points thing. But you got points for new member referrals. A free webhost redirected anything@subdomain.host.com to your primary e-mail. Being an unethical young teen wanting to impress people in my AOL chat with my mad VB skillz, naturally I wrote a program to refer acct00000@, acct00001@, etc, then automatically open the e-mail, click the link, and submit the signup form.
Since no further verification was done, it was like you signed up thousands of people a day. Many people received many nice electronics before the hole got closed.
1 e-mail = 1 person has been foolhardy since the dialup days.
Some of us from the beta remember that it didn't use to be ignored. It was a change that allowed that, and caused other problems as well.
I'm one of those that gets every message intended for "John Doe" that's misdirected (John Doe 18 that doesn't exist, yep I get his email). I'm a "root" for my name so I get all the junk attached to that name. I really wish Google would fix THAT problem.
This has been a problem for a decade. StopForumSpam has had support for this since it was first discovered, normalizing for detection. Google should be kicked for this.