Slashdot Mirror


Scammer Groups Are Exploiting Gmail 'Dot Accounts' For Online Fraud (zdnet.com)

Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services. From a report: The trick is an old one and has been used in the past. It refers to Gmail's "dot accounts," a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. For example, Google considers john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com as the same Gmail address. Regular users have been using this feature for years to register free trial accounts at online services using the same email address, but spelled out in different ways.

In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places all last year. In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.
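The defensive counterpart to the abuse described above, as an added example that is not part of the article or of Agari's report: canonicalise addresses so that every dotted variant collapses to one key, then flag sign-ups that share a key. The gmail.com/googlemail.com handling is my assumption about where the rule applies, and the sample applications are constructed.

```python
from collections import defaultdict

# Assumption (not from the article): apply the dot rule only to Google's
# own domains; googlemail.com is Gmail's alias domain and folds to gmail.com.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a comparison key for an email address.

    Gmail ignores dots in the local part and treats it case-insensitively,
    so 'J.ohn.Doe@gmail.com' and 'johndoe@GMAIL.com' yield the same key.
    For other domains only the domain is lower-cased: RFC 5321 keeps the
    local part case-sensitive and its dots significant, so it is left alone.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_dot_account_clusters(applications, threshold=2):
    """Group (raw_email, application_id) pairs by canonical email and return
    the clusters with at least `threshold` members: the signature of one
    actor filing many applications under dotted variants of one address."""
    clusters = defaultdict(list)
    for raw_email, app_id in applications:
        clusters[canonical_email(raw_email)].append(app_id)
    return {key: ids for key, ids in clusters.items() if len(ids) >= threshold}


# Constructed sample sign-ups for demonstration; not real data.
SAMPLE_APPLICATIONS = [
    ("john.doe@gmail.com", "APP-001"),
    ("jo.hn.doe@gmail.com", "APP-002"),
    ("johndoe@GMAIL.com", "APP-003"),
    ("j.o.h.n.d.o.e@googlemail.com", "APP-004"),
    ("jane.roe@example.org", "APP-005"),
    ("janeroe@example.org", "APP-006"),  # not Gmail: a distinct address
]

if __name__ == "__main__":
    for key, ids in find_dot_account_clusters(SAMPLE_APPLICATIONS).items():
        print(f"{key}: {len(ids)} applications -> {ids}")
```

Running the same canonicalisation at account creation (and rejecting or reviewing a sign-up whose key already exists) closes the trial-abuse variant as well as the application-fraud one.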


  1. Wrong link by ljw1004 · Score: 3, Informative

    The article has the wrong link. The correct link to the original is https://jameshfisher.com/2018/...

    Why does Slashdot do this all the time? Include links to dumb shallow copies of the original story that add nothing but instead take away necessary technical content? The article linked to in this case failed to actually explain how the scam works!

  2. Re:And that's why we have standards by Zocalo · Score: 2, Informative

    Yes, there is. RFC5322 defines what constitutes an email address, amongst other things. Arguably though, all Google is doing is automatically creating every single possible RFC5322-compliant alias of a given email address that you can create by inserting full stops in the bit before the @ sign and assigning them all to the same user; how they do that (almost certainly by stripping out the full stops from the LHS) isn't any concern of RFC5322. They're not actually creating any invalid email addresses or anything; just restricting the number of possible unique email addresses they can assign on their domain.

    --
    UNIX? They're not even circumcised! Savages!