Slashdot Mirror

← Back to Stories (view on slashdot.org)

Scammer Groups Are Exploiting Gmail 'Dot Accounts' For Online Fraud (zdnet.com)

Posted by msmash on from the security-woes dept.

Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services. From a report: The trick is an old one and has been used in the past. It refers to Gmail's "dot accounts," a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. For example, Google considers john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com as the same Gmail address. Regular users have been using this feature for years to to register free trial accounts at online services using the same email address, but spelled out in different ways.

In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places all last year. In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.

4 of 117 comments (clear)

  1. Plus (+) trick by MightyYar · · Score: 2, Insightful

    Wait until they figure out the plus trick!

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    1. Re:Plus (+) trick by MightyYar · · Score: 3, Insightful

      How is Google violating that standard? There is nothing in there that says you can't run post-delivery forwarding rules, or that users are limited to one email address each.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  2. Root cause of fraud by 140Mandak262Jamuna · · Score: 5, Insightful
    US lending institutions consider the ability to lend to people at an instant to fund impulse purchases a big money maker.

    They know they may not be able to complete a thorough verification before the impulse to borrow passes. So they rush to lend. They know they make mistakes and lend to fraudsters. But to them it is cost of doing business, net profit from impulse lending is so great they do this knowingly.

    Then, the fraudulently lent loans get written off, sold for pennies for a dollar to the debt collectors. These people come after you, get default judgements, demanding that you prove you did not borrow the money. Even if you do to one debt collector, he sells the loan to the next debt collector and it goes on.

    Small things might help here:

    Make a law, "Lenders can not sell defaulted loans without fully proving the identity of the borrower.".

    Get a couple of precedent judgement, "if the bank sold a loan based on stolen identity, they are liable for slander and all damage caused to the person whose identity was compromised".

    Once you make the banks eat all the losses, and prevent damage to people whose identity is compromised, they will do the basic necessary things to verify identity.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. Re:Wrong link by ledow · · Score: 3, Insightful

    Guarantee you that the submitter of the story benefits from that intermediate link, and that the Slashdot team know that.

    Though, the "Slashdot effect" is literally non-existent nowadays, and this is just a tiny niche website now.