Slashdot Mirror


Scammer Groups Are Exploiting Gmail 'Dot Accounts' For Online Fraud (zdnet.com)

Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services. From a report: The trick is an old one and has been used in the past. It refers to Gmail's "dot accounts," a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. For example, Google considers john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com as the same Gmail address. Regular users have been using this feature for years to register free trial accounts at online services using the same email address, but spelled out in different ways.

In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places all last year. In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.
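The summary above describes the normalisation Google applies (dots in the local part are ignored), and a comment further down adds the "plus trick" (sample+slashdot@gmail.com delivers to sample@gmail.com). The natural defensive counterpart, for anyone running a signup or application pipeline, is to apply the same canonicalisation before treating an address as a distinct identity, so that 56 dotted spellings collapse to one key. The example below is an added illustration and is not code from ZDNet, Agari or Google. It assumes that googlemail.com is an alias of gmail.com, that Gmail treats the local part case-insensitively, and that other providers keep dots and plus-signs significant; the application list is constructed sample data.

```python
"""Canonicalise Gmail-style addresses so that dotted and plus-suffixed
variants collapse to one identity for duplicate-application detection."""

from collections import defaultdict

# Google delivers gmail.com and googlemail.com to the same mailbox and
# ignores dots and a "+suffix" in the local part. Other providers are left
# untouched: dots are significant there, and plus-addressing support is
# not universal (assumption documented in the lead-in).
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a normalised form of *address* suitable as a dedup key.

    Lower-casing the whole address is an assumption that holds for Gmail
    but is not guaranteed by the RFC for every provider's local part.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = addr.split("@")
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0]   # drop the plus-suffix tag
        local = local.replace(".", "")   # dots are ignored by Google
        domain = "gmail.com"             # fold the googlemail.com alias
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    return f"{local}@{domain}"


def group_by_identity(applications):
    """Map canonical address -> list of application ids sharing it."""
    groups = defaultdict(list)
    for app_id, email in applications:
        groups[canonical_email(email)].append(app_id)
    return dict(groups)


def flag_duplicates(applications, threshold=2):
    """Return only the canonical addresses with >= threshold applications."""
    return {
        key: ids
        for key, ids in group_by_identity(applications).items()
        if len(ids) >= threshold
    }


# Constructed sample data (not from the Agari report): an application id
# and the email address each one was submitted with.
SAMPLE_APPLICATIONS = [
    ("APP-001", "john.doe@gmail.com"),
    ("APP-002", "jo.hn.doe@gmail.com"),
    ("APP-003", "johndoe@gmail.com"),
    ("APP-004", "J.O.H.N.D.O.E@googlemail.com"),
    ("APP-005", "johndoe+bank4@gmail.com"),
    ("APP-006", "jane.roe@gmail.com"),
    ("APP-007", "john.doe@example.org"),
]


if __name__ == "__main__":
    for key, ids in flag_duplicates(SAMPLE_APPLICATIONS).items():
        print(f"{key}: {len(ids)} applications -> {', '.join(ids)}")
```

Running it groups the first five sample applications under johndoe@gmail.com while leaving jane.roe and the example.org address alone. As several commenters point out, this only neutralises the specific Gmail quirk: anyone with their own domain can mint unlimited aliases that no normaliser can collapse, so the check is a cheap velocity signal, not a substitute for actually verifying the applicant's identity.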

14 of 117 comments

  1. Plus (+) trick by MightyYar · · Score: 2, Insightful

    Wait until they figure out the plus trick!

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    1. Re:Plus (+) trick by aardvarkjoe · · Score: 3, Interesting

      Some web forms see the plus char as invalid.

      In my experience it's most. And even if you get it past the client-side filter, it sometimes will cause the web site to break in interesting ways -- for instance, I've found cases where a site will accept a "+" address to register for an account, but then you can't actually use it to log in...

      I tried using it for a while to help me filter emails and keep track of who was selling my address, but it's broken on too many sites to be worth even making the attempt. I could report the problem, but most site owners won't bother fixing it, and it defeats the purpose of having easy-to-use aliases if I have to contact support every time I want to use one.

      I really wish that Google would offer a simple alias / disposable email service linked to Gmail that would work on most websites. Dot addresses could help (since most sites will allow a dot, at least), but they're pretty limited.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    2. Re:Plus (+) trick by MightyYar · · Score: 2

      It absolutely works in gmail. sample+slashdot@gmail.com delivers to sample@gmail.com.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:Plus (+) trick by MightyYar · · Score: 3, Insightful

      How is Google violating that standard? There is nothing in there that says you can't run post-delivery forwarding rules, or that users are limited to one email address each.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  2. And that's why we have standards by david.emery · · Score: 2

    so that commercial companies like Google can ignore them, to achieve "a competitive advantage."

    1. Re:And that's why we have standards by Zocalo · · Score: 2, Informative

      Yes, there is. RFC5322 defines what constitutes an email address, amongst other things. Arguably though, all Google is doing is automatically creating every single possible RFC5322 compliant alias of a given email address that you can create by inserting full stops in the bit before the @ sign and assigning them all to the same user; how they do that (almost certainly by stripping out the full stops from the LHS) isn't any concern of RFC5322. They're not actually creating any invalid email addresses or anything; just restricting the number of possible unique email addresses they can assign on their domain.

      --
      UNIX? They're not even circumcised! Savages!
  3. And? by pjt33 · · Score: 2

    Is there a story here, and if so what is it? That all you need to apply for a credit card is an email address?

    1. Re:And? by MightyYar · · Score: 2

      The story is that companies are so lax on security that they let you do things like update card details without actually logging in. You could achieve the same effect by forwarding emails to your victim - this just takes that step out for you.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:And? by Oswald+McWeany · · Score: 2

      The story is that companies are so lax on security that they let you do things like update card details without actually logging in.

      Indeed, whereas gmail might have made things more convenient for them; the fact is, there are countless ways you can create innumerable e-mail addresses. The story here isn't that they used e-mail; the story is that Financial Institutions are so desperate for business that they give out lines of credit based on only having an e-mail address.

      That's really pretty stupid. I don't want to victim blame the companies here, clearly they were taken advantage of; but they clearly have some pretty dumb policies in place here to allow themselves to be victimized here.

      --
      "That's the way to do it" - Punch
  4. Re:since when 1 person = 1 email address? by Oswald+McWeany · · Score: 4, Funny

    Why the heck are these companies assuming that just because the email is different it is a different person?
    Anyone could just own a domain and set up an unlimited number of aliases to a single address without exploiting any stupid weirdness Google created.

    Yeah, I use about a dozen different e-mail addresses. I'm clearly not 12 people. I'm not even 12 personalities in one person.

    Oh yes we are. No we're not... yes we are.

    --
    "That's the way to do it" - Punch
  5. So what? It's a slightly easier way of getting additional email addresses.

    If your business model depends on my not having more than one email, well ... not sure why that's my problem.

    I had no idea it was so easy to be a "cyber criminal".

  6. Wrong link by ljw1004 · · Score: 3, Informative

    The article has the wrong link. The correct link to the original is https://jameshfisher.com/2018/...

    Why does Slashdot do this all the time? Include links to dumb shallow copies of the original story that add nothing but instead take away necessary technical content? The article linked to in this case failed to actually explain how the scam works!

    1. Re:Wrong link by ledow · · Score: 3, Insightful

      Guarantee you that the submitter of the story benefits from that intermediate link, and that the Slashdot team know that.

      Though, the "Slashdot effect" is literally non-existent nowadays, and this is just a tiny niche website now.

  7. Root cause of fraud by 140Mandak262Jamuna · · Score: 5, Insightful

    US lending institutions consider the ability to lend to people in an instant to fund impulse purchases a big money maker.

    They know they may not be able to complete a thorough verification before the impulse to borrow passes. So they rush to lend. They know they make mistakes and lend to fraudsters. But to them it is cost of doing business, net profit from impulse lending is so great they do this knowingly.

    Then, the fraudulently lent loans get written off, sold for pennies on the dollar to the debt collectors. These people come after you, get default judgements, demanding that you prove you did not borrow the money. Even if you do to one debt collector, he sells the loan to the next debt collector and it goes on.

    Small things might help here:

    Make a law: "Lenders cannot sell defaulted loans without fully proving the identity of the borrower."

    Get a couple of precedent judgements: "if the bank sold a loan based on stolen identity, they are liable for slander and all damage caused to the person whose identity was compromised".

    Once you make the banks eat all the losses, and prevent damage to people whose identity is compromised, they will do the basic necessary things to verify identity.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact