Slashdot Mirror

← Back to Stories (view on slashdot.org)

Scammer Groups Are Exploiting Gmail 'Dot Accounts' For Online Fraud (zdnet.com)

Posted by msmash on from the security-woes dept.

Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services. From a report: The trick is an old one and has been used in the past. It refers to Gmail's "dot accounts," a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. For example, Google considers john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com as the same Gmail address. Regular users have been using this feature for years to to register free trial accounts at online services using the same email address, but spelled out in different ways.

In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places all last year. In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.

6 of 117 comments (clear)

  1. Re:since when 1 person = 1 email address? by Oswald+McWeany · · Score: 4, Funny

    Why the heck are these companies assuming that just because the email is different it is a different person?
    Anyone could just own a domain and setup an unlimited number of aliases to a single address without exploiting any stupid weirdness google created.

    Yeah, I use about a dozen different e-mail addresses. I'm clearly not 12 people. I'm not even 12 personalities in one person.

    Oh yes we are. No we're not... yes we are.

    --
    "That's the way to do it" - Punch
  2. Wrong link by ljw1004 · · Score: 3, Informative

    The article has the wrong link. The correct link to the original is https://jameshfisher.com/2018/...

    Why does Slashdot do this all the time? Include links to dumb shallow copies of the original story that add nothing but instead take away necessary technical content? The article linked to in this case failed to actually explain how the scam works!

    1. Re:Wrong link by ledow · · Score: 3, Insightful

      Guarantee you that the submitter of the story benefits from that intermediate link, and that the Slashdot team know that.

      Though, the "Slashdot effect" is literally non-existent nowadays, and this is just a tiny niche website now.

  3. Re:Plus (+) trick by aardvarkjoe · · Score: 3, Interesting

    Some web forms see the plus char as invalid.

    In my experience it's most. And even if you get it past the client-side filter, it sometimes will cause the web site to break in interesting ways -- for instance, I've found cases where a site will accept a "+" address to register for an account, but then you can't actually use it to log in...

    I tried using it for a while to help me filter emails and keep track of who was selling my address, but it's broken on too many sites to be worth even making the attempt. I could report the problem, but most site owners won't bother fixing it, and it defeats the purpose of having easy-to-use aliases if I have to contact support every time I want to use one.

    I really wish that Google would offer a simple alias / disposable email service linked to Gmail that would work on most websites. Dot addresses could help (since most sites will allow a dot, at least), but they're pretty limited.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  4. Root cause of fraud by 140Mandak262Jamuna · · Score: 5, Insightful
    US lending institutions consider the ability to lend to people at an instant to fund impulse purchases a big money maker.

    They know they may not be able to complete a thorough verification before the impulse to borrow passes. So they rush to lend. They know they make mistakes and lend to fraudsters. But to them it is cost of doing business, net profit from impulse lending is so great they do this knowingly.

    Then, the fraudulently lent loans get written off, sold for pennies for a dollar to the debt collectors. These people come after you, get default judgements, demanding that you prove you did not borrow the money. Even if you do to one debt collector, he sells the loan to the next debt collector and it goes on.

    Small things might help here:

    Make a law, "Lenders can not sell defaulted loans without fully proving the identity of the borrower.".

    Get a couple of precedent judgement, "if the bank sold a loan based on stolen identity, they are liable for slander and all damage caused to the person whose identity was compromised".

    Once you make the banks eat all the losses, and prevent damage to people whose identity is compromised, they will do the basic necessary things to verify identity.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. Re:Plus (+) trick by MightyYar · · Score: 3, Insightful

    How is Google violating that standard? There is nothing in there that says you can't run post-delivery forwarding rules, or that users are limited to one email address each.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.