Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Google Security IT

Scammer Groups Are Exploiting Gmail 'Dot Accounts' For Online Fraud (zdnet.com) 117

Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services. From a report: The trick is an old one and has been used in the past. It refers to Gmail's "dot accounts," a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. For example, Google considers john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com as the same Gmail address. Regular users have been using this feature for years to to register free trial accounts at online services using the same email address, but spelled out in different ways.

In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places all last year. In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.

This discussion has been archived. No new comments can be posted.

Scammer Groups Are Exploiting Gmail 'Dot Accounts' For Online Fraud

Comments Filter:
  • Plus (+) trick (Score:3, Insightful)

    by MightyYar ( 622222 ) on Wednesday February 06, 2019 @09:03AM (#58078140)

    Wait until they figure out the plus trick!

    • Doesn't work in gmail, I tried it years ago so I could track where spam might be coming from. That was disappointing.

      • It absolutely works in gmail. sample+slashdot@gmail.com delivers to sample@gmail.com.

        • Huh.. I might've been trying to create an alias of some sort in my account, I don't quite remember because that was around 12 years ago.. but your example works out fine, I gave it a shot and was successful in seeing the + bit in the "To" field. Which is all it needs, really.

          Thanks!

    • Or, you know, the "registering multiple free e-mail accounts" trick. Dots and pluses and multiple accounts are not the problem here. They have always been known and possible.
    • by Anonymous Coward

      All this stuff is permitted per the RFC
      https://tools.ietf.org/html/rfc2822#page-12

      Google doesn't get to decide this stuff.

      • I just glanced through page 12 of rfc2822. It does indeed allow the period, but implies that it is a significant character. That would make "stormreaver", "storm.reaver" and "s.t.o.r.m.r.e.a.v.e.r" three distinctly different names. Google treating them the same would therefore be a violation of the standard.

        • What Google is doing is preventing three different people signing up with those different names. I don't know why they did this, but it does reduce the risk of a missing period sending email to the wrong person - or someone masquerading as you by registering an address that is nearly visually identical.

          When you, StormReaver, sign up with stormreaver@gmail Google effectively reserves storm.reaver@gmail, s.torm.reaver@gmail, etc., along with all addresses using a plus sign (e.g. stormreaver+slashdot@gmail), p

      • Re:Plus (+) trick (Score:4, Insightful)

        by MightyYar ( 622222 ) on Wednesday February 06, 2019 @12:23PM (#58079110)

        How is Google violating that standard? There is nothing in there that says you can't run post-delivery forwarding rules, or that users are limited to one email address each.

    • Some web sites don't allow it. Others are worse in that they allow you to register with a + in your email address, but other parts of their web site treat the + as invalid.
  • by david.emery ( 127135 ) on Wednesday February 06, 2019 @09:04AM (#58078146)

    so that commercial companies like Google can ignore them, to achieve "a competitive advantage."

    • You won't like my domains' behavior, then - I use catchall addresses.

    • by GoRK ( 10018 )

      Literally nothing about this violates any standard whatsoever or is in any way an actual problem. The fact that a person regardless of their ethical standards can have multiple email accounts isn't relevant at all. I have had catchall email addresses since before Google existed.

    • What standard is the Gmail dot feature ignoring? And what "competitive advantage" does it give them?
  • by pjt33 ( 739471 ) on Wednesday February 06, 2019 @09:04AM (#58078150)

    Is there a story here, and if so what is it? That all you need to apply for a credit card is an email address?

    • The story is that companies are so lax on security that they let you do things like update card details without actually logging in. You could achieve the same effect by forwarding emails to your victim - this just takes that step out for you.

      • The story is that companies are so lax on security that they let you do things like update card details without actually logging in.

        Indeed, whereas gmail might have made things more convenient for them; the fact is, there are countless ways you can create innumerable e-mail addresses. The story here isn't that they used e-mail; the story is that Financial Institutions are so desperate for business that they give out lines of credit based on only having an e-mail address.

        That's really pretty stupid. I don't want to victim blame the companies here, clearly they were taken advantage of; but they clearly have some pretty dumb policies in

        • by Anonymous Coward

          I know it's wrong, but if a bank will give out free money in exchange for only an email address, I think that they kind of deserve to get screwed.

    • This is happening to me left and right. I've been the victim of repeated identity theft because of my name. Martin Espinoza isn't exactly the John Smith of Latin America, but it's fucking close. Maybe Mark Smith. And perhaps for the same reason, my email with the dot removed is also being heavily abused. I used to assume it was just some butt-hurt slashbot trolling me, especially since there was a rash of crap that I figured nobody would sign up for on purpose, and maybe there actually has been some of that

    • No, that's not it at all!

      The technical story is explained at the original site https://jameshfisher.com/2018/... [jameshfisher.com] along with good impact analysis and recommendations

      • Meh. I'm split here. On one hand, I totally agree with his recommendation that Gmail lets people opt-out of catchall or at least provide a phishing warning similar to his provided mock-up.
        On the other hand, I think he is wrong to find Gmail that most at fault instead of the users and/or Netflix.
        Look at his numbered outline for how the phishing scheme works. In step 6, this is where the other parties have failed. You shouldn't be able to go from an email to the behind-authenticated section of an accoun
        • by ljw1004 ( 764174 )

          Meh. I'm split here... The blame should be placed on USERS, followed by COMPANIES that allow LINKS with a hash to BYPASS AUTHENTICATION.

          The original article also has a link to analysis by Bruce Schneier https://www.schneier.com/blog/... [schneier.com] where he says "it's an example of two systems without a security vulnerability coming together to create a security vulnerability".

          I agree that having users validate their email addresses before using it for the first time would solve the problem. I've always been irritated by the companies that do so, imagining they did it solely to make sure that someone used a real email address rather than a throwaway sp

      • He never explained why email verification upfront would fail to solve the issue. I still believe it is a problem of the sites or services in question.
        • by ljw1004 ( 764174 )

          He never explained why email verification upfront would fail to solve the issue. I still believe it is a problem of the sites or services in question.

          https://www.schneier.com/blog/... [schneier.com]

          Bruce Schneier's analysis was that "it's an example of two systems without a security vulnerability coming together to create a security vulnerability."

          • Ah, much better link. And I see your reply to me above with that very link, thank you!
          • He never explained why email verification upfront would fail to solve the issue. I still believe it is a problem of the sites or services in question.

            https://www.schneier.com/blog/... [schneier.com]

            Bruce Schneier's analysis was that "it's an example of two systems without a security vulnerability coming together to create a security vulnerability."

            I respect Bruce a lot, and I think from a practical standpoint, Gmail (Google) absolutely should make those dot-aliases opt-in. But this is still 100% Netflix's problem to solve. The problem would exist if Gmail did not allow the dot aliases, you would just need to find some other predictable pattern of email aliases (like a large organization where everybody is granted both @longcompanydomain.com and @shortcompanydomain.com email addresses).

            Stop and think. If your service will be sending payment related e

  • by Anonymous Coward

    Why the heck are these companies assuming that just because the email is different it is a different person?
    Anyone could just own a domain and setup an unlimited number of aliases to a single address without exploiting any stupid weirdness google created.

  • by cascadingstylesheet ( 140919 ) on Wednesday February 06, 2019 @09:26AM (#58078236) Journal

    So what? It's a slightly easier way of getting additional email addresses.

    If your business model depends on my not having more than one email, well ... not sure why that's my problem.

    I had no idea it was so easy to be a "cyber criminal".

  • Wrong link (Score:4, Informative)

    by ljw1004 ( 764174 ) on Wednesday February 06, 2019 @09:50AM (#58078350)

    The article has the wrong link. The correct link to the original is https://jameshfisher.com/2018/... [jameshfisher.com]

    Why does Slashdot do this all the time? Include links to dumb shallow copies of the original story that add nothing but instead take away necessary technical content? The article linked to in this case failed to actually explain how the scam works!

    • Re:Wrong link (Score:4, Insightful)

      by ledow ( 319597 ) on Wednesday February 06, 2019 @10:57AM (#58078726) Homepage

      Guarantee you that the submitter of the story benefits from that intermediate link, and that the Slashdot team know that.

      Though, the "Slashdot effect" is literally non-existent nowadays, and this is just a tiny niche website now.

      • You mean people aren't hosting their websites on discarded HP desktops on a dual ISDN anymore, and can actually serve up 100,000 page views like it's nothing? Technology, huh?
  • I don't see any problem here. If you can apply for credit using only a email address then it's the company own fault. You don't give credit out to just an email address. And for registering free trial accounts, what's the problem here? You give out trials, so what if somebody gets many trials? Who cares?

  • by 140Mandak262Jamuna ( 970587 ) on Wednesday February 06, 2019 @10:18AM (#58078492) Journal
    US lending institutions consider the ability to lend to people at an instant to fund impulse purchases a big money maker.

    They know they may not be able to complete a thorough verification before the impulse to borrow passes. So they rush to lend. They know they make mistakes and lend to fraudsters. But to them it is cost of doing business, net profit from impulse lending is so great they do this knowingly.

    Then, the fraudulently lent loans get written off, sold for pennies for a dollar to the debt collectors. These people come after you, get default judgements, demanding that you prove you did not borrow the money. Even if you do to one debt collector, he sells the loan to the next debt collector and it goes on.

    Small things might help here:

    Make a law, "Lenders can not sell defaulted loans without fully proving the identity of the borrower.".

    Get a couple of precedent judgement, "if the bank sold a loan based on stolen identity, they are liable for slander and all damage caused to the person whose identity was compromised".

    Once you make the banks eat all the losses, and prevent damage to people whose identity is compromised, they will do the basic necessary things to verify identity.

    • I feel sorry for no one involved here. No need for a law.
  • This report is no different than saying, "Scammer Groups are Using Multiple Email Accounts for Online Fraud!". The gmail dot feature makes it a tiny bit easier for them, but it's no different than using multiple fake email accounts. This is non-news.
  • ... file fraudulent unemployment benefits, file fake tax returns...

    Who on earth thought it was a good idea to use an email address as a unique identifier for government programs? That's what Social Security Numbers are for.

  • I always log in to a firstname.lastname@gmail.com but if I try to test send an email to firstnamelastname@gmail.com then I do not receive the email. So my point is in basic testing this dotted theory does not work. Also if I try to log in to the non dotted email it does not let me sign in. I assume it's this way for everyone?
  • "Regular users have been using this feature for years to to register free trial accounts at online services using the same email address, but spelled out in different ways."
    vs
    "one group in particular use [sic] 56 'dotted' variations of a Gmail address to...submit 48 credit card applications...resulting in the approval of at least $65,000 in fraudulent credit."

    I'm not sure I see the difference. Most free trial accounts are limited to one/person...

  • Comment removed based on user account deletion

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...