Scammer Groups Are Exploiting Gmail 'Dot Accounts' For Online Fraud (zdnet.com)
Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services. From a report: The trick is an old one and has been used in the past. It refers to Gmail's "dot accounts," a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. For example, Google considers john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com as the same Gmail address. Regular users have been using this feature for years to register free trial accounts at online services using the same email address, but spelled out in different ways.
In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places all last year. In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.
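The summary above describes the whole mechanism: Google delivers every dotted spelling of a local part, and every "+tag" suffix, to one mailbox, so a system that keys identity on the raw string sees 56 applicants where there is one. The following is an added example (my own code, not from ZDNet, Agari or Google) of the canonicalisation a signup, credit-application or trial-abuse check can apply before comparing addresses. Treating googlemail.com as an alias of gmail.com and the applicant list are my assumptions; the addresses are constructed for the example.

```python
from itertools import combinations

# Added example; not code from the article, the Agari report or Google.
# Assumption: googlemail.com is delivered by the same mailbox rules as gmail.com.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Return a comparison key for an address (not a delivery address).

    For Gmail/Googlemail the key drops every dot in the local part and any
    '+tag' suffix, because Google routes all of those spellings to one box.
    For other domains dots and plus signs are kept: the receiving host alone
    decides what they mean, so collapsing them would merge real users.
    The whole key is lower-cased as a policy choice for comparison only.
    """
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-@ address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def dot_variants(local: str):
    """Yield every dotted spelling of a Gmail local part.

    There are len(local)-1 gaps between characters and each may or may not
    hold a dot, so an n-character name has 2**(n-1) spellings.
    """
    n = len(local)
    for k in range(n):
        for cuts in combinations(range(1, n), k):
            pieces, prev = [], 0
            for cut in cuts:
                pieces.append(local[prev:cut])
                prev = cut
            pieces.append(local[prev:])
            yield ".".join(pieces)


def group_by_identity(addresses):
    """Map canonical key -> list of raw spellings that map to it."""
    groups = {}
    for raw in addresses:
        groups.setdefault(canonical_email(raw), []).append(raw)
    return groups


def repeat_applicants(addresses, threshold=2):
    """Canonical keys seen at least `threshold` times: the dedup check the
    financial institutions in the report were missing."""
    return {k: v for k, v in group_by_identity(addresses).items()
            if len(v) >= threshold}


# Constructed sample input for the example: six applications, one real person
# at example.com and five spellings of the same Gmail mailbox.
CONSTRUCTED_APPLICATIONS = [
    "johndoe@gmail.com",
    "john.doe@gmail.com",
    "j.o.h.n.doe@gmail.com",
    "JohnDoe+visa@gmail.com",
    "jo.hn.doe+amex@googlemail.com",
    "john.doe@example.com",
]

if __name__ == "__main__":
    print(f"'johndoe' has {sum(1 for _ in dot_variants('johndoe'))} dotted spellings")
    for key, raws in repeat_applicants(CONSTRUCTED_APPLICATIONS).items():
        print(f"{key}: {len(raws)} applications -> {raws}")
```

The point of `dot_variants` is scale: a seven-letter local part already yields 64 spellings before any "+tag" is added, so per-address rate limits are meaningless against Gmail unless the comparison runs on the canonical key. Keep the raw spelling for delivery and audit; use the key only for uniqueness and velocity checks.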
Plus (+) trick (Score:3, Insightful)
Wait until they figure out the plus trick!
Re: (Score:2)
I've had some entertaining exchanges with tech help when they don't seem to comprehend that I'm reporting a bug in their website.
Re:Plus (+) trick (Score:4, Interesting)
Some web forms see the plus char as invalid.
In my experience it's most. And even if you get it past the client-side filter, it sometimes will cause the web site to break in interesting ways -- for instance, I've found cases where a site will accept a "+" address to register for an account, but then you can't actually use it to log in...
I tried using it for a while to help me filter emails and keep track of who was selling my address, but it's broken on too many sites to be worth even making the attempt. I could report the problem, but most site owners won't bother fixing it, and it defeats the purpose of having easy-to-use aliases if I have to contact support every time I want to use one.
I really wish that Google would offer a simple alias / disposable email service linked to Gmail that would work on most websites. Dot addresses could help (since most sites will allow a dot, at least), but they're pretty limited.
Re: (Score:2)
mailinator
Mailinator and similar services are useful in cases where you either don't want email at all, or only want it for a short time -- like for registering on a website that insists on you verifying your email address. It doesn't work for longer-term things where you want to keep receiving email.
What I would imagine as what I would like to see:
Have a button in GMail to create a new email address that automatically forwards to your email. A really simple approach would be to just automatically pick an address l
Re: (Score:2)
Some do, some don't. If they are standards-compliant, they accept the plus. Before I started using catchall addresses on my own domain, I used the plus trick to sign up with a unique email on every site. Occasionally I would run into a problem with a site not accepting a plus. I'd report the validation problem to somewhat clueless tech support sometimes, other times I wouldn't bother.
Re: (Score:2)
I just set up a subdomain for spam email. Whenever a company wants an address, it’s companyname@spam.mydomain.com, or, more recently, just @s.mydomain.com, since a number of sites reject addresses with “spam” in the name. My wife gets a different subdomain, as do each of my family members for whom I administrate email. Makes it easy for everyone to filter out the real spam and tell who’s selling their addresses/got hacked.
Re: (Score:2)
Doesn't work in gmail, I tried it years ago so I could track where spam might be coming from. That was disappointing.
Re: (Score:3)
It absolutely works in gmail. sample+slashdot@gmail.com delivers to sample@gmail.com.
Re: (Score:2)
I tried but the lameness filter keeps catching my ASCII screenshots.
Re: (Score:2)
Huh.. I might've been trying to create an alias of some sort in my account, I don't quite remember because that was around 12 years ago.. but your example works out fine, I gave it a shot and was successful in seeing the + bit in the "To" field. Which is all it needs, really.
Thanks!
Re: (Score:1)
All this stuff is permitted per the RFC
https://tools.ietf.org/html/rfc2822#page-12
Google doesn't get to decide this stuff.
Re: (Score:2)
I just glanced through page 12 of rfc2822. It does indeed allow the period, but implies that it is a significant character. That would make "stormreaver", "storm.reaver" and "s.t.o.r.m.r.e.a.v.e.r" three distinctly different names. Google treating them the same would therefore be a violation of the standard.
Re: (Score:1)
What Google is doing is preventing three different people signing up with those different names. I don't know why they did this, but it does reduce the risk of a missing period sending email to the wrong person - or someone masquerading as you by registering an address that is nearly visually identical.
When you, StormReaver, sign up with stormreaver@gmail Google effectively reserves storm.reaver@gmail, s.torm.reaver@gmail, etc., along with all addresses using a plus sign (e.g. stormreaver+slashdot@gmail), p
Re: (Score:2)
To use storm.reaver you would have had to sign up with storm.
That is specifically not true. As mentioned in the summary, if you sign up with stormreaver (or storm.reaver, or st.ormrea.ver), google will consider any of those emails as identical, and deliver them all to your mail box.
Re:Plus (+) trick (Score:4, Insightful)
How is Google violating that standard? There is nothing in there that says you can't run post-delivery forwarding rules, or that users are limited to one email address each.
And that's why we have standards (Score:3)
so that commercial companies like Google can ignore them, to achieve "a competitive advantage."
Re: (Score:2)
You won't like my domains' behavior, then - I use catchall addresses.
Re: (Score:2)
The standard that says FirstNameLastName is different from FirstName.LastName!
Re: (Score:2)
And that same standard says that FirstNameLastName is different from firstnamelastname
dave
Re: (Score:2)
They're not actually creating any invalid email addresses or anything; just restricting the number of possible unique email addresses they can assign on their domain.
Also causing hilarity to ensue.
My actual primary gmail is my name with dots in it.
Apparently a large proportion of the other mes on Earth either think or believe that they have my gmail address (without the dots), or else their correspondents do.
I get the most interesting and outrageous emails by mistake. My favorite was the playa who had had business cards made up with "my" address ...
Then again, maybe the dots have nothing to do with it ... surely when people try to register, Gmail tells them that myn
Re: (Score:1)
I have the same issue and suspect it may be correspondents "correcting" what they think is a wrong email.
My gmail has a dot between first and last name (my.name@gmail) . I've received more than a few emails for a chap in the UK at (myname.gmail). I have reason to suspect that his actual email address is (mynam@gmail) and that he's either giving out the wrong address or correspondents are assuming the missing terminal "e" is inadvertent and adding it.
Re: (Score:2)
It's probably just some retard who doesn't know their own email address. I've got a myname@outlook.com address that someone, presumably with the same name as me, thinks they own (probably because they use outlook and think that means outlook.com is their address).
I regularly get emails destined for him. He's some old coot in the UK and has daughters / granddaughters who play youth soccer.
One day he bought a Kindle Fire and registered it to my email address. Amazon doesn't care to validate it, so I was get
Re: (Score:1)
Same problem. I have a "WrongNumber" folder where I store them as evidence in case some site eventually tries to make me comply with a contract signed by "other me". >95% of the bogus emails I get have no verification link, and >99% don't have a "this isn't me" link. If you try to mail them back it takes 3-4 exchanges before they understand the dot rule, "But your mail has a dot, we didn't send to a dot." Could save so many headaches if they just implement double opt-in.
Re: (Score:2)
Literally nothing about this violates any standard whatsoever or is in any way an actual problem. The fact that a person regardless of their ethical standards can have multiple email accounts isn't relevant at all. I have had catchall email addresses since before Google existed.
And? (Score:3)
Is there a story here, and if so what is it? That all you need to apply for a credit card is an email address?
Re: (Score:3)
The story is that companies are so lax on security that they let you do things like update card details without actually logging in. You could achieve the same effect by forwarding emails to your victim - this just takes that step out for you.
Re: (Score:3)
The story is that companies are so lax on security that they let you do things like update card details without actually logging in.
Indeed, whereas gmail might have made things more convenient for them; the fact is, there are countless ways you can create innumerable e-mail addresses. The story here isn't that they used e-mail; the story is that Financial Institutions are so desperate for business that they give out lines of credit based on only having an e-mail address.
That's really pretty stupid. I don't want to victim blame the companies here, clearly they were taken advantage of; but they clearly have some pretty dumb policies in
Re: (Score:1)
I know it's wrong, but if a bank will give out free money in exchange for only an email address, I think that they kind of deserve to get screwed.
Re: (Score:2)
This is happening to me left and right. I've been the victim of repeated identity theft because of my name. Martin Espinoza isn't exactly the John Smith of Latin America, but it's fucking close. Maybe Mark Smith. And perhaps for the same reason, my email with the dot removed is also being heavily abused. I used to assume it was just some butt-hurt slashbot trolling me, especially since there was a rash of crap that I figured nobody would sign up for on purpose, and maybe there actually has been some of that
Re: (Score:2, Interesting)
Methinks I know why you get all that E-mail and get victimized by identity theft all the time... You respond.
Mostly, I don't. And those who I do respond to, I'm not giving any additional information to them, so I'm not helping them steal my identity.
DUMP SPAM into the trash. Don't answer, just trash can it.
Yes, that's what I do with spam. Thanks for nothing, AC.
It's quite simple, my identity gets stolen more than those of other people because of my hispanic name. People who have the same name have used my SSN for work, or to buy a car they never paid off. Then a court in Nevada City, CA granted a judgement against my SSN based on that person's debt. The evidence of debt
Re: And? (Score:2)
No, that's not it at all!
The technical story is explained at the original site https://jameshfisher.com/2018/... [jameshfisher.com] along with good impact analysis and recommendations
Re: (Score:1)
On the other hand, I think he is wrong to find Gmail that most at fault instead of the users and/or Netflix.
Look at his numbered outline for how the phishing scheme works. In step 6, this is where the other parties have failed. You shouldn't be able to go from an email to the behind-authenticated section of an accoun
Re: (Score:2)
Meh. I'm split here... The blame should be placed on USERS, followed by COMPANIES that allow LINKS with a hash to BYPASS AUTHENTICATION.
The original article also has a link to analysis by Bruce Schneier https://www.schneier.com/blog/... [schneier.com] where he says "it's an example of two systems without a security vulnerability coming together to create a security vulnerability".
I agree that having users validate their email addresses before using it for the first time would solve the problem. I've always been irritated by the companies that do so, imagining they did it solely to make sure that someone used a real email address rather than a throwaway sp
Re: (Score:2)
He never explained why email verification upfront would fail to solve the issue. I still believe it is a problem of the sites or services in question.
https://www.schneier.com/blog/... [schneier.com]
Bruce Schneier's analysis was that "it's an example of two systems without a security vulnerability coming together to create a security vulnerability."
Re: (Score:2)
He never explained why email verification upfront would fail to solve the issue. I still believe it is a problem of the sites or services in question.
https://www.schneier.com/blog/... [schneier.com]
Bruce Schneier's analysis was that "it's an example of two systems without a security vulnerability coming together to create a security vulnerability."
I respect Bruce a lot, and I think from a practical standpoint, Gmail (Google) absolutely should make those dot-aliases opt-in. But this is still 100% Netflix's problem to solve. The problem would exist if Gmail did not allow the dot aliases, you would just need to find some other predictable pattern of email aliases (like a large organization where everybody is granted both @longcompanydomain.com and @shortcompanydomain.com email addresses).
Stop and think. If your service will be sending payment related e
Re: (Score:2)
I still don't get it. How would Eve be able to sign up to Netflix with an email address that she doesn't control? And no matter how this works, why on earth would you think it is Google's fault?
Because, when you sign up for Netflix, you create a username and password - then, after the account has been created you provide an email address which Netflix does not verify (they send a "Welcome to Netflix" message to it, but the scam target might not notice that), but which can be used for password recovery. Then, to exacerbate the problem, Netflix sends payment update emails to the email address on the account which allow changing payment info without otherwise logging in. IOW, Netflix treats the unver
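The flow in the comment above has two weak points: an address that was never confirmed is trusted for password recovery, and a link in mail to that address changes payment details with no login. Here is an added illustration (mine, not Netflix's or any vendor's code) of the double opt-in gate several commenters ask for: an address stays unverified until its owner presents a one-time token, and nothing sensitive is sent to it before then. The class and method names are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example; not code from Netflix, Google or the linked articles.
# Names (Account, VerificationService, ...) are illustrative assumptions.

TOKEN_TTL_SECONDS = 24 * 3600


class Account:
    def __init__(self, username: str):
        self.username = username
        self.email = None              # address on file, possibly unverified
        self.email_verified = False
        self._token_hash = None        # sha256 of the outstanding token, never the token
        self._token_expires = 0.0


class VerificationService:
    """Issue and check confirmation tokens; gate sensitive mail on them."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry is testable
        self.outbox = []               # (address, subject) pairs that would be sent

    def set_email(self, acct: Account, email: str) -> str:
        """Record a new address as UNVERIFIED; return the token to email it.

        Changing the address always clears the verified flag, so an attacker
        who later swaps in their own address cannot inherit the old trust.
        """
        acct.email = email
        acct.email_verified = False
        token = secrets.token_urlsafe(32)
        acct._token_hash = hashlib.sha256(token.encode()).hexdigest()
        acct._token_expires = self.now() + TOKEN_TTL_SECONDS
        self.outbox.append((email, "confirm your address"))
        return token

    def confirm(self, acct: Account, token: str) -> bool:
        """Mark the address verified if the presented token matches and is fresh.

        The token is single-use: a successful confirm clears the stored hash.
        """
        if acct._token_hash is None or self.now() > acct._token_expires:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, acct._token_hash):
            return False
        acct.email_verified = True
        acct._token_hash = None
        return True

    def send_payment_update(self, acct: Account) -> bool:
        """Refuse to send account-changing mail to an unverified address.

        The link inside such mail should additionally require a logged-in
        session before anything is changed; this method only covers the
        'should we mail this address at all' decision.
        """
        if not acct.email_verified:
            return False
        self.outbox.append((acct.email, "update your payment details"))
        return True

    def allow_password_recovery(self, acct: Account) -> bool:
        """Recovery mail follows the same rule as payment mail."""
        return acct.email_verified


if __name__ == "__main__":
    svc = VerificationService()
    acct = Account("demo")
    tok = svc.set_email(acct, "vi.ctim@gmail.com")  # constructed address
    print("payment mail before confirm:", svc.send_payment_update(acct))
    print("confirmed:", svc.confirm(acct, tok))
    print("payment mail after confirm:", svc.send_payment_update(acct))
```

Two design choices matter here. Only a hash of the token is stored, so a leaked database does not let someone confirm addresses they do not own, and comparison uses `hmac.compare_digest` to avoid a timing side channel. The address change path resets verification unconditionally, which is what stops the scenario in the comment: Eve can still type in a victim's dotted Gmail address, but the account cannot use it for recovery or receive payment links until the real mailbox owner clicks through.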
since when 1 person = 1 email address? (Score:1)
Why the heck are these companies assuming that just because the email is different it is a different person?
Anyone could just own a domain and setup an unlimited number of aliases to a single address without exploiting any stupid weirdness google created.
Re:since when 1 person = 1 email address? (Score:5, Funny)
Why the heck are these companies assuming that just because the email is different it is a different person?
Anyone could just own a domain and setup an unlimited number of aliases to a single address without exploiting any stupid weirdness google created.
Yeah, I use about a dozen different e-mail addresses. I'm clearly not 12 people. I'm not even 12 personalities in one person.
Oh yes we are. No we're not... yes we are.
Re: (Score:2)
I'm not even 12 personalities in one person.
Are you certain? I mean, is anyone of your "yous" certain?
Re: (Score:2)
I hate being bipolar, it's awesome!
um (Score:3)
So what? It's a slightly easier way of getting additional email addresses.
If your business model depends on my not having more than one email, well ... not sure why that's my problem.
I had no idea it was so easy to be a "cyber criminal".
Wrong link (Score:4, Informative)
The article has the wrong link. The correct link to the original is https://jameshfisher.com/2018/... [jameshfisher.com]
Why does Slashdot do this all the time? Include links to dumb shallow copies of the original story that add nothing but instead take away necessary technical content? The article linked to in this case failed to actually explain how the scam works!
Re:Wrong link (Score:4, Insightful)
Guarantee you that the submitter of the story benefits from that intermediate link, and that the Slashdot team know that.
Though, the "Slashdot effect" is literally non-existent nowadays, and this is just a tiny niche website now.
Re: (Score:1)
UK person, on a UK keyboard, on a UK-language Windows machine with a UK-language mainstream browser (Chrome, latest stable).
And I still get this crap:
£
Every time I put in a UK pound sign.
Every other website, no problem at all. SoylentNews (based on MUCH newer Slashcode), no problem at all. Literally no weird settings, multiple computers, etc. etc.
Oh, and I paid to "Disable Advertising" and I still get adverts anyway and the box randomly unchecks itself.
Slashdot is basically unmaintained from w
What is the problem exactly? (Score:2)
I don't see any problem here. If you can apply for credit using only an email address then it's the company's own fault. You don't give credit out to just an email address. And for registering free trial accounts, what's the problem here? You give out trials, so what if somebody gets many trials? Who cares?
Root cause of fraud (Score:5, Insightful)
They know they may not be able to complete a thorough verification before the impulse to borrow passes. So they rush to lend. They know they make mistakes and lend to fraudsters. But to them it is cost of doing business, net profit from impulse lending is so great they do this knowingly.
Then, the fraudulently lent loans get written off, sold for pennies on the dollar to the debt collectors. These people come after you, get default judgements, demanding that you prove you did not borrow the money. Even if you do to one debt collector, he sells the loan to the next debt collector and it goes on.
Small things might help here:
Make a law, "Lenders cannot sell defaulted loans without fully proving the identity of the borrower."
Get a couple of precedent judgements, "if the bank sold a loan based on stolen identity, they are liable for slander and all damage caused to the person whose identity was compromised".
Once you make the banks eat all the losses, and prevent damage to people whose identity is compromised, they will do the basic necessary things to verify identity.
Scammer Groups are Using Multiple Email Accounts! (Score:1)
Email address is not SSN! (Score:2)
Who on earth thought it was a good idea to use an email address as a unique identifier for government programs? That's what Social Security Numbers are for.
The premise of this article is not right!! (Score:2)
"Regular users" (Score:2)
"Regular users have been using this feature for years to to register free trial accounts at online services using the same email address, but spelled out in different ways."
vs
"one group in particular use [sic] 56 'dotted' variations of a Gmail address to...submit 48 credit card applications...resulting in the approval of at least $65,000 in fraudulent credit."
I'm not sure I see the difference. Most free trial accounts are limited to one/person...