Using Gmail "Dot Addresses" to Commit Fraud
In Gmail addresses, the dots in the part before the @ don’t matter. Gmail delivers “bruceschneier@gmail.com”, “bruce.schneier@gmail.com”, “b.r.u.c.e.schneier@gmail.com”, and so on, to the exact same mailbox, while a website that compares e-mail addresses as plain strings sees each variant as a different user. (Note: I own none of those addresses, if they are actually valid.)
This fact can be used to commit fraud:
Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud. Since early 2018, this group has used this fairly simple tactic to facilitate the following fraudulent activities:
- Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
- Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
- File 13 fraudulent tax returns with an online tax filing service
- Submit 12 change of address requests with the US Postal Service
- Submit 11 fraudulent Social Security benefit applications
- Apply for unemployment benefits under nine identities in a large US state
- Submit applications for FEMA disaster assistance under three identities
In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services is received by the same Gmail account. Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.
This isn’t a new trick. It has been previously documented as a way to trick Netflix users.
News article.
Slashdot thread.
Don • February 6, 2019 10:56 AM
You can also use a plus sign in the address after the username, before the @ to add a customizable code. bruce+blah@gmail.com and bruce+wellsfargo@gmail.com and bruce+wpa2@gmail.com all go to the address bruce@gmail.com and then filter into a folder based on what is after the plus sign. Infinite customizable email addresses, not even limited to how many dots you can put between letters (although you can count in binary with the dots and have hundreds of combinations, the plus code is a lot easier on the human mind).
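Whether a site is exposed to this comes down to how it compares addresses. As an added example (my own code, not from this post, from the report quoted above, or from the commenter), here is a small Python canonicaliser that folds the dot variants the report describes, the “+tag” form Don mentions, and the googlemail.com alias onto one mailbox, and then flags any mailbox that receives signups under several different names. The signup records are constructed for illustration, and the function names `canonical_email` and `shared_mailboxes` are my own.

```python
from collections import defaultdict

# Domains where Google ignores dots in the local part and treats a
# "+tag" suffix as a routing label for the same mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Return the mailbox an address actually delivers to.

    Gmail: lowercase, drop every dot in the local part, drop a "+tag"
    suffix, and fold googlemail.com onto gmail.com. Any other domain is
    only lowercased, because most providers treat dots as significant
    and collapsing them there would merge genuinely different users.
    """
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {addr!r}")
    local, domain = addr.split("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def shared_mailboxes(signups, min_identities=2):
    """Group signup records by canonical mailbox and return the mailboxes
    that receive signups under at least `min_identities` distinct names.

    A person who re-registers under their own name is not flagged; several
    identities funnelled into one inbox is the pattern described above.
    """
    by_mailbox = defaultdict(list)
    for rec in signups:
        by_mailbox[canonical_email(rec["email"])].append(rec)
    flagged = {}
    for mailbox, recs in by_mailbox.items():
        names = {r["name"].strip().lower() for r in recs}
        if len(names) >= min_identities:
            flagged[mailbox] = sorted(names)
    return flagged


# Constructed sample signups (not real data): four applications that all
# land in one Gmail inbox under different names, one genuine repeat signup
# by the same person, and a non-Gmail pair that must stay separate.
SAMPLE_SIGNUPS = [
    {"name": "Alice Example", "email": "john.q.doe@gmail.com"},
    {"name": "Bob Sample", "email": "j.ohnqdoe@gmail.com"},
    {"name": "Carol Test", "email": "johnq.doe+bank@googlemail.com"},
    {"name": "Dan Demo", "email": "JohnQDoe@gmail.com"},
    {"name": "Eve Repeat", "email": "eve.repeat@gmail.com"},
    {"name": "Eve Repeat", "email": "everepeat@gmail.com"},
    {"name": "Frank One", "email": "frank.one@example.com"},
    {"name": "Grace Two", "email": "frankone@example.com"},
]

if __name__ == "__main__":
    for mailbox, names in shared_mailboxes(SAMPLE_SIGNUPS).items():
        print(f"{mailbox}: {len(names)} identities -> {', '.join(names)}")
```

Run on the sample, the four “John Q. Doe” variants collapse to a single `johnqdoe@gmail.com` carrying four different applicant names, while the two example.com addresses stay distinct because that provider is not known to ignore dots. A signup or KYC pipeline would apply the same canonical form when checking for an existing account, rather than comparing the raw string.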