Cyber-criminals are taking advantage of a little-known feature in Gmail to escalate their scam operations more efficiently, according to new research from Agari.
The email security vendor claimed in a blog post that the problem stems from what it describes as “dot accounts.”
This relates to a decision by Google to allow Gmail users to own “all dotted versions” of their address.
In the example given by Agari senior threat researcher, Ronnie Tokazowski, if a user registers a domain as "badguy007[at]gmail.com" they could then use multiple versions of that same address, placing the dot in different places before the @, such as "b.a.d.g.u.y.007[at]gmail.com," "bad.guy.007[at]gmail.com" and "ba.dg.uy.007[at]gmail.com."
“While all dot variants of a Gmail account direct all email to the same inbox, a vast majority of the rest of the internet treats each variant as a distinctly separate email address, associated with a unique separate account and identity,” he continued.
“For example, if I sign up for a Netflix account using the email address badguy007[at]gmail.com and then again with b.adg.uy007[at]gmail.com, Netflix — like most other online services — would think that these are two different accounts linked to two different people. This is where, and how, cyber-criminals are able to take advantage.”
Fraudsters are therefore able to create multiple accounts with a single provider that all direct back to one email inbox, making their scams quicker and easier to scale and manage.
Agari said it recently spotted email scammers using Gmail ‘dot accounts’ to carry out widespread fraud.
They submitted 48 credit card applications at four US financial institutions, with at least $65,000 in fraudulent credit approved.
They also: filed 13 fraudulent tax returns, submitted 12 change of address requests with the US Postal Service, submitted 11 fraudulent Social Security benefit applications, applied for unemployment benefits under nine identities in a single US state and submitted applications for FEMA disaster assistance under three identities.
“In total, the group used 56 different dot variants of a single Gmail email address to register accounts on websites used for fraudulent purposes,” said Tokazowski.
He warned that scammers could also make use of the fact that @gmail and @googlemail addresses are routed to the same inbox, potentially doubling the permutations they have on offer.
Organizations were urged to check for excessive use of dots in newly created accounts to help mitigate this risk.