Connect with us

Internet

Gmail Dot Feature Exploited to Commit Credit Fraud and More: Report

Published

on

Gmail offers a nifty “dot” feature which redirects all emails to the same account in case users have mistakenly added a dot or a period in the recipient’s email address. But cybercriminals are exploiting the same feature to commit crimes such as filing fake tax returns, availing financial benefits from government agencies, extending the trial period of online services, and credit fraud among others. As per a report, the bad actors have been exploiting the feature to commit a diverse array of scams since early 2018.

The Gmail dot feature fraud, that was discovered by security firm Agari and was first reported by Axios, was primarily employed to commit BEC (Business Email Compromise) scams. So, how did this happen? The Gmail dot feature ensures that emails intended for a particular recipient reaches them if the sender accidentally adds (or forgets) a dot or period in the username. For example, if someone intends to send an email to abc@gmail.comand mistakenly sends it to a.bc@gmail.com, the email will be delivered to the intended recipient who owns the correct username, or vice versa – if someone intends to send an email to a.bc@gmail.com, and mistakenly sends it to abc@gmail.com.

Since Gmail is the only major service provider to follow this practice of making these email addresses indistinguishable, service providers continue to treat each dot variant of the email address as a separate one, and indirectly, a different individual. While many of us have used this Gmail ‘feature’ to register ‘different’ emails to the same service provider, such as Netflix, it appears 

The dot variants of a username used to file fake tax returns
Photo Credit: Agari

This vulnerability makes the process of scaling up a fraud much easier. As per the findings of security experts, a group of cybercriminals exploited the Gmail dot feature to avail around $65,000 (roughly Rs. 46,52,400) in credits from four banking institutions in the US. Moreover, they reportedly registered 14 different trial accounts with commercial services, filed 13 fraudulent tax returns before an online tax filing service and submitted 12 address change requests with the US postal service. Moreover, the feature was also misused to avail financial allowances such as social security benefits as well as disaster assistance and unemployment benefits under different identities.

Cybersecurity experts identified a total of 56 variants of an email address belonging to a single individual but differentiated by the placement of a dot in the username to bamboozle the service providers. And since all the emails intended for a supposedly different user were delivered to the same account, thanks to the Gmail dot feature, it became very easy for the bad actors to manage their fraudulent activities. 

Separately, Crane Hassold, Senior Director of Threat Research at Agari told ZDNet that the Gmail dot feature is only one of several Gmail features that can be used by scammers, such as the plus sign (where username+randomword@gmail.com redirects emails to username@gmail.com), and the legacy googlemail.com domain. While exploits on these features haven’t yet been spotted in the wild, Hassold says they are just as efficient as the Gmail dot feature. 

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Internet

Limited Galaxy Note 20 Mystic Red, Galaxy Z Flip 5G Mystic White arrive

Published

on

There used to be a time when you could easily change your phone’s back colors and design without having to slap on a case or peel off a sticker. These days, you’re often stuck with what you first buy, especially with a foldable phone with more limited options for cases. The color choices for Samsung’s latest flagships are, unfortunately, not … Continue reading

Continue Reading

Internet

Hacker sells Microsoft, Office 365 credentials of C-level executives

Published

on

Data breaches are neither new nor spectacular, at least until the names and accounts of higher-ups get dragged into the news. For example, a recent Twitter hacking incident that involved the accounts of very high-profile users made it big in the news and led to arrests faster than your usual hacking. Now it seems that the accounts of possibly hundreds … Continue reading

Continue Reading

Internet

iPhone 12 on DxOMark falls way behind its siblings

Published

on

Apple’s new iPhones this year might have 5G support as their headlining feature but they might be better remembered for their photography capabilities. At least as far as the biggest and most expensive iPhone 12 Pro Max is concerned, Apple is catching up with the top performers in DxOMark’s benchmarks. Not all 2020 iPhones are created equal and not all … Continue reading

Continue Reading

Trending