BEC Scammers are exploiting Gmail's ‘Dot accounts’ for various fraudulent activities

• Scammers are exploiting Gmail feature ‘Dot accounts’ to perform various fraudulent activities such as filing for fraudulent unemployment benefits, filing fake tax returns, and more.
• Gmail's ‘Dot accounts’ is a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement.

Researchers recently observed that Business Email Compromise (BEC) scammers are exploiting a Gmail feature ‘Dot accounts’ to perform various fraudulent activities. Gmail's ‘Dot accounts’ is a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement.

Scammers are leveraging this feature to create multiple accounts on a single website which then direct all communication to a single Gmail account.

For example, Google considers red.apple[at]gmail[.]com, redap.ple[at]gmail[.]com, red.app.le[at]gmail[.]com, and redapple[at]gmail[.]com as same and emails sent to any of these email addresses will arrive at the same email account.

Malicious activities

Scammers are taking advantage of this feature and creating multilple email accounts to perform various fraudulent activities such as filing for fraudulent unemployment benefits, filing fake tax returns, bypassing trial periods for online services, and more.

Email security firm Agari in its blog described one of the scams where a scammer was able to submit 22 separate applications using different email accounts and successfully opened over $65,000 in fraudulent credit cards at a single financial institution.

Dotted email accounts to trick Netflix

Recently, a scammer group used Gmail ‘Dot accounts’ to trick Netflix account owners into adding card details to scammers' accounts. The legitimate Netflix notification ‘update your card details’ would arrive in the real user's inbox, who would later update the scammer's account unknowingly.

The reason why this trick works is that ‘Dot accounts’ is a Gmail feature which is not found with many other online email providers and online websites like Netflix, Amazon,eBay, and government portals, consider each dotted email address as a different account.

56 different dot variants

The Agari research team observed a particular scammer group using 56 variations of ‘Dot accounts’ to perform various frauds,

• Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
• Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
• File 13 fraudulent tax returns with an online tax filing service
• Submit 12 change of address requests with the US Postal Service
• Submit 11 fraudulent Social Security benefit applications
• Apply for unemployment benefits under nine identities in a large US state
• Submit applications for FEMA disaster assistance under three identities

“In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account.” Researchers from Agari explained.

“Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior,” Researchers added.

Two other exploitable Gmail features

Apart from the ‘Dot accounts’ feature, Gmail also has two other features that scammers could potentially exploit in the future.

• One feature is the plus sign. For example, a Gmail address like username+randomword@gmail.com will always redirect emails back to username@gmail.com.
• The other feature is the legacy @googlemail.com domain. All emails sent to username@googlemail.com will always arrive at username@gmail.com.

“None of these two additional techniques have been spotted in the wild, just yet,” Crane Hassold, Senior Director of Threat Research at Agari told ZDNet.