NEW DELHI: Cyber criminals are getting smarter day by day and are coming up with new ideas to trick users. This time they have used the nifty dot feature of Gmail. The email service from Google has a dot feature which delivers all emails to the same account even if users mistakenly add a dot to the email address.
Google does not recognise the dot in email ids. For instance, Google will read Gadgets.now@gmail.com the same as [email protected] and [email protected]. Users use the dot in order to register for free trial accounts on online servers, but Google reads all of them as the same address. Now, as per a report, some cybercriminals are taking advantage of this feature for various online frauds.
The security firm Agari found the Gmail dot feature fraud. The Gmail dot feature makes sure that email directed to a particular user reaches their inbox despite the existence of an extra dot. Recently, it was reported that a scammer group found out about the feature and managed to trick Netflix account users. The scammers managed to get hold of the users' card details using the dotted Gmail addresses. This trick worked because of the dotted Gmail feature and also because websites such as Netflix, eBay and Amazon, as well as government portals, treat the dot as a significant character and recognise dotted variants of the same address as different email addresses.
The report by Agari describes one group which used 56 dotted variations of a Gmail address to commit a large amount of fraud. Since early 2018, this group has used this fairly simple tactic to facilitate the following fraudulent activities:
- Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit

- Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks

- File 13 fraudulent tax returns with an online tax filing service

- Submit 12 change of address requests with the US Postal Service

- Submit 11 fraudulent Social Security benefit applications

- Apply for unemployment benefits under nine identities in a large US state

- Submit applications for FEMA disaster assistance under three identities

The report adds, "In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account. Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior."
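A site that accepts signups can detect the pattern the report describes by reducing each address to the mailbox that receives it and flagging bursts of differently written addresses that share one mailbox. The sketch below is an added example, not code from Agari or from the article; the function names, the 24-hour window, the three-account threshold and the sample signups are assumptions, and it goes slightly beyond the article by also handling the googlemail.com alias and Gmail's "+tag" suffix.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Gmail ignores dots in the local part; googlemail.com is an alias of gmail.com.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}

def canonical(email):
    """Map an address to the mailbox that actually receives its mail."""
    local, _, domain = email.strip().lower().rpartition("@")
    if domain in DOT_INSENSITIVE:
        # Beyond the article: Gmail also drops a "+tag" suffix.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def find_clusters(signups, min_accounts=3, window=timedelta(hours=24)):
    """Return {mailbox: [account ids]} for bursts of differently written
    addresses that all deliver to one mailbox within `window`.
    Threshold and window are assumed values; tune them per service."""
    groups = defaultdict(list)
    for account_id, email, created in signups:
        groups[canonical(email)].append((created, account_id, email.lower()))
    flagged = {}
    for mailbox, rows in groups.items():
        rows.sort()  # oldest signup first
        start = 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            burst = rows[start:end + 1]
            spellings = {written for _, _, written in burst}
            if (len(spellings) >= min_accounts
                    and len(burst) > len(flagged.get(mailbox, []))):
                flagged[mailbox] = [acct for _, acct, _ in burst]
    return flagged

# Constructed sample signups (hypothetical account ids and addresses).
T0 = datetime(2019, 2, 1, 9, 0)
SIGNUPS = [
    ("a1", "jane.doe.example@gmail.com", T0),
    ("a2", "janedoe.example@gmail.com", T0 + timedelta(minutes=5)),
    ("a3", "j.anedoeexample@gmail.com", T0 + timedelta(minutes=9)),
    ("a4", "JaneDoeExample@googlemail.com", T0 + timedelta(days=2)),
    ("b1", "jane.doe@example.org", T0),  # dots are significant here
    ("b2", "janedoe@example.org", T0 + timedelta(minutes=1)),
]

if __name__ == "__main__":
    for mailbox, accounts in find_clusters(SIGNUPS).items():
        print(mailbox, accounts)
```

Store the canonical form alongside the address the user typed rather than replacing it, so mail is still sent to the address as entered while uniqueness and abuse checks run on the canonical value.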

Source: gadgetsnow.com