Gmail offers a nifty “dot” feature which redirects all emails to the same account in case users have mistakenly added a dot or a period in the recipient's email address. But cybercriminals are exploiting the same feature to commit crimes such as filing fake tax returns, availing financial benefits from government agencies, extending the trial period of online services, and credit fraud among others. As per a report, the bad actors have been exploiting the feature to commit a diverse array of scams since early 2018.
The Gmail dot feature fraud, that was discovered by security firm Agari and was first reported by Axios, was primarily employed to commit BEC (Business Email Compromise) scams. So, how did this happen? The Gmail dot feature ensures that emails intended for a particular recipient reaches them if the sender accidentally adds (or forgets) a dot or period in the username. For example, if someone intends to send an email to firstname.lastname@example.org mistakenly sends it to email@example.com, the email will be delivered to the intended recipient who owns the correct username, or vice versa - if someone intends to send an email to firstname.lastname@example.org, and mistakenly sends it to email@example.com.
Since Gmail is the only major service provider to follow this practice of making these email addresses indistinguishable, service providers continue to treat each dot variant of the email address as a separate one, and indirectly, a different individual. While many of us have used this Gmail 'feature' to register 'different' emails to the same service provider, such as Netflix, it appears
The dot variants of a username used to file fake tax returns
Photo Credit: Agari
This vulnerability makes the process of scaling up a fraud much easier. As per the findings of security experts, a group of cybercriminals exploited the Gmail dot feature to avail around $65,000 (roughly Rs. 46,52,400) in credits from four banking institutions in the US. Moreover, they reportedly registered 14 different trial accounts with commercial services, filed 13 fraudulent tax returns before an online tax filing service and submitted 12 address change requests with the US postal service. Moreover, the feature was also misused to avail financial allowances such as social security benefits as well as disaster assistance and unemployment benefits under different identities.
Cybersecurity experts identified a total of 56 variants of an email address belonging to a single individual but differentiated by the placement of a dot in the username to bamboozle the service providers. And since all the emails intended for a supposedly different user were delivered to the same account, thanks to the Gmail dot feature, it became very easy for the bad actors to manage their fraudulent activities.
Separately, Crane Hassold, Senior Director of Threat Research at Agari told ZDNet that the Gmail dot feature is only one of several Gmail features that can be used by scammers, such as the plus sign (where firstname.lastname@example.org redirects emails to email@example.com), and the legacy googlemail.com domain. While exploits on these features haven't yet been spotted in the wild, Hassold says they are just as efficient as the Gmail dot feature.