Gmail has offered a nifty “dot” feature which will redirect all the emails to the same account in the case of users mistakenly adding a dot or a period in the recipient’s email address. The cybercriminals have been exploiting this in order to commit crimes like filing fake tax returns, availing financial benefits from government agencies, extending the trial period of certain online services, and credit fraud.
The feature’s fraud was discovered by security firm Agari and it was reported by Axios, which has been primarily employed to commit BEC (Business Email Compromise) scams. A use case of the feature- if someone wishes to send an email to [email protected] and sends it to [email protected], the email will be automatically delivered to the intended recipient of the correct username, as well as vice-versa.
Gmail makes their email addresses indistinguishable, and service providers have continued to treat each and every dot variant of the email address as a separate one, consequently, a different individual.
This vulnerability has made easier for frauds to misuse this feature. Security experts have claimed that a group of cybercriminals have exploited the Gmail feature and availed a whopping $65,000 (approximately Rs. 46,52,400) in credits from four banking institutions in the US. The reports registered 14 different trial accounts which used commercial services, had filed 13 fraudulent tax returns before filing an online tax filing service and has submitted 12 address change requests with the US postal service. This feature also misused the financial allowances like the social security benefits, disaster assistance and unemployment benefits under different identities.
Cybersecurity experts have identified a total of 56 variants of an email address which belonged to a single individual but had been differentiated with the help of a dot in the usernames for the service providers.
Crane Hassold, the Senior Director of Threat Research at Agari told ZDNet that the Gmail dot feature has only remained as one of the many Gmail features which could be used by fraudsters, like the plus sign (where [email protected] can be redirected to [email protected]), and the legacy googlemail.com domain. Scams regarding these features haven’t come out but Hassold went on to say that they are as efficient as the Gmail dot feature.