Gmail’s Dotted Email Address Variant Helps Pull Off Phishing Attacks
The Gmail feature that ignores ‘.’ the dot in an email address (which makes an email address with a dot no different as the email address without a dot) is now being taken advantage by threat actors in order to pull a very clever phishing attack. The placement of the ‘.’ in the email address is ignored by Gmail, which makes firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org be treated as the same email address.
“We’ve seen multiple groups use the technique, but the article is just an example from one of those groups. In essence, this allows cybercriminals to centralize their fraudulent activity within a single Gmail account, rather than having to monitor a bunch of different accounts, increasing the efficiency of their operations,” said Crane Hassold, Agari’s Sr. Director of Threat Research.
The danger of such a feature is the fact that many of the online services these days use user’s email address as the single point of contact in order to reset passwords and recover online accounts. This already happened to a Netflix subscriber, when a hacker received the account recovery information of the Netflix subscriber, for posing as the user using a dotted email address similar to the genuine user’s email address.
“By utilizing this feature—which we will call Gmail “dot accounts”—these threat actors are able to scale their operations by opening multiple fraudulent credit card accounts, which they then use to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online information providers. In one case, a scammer was able to submit twenty-two separate applications, each under a different identity, and successfully open over $65,000 in fraudulent credit cards at a single financial institution,” explained Ronnie Tokazowski, Senior Threat Researcher at Agari.
Google has not taken action to fix this ‘bug’, but rather according to Agari threat researchers, the search giant made a claim that all dotted variants of the email address are considered owned by the original email address. “Google interprets the email address I created as badguy007[at]gmail.com, stripping out the period, and the same can be said if the dot was placed in any other place in the email address. In other words, this interpretation is a feature, not a bug. This also means that b.a.d.g.u.y.007[at]gmail.com and bad.guy.007[at]gmail.com and ba.dg.uy.007[at]gmail.com all direct incoming email to the same account,” added Tokazowski.
To add to this, the legacy domain of Gmail remains active to this day, @googlemail.com. That means the email address with a @gmail.com domain is treated the same way as the similarly named email address ending in @googlemail.com. This ‘bug’ also gives an added chance for phishers to be successful in their campaign. Though clever ways to pretend to be someone else, coupled with a legitimate-sounding email, information can be extracted much easier from gullible users.
Julia Sowells635 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.