In Gmail addresses, the dots don’t matter. The account “” maps to the exact same address as “” and “” — and so on. (Note: I own none of those addresses, if they are actually valid.)
This fact can be used to commit fraud:

Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud. Since early 2018, this group has used this fairly simple tactic to facilitate the following fraudulent activities:
Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
File 13 fraudulent tax returns with an online tax filing service
Submit 12 change of address requests with the US Postal Service
Submit 11 fraudulent Social Security benefit applications
Apply for unemployment benefits under nine identities in a large US state
Submit applications for FEMA disaster assistance under three identities
In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services is received by the same Gmail account. Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.
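The pattern in the report excerpt above, many sign-ups under one Gmail inbox with the dots moved around, is detectable on the service side if addresses are canonicalized before comparing them. The following is an added example, not code from the report or from this post: it maps each address to the mailbox that actually receives it (for gmail.com and its googlemail.com alias, dots are dropped and a "+tag" suffix is stripped; other domains are only lower-cased) and flags mailboxes tied to several distinct identities within a short window. The sample sign-up log, the identity labels and the seven-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Domains where Google ignores dots in the local part (googlemail.com is an
# alias of gmail.com). For other providers dots are significant.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(address: str) -> str:
    """Return the mailbox that actually receives mail for `address`.
    For Gmail, dots are ignored and a '+tag' suffix goes to the same inbox."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def find_shared_mailboxes(signups, window=timedelta(days=7), min_identities=2):
    """Flag mailboxes that registered `min_identities` or more distinct
    identities within `window`. `signups` holds (timestamp, email, identity)
    tuples; returns {canonical_mailbox: sorted identities} for flagged ones."""
    by_mailbox = defaultdict(list)
    for ts, email, identity in signups:
        by_mailbox[canonical_email(email)].append((ts, identity))
    flagged = {}
    for mailbox, events in by_mailbox.items():
        events.sort()
        # Sliding window over the sorted events: distinct identities per span.
        for i, (start, _) in enumerate(events):
            ids = {ident for ts, ident in events[i:] if ts - start <= window}
            if len(ids) >= min_identities:
                flagged[mailbox] = sorted({ident for _, ident in events})
                break
    return flagged

# Constructed sample sign-up log (not real data): one Gmail inbox under varying
# dot placements, each tied to a different applicant identity.
SAMPLE_SIGNUPS = [
    (datetime(2018, 3, 1, 9, 0), "jane.doe@gmail.com", "identity-A"),
    (datetime(2018, 3, 1, 9, 30), "ja.ne.doe@gmail.com", "identity-B"),
    (datetime(2018, 3, 2, 14, 0), "j.a.n.e.d.o.e@googlemail.com", "identity-C"),
    (datetime(2018, 3, 3, 11, 0), "someone.else@example.org", "identity-D"),
    (datetime(2018, 3, 3, 12, 0), "someoneelse@example.org", "identity-E"),
]

if __name__ == "__main__":
    for mailbox, ids in find_shared_mailboxes(SAMPLE_SIGNUPS).items():
        print(f"{mailbox}: {len(ids)} identities {ids}")
```

The two example.org rows are deliberately left unflagged: dots are significant there, so they are different mailboxes and must not be merged.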

This isn’t a new trick. It has been previously documented as a way to trick Netflix users.
News article.
Slashdot thread.
Tags: Gmail, credit cards, e-mail, fraud, scams

Author: Bruce Schneier