Using Gmail "Dot Addresses" to Commit Fraud

In Gmail addresses, the dots don't matter. The account "bruceschneier@gmail.com" maps to the exact same address as "bruce.schneier@gmail.com" and "b.r.u.c.e.schneier@gmail.com" -- and so on. (Note: I own none of those addresses, if they are actually valid.)

This fact can be used to commit fraud:

Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud. Since early 2018, this group has used this fairly simple tactic to facilitate the following fraudulent activities:

  • Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
  • Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
  • File 13 fraudulent tax returns with an online tax filing service
  • Submit 12 change of address requests with the US Postal Service
  • Submit 11 fraudulent Social Security benefit applications
  • Apply for unemployment benefits under nine identities in a large US state
  • Submit applications for FEMA disaster assistance under three identities

In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services is received by the same Gmail account. Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.

This isn't a new trick. It has been previously documented as a way to trick Netflix users.
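The dot-normalization behaviour described above, seen from the side of a site that wants to notice it, as an added example that is not code from the original post or from the report it quotes: the function canonicalizes Gmail addresses (dots removed, "+" subaddress dropped, googlemail.com folded into gmail.com, other domains left alone) and clusters sign-ups that all land in one mailbox so a reviewer can spot the pattern. The sample sign-up records and names are constructed for illustration.

```python
from collections import defaultdict

# Gmail ignores dots in the local part, treats everything after '+' as a
# subaddress tag, and delivers googlemail.com mail to the same inbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail domains: lowercase, drop the '+tag', remove every dot in the
    local part, and fold googlemail.com into gmail.com. For any other domain
    only the domain is lowercased; the local part is left untouched, since
    per RFC 5321 only the receiving host may assign it semantics.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def cluster_signups(records):
    """Group (account_id, email) pairs by canonical mailbox and return only
    the clusters holding more than one account, i.e. the ones worth review."""
    clusters = defaultdict(list)
    for account_id, email in records:
        clusters[canonical_mailbox(email)].append(account_id)
    return {box: ids for box, ids in clusters.items() if len(ids) > 1}


# Constructed sample sign-ups (hypothetical): four accounts land in one
# Gmail inbox, one is a different Gmail user, and one is a non-Gmail
# address that must not be dot-normalized.
SAMPLE_SIGNUPS = [
    ("acct-1", "john.doe@gmail.com"),
    ("acct-2", "johndoe@gmail.com"),
    ("acct-3", "j.o.h.n.doe+card@googlemail.com"),
    ("acct-4", "John.Doe@Gmail.com"),
    ("acct-5", "jane.doe@gmail.com"),
    ("acct-6", "john.doe@example.org"),
]

if __name__ == "__main__":
    for mailbox, ids in cluster_signups(SAMPLE_SIGNUPS).items():
        print(f"{mailbox}: {len(ids)} accounts -> {', '.join(ids)}")
```

Run against a site's sign-up table, the same grouping also serves the point made later in the thread that one shared inbox makes every linked account easy to find once one of them is flagged.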

News article.

Slashdot thread.

Posted on February 6, 2019 at 10:24 AM • 29 Comments

Comments

Don • February 6, 2019 10:56 AM

You can also use a plus sign in the address after the username, before the @ to add a customizable code. bruce+blah@gmail.com and bruce+wellsfargo@gmail.com and bruce+wpa2@gmail.com all go to the address bruce@gmail.com and then filter into a folder based on what is after the plus sign. Infinite customizable email addresses, not even limited to how many dots you can put between letters (although you can count in binary with the dots and have hundreds of combinations, the plus code is a lot easier on the human mind).

Frank • February 6, 2019 11:03 AM

If I use a gmail account like 'firstnamelastname@gmail.com' and include a dot,

firstnamelast.name@gmail.com, and use it to create an account for, say, Amazon and only use 'firstnamelastname@gmail.com' for gmail.com, does this not help avoid fraud when the Amazon gmail account password is different?

What's the difference when email services also allow aliases, compared to gmail DOTs (periods)?

Add or remove an email alias in Outlook.com
"If you want to use a new email address with your existing Outlook.com account, follow the instructions in this article to create an email alias. This will give you an additional email address that uses the same inbox, contact list, and account settings as your primary email address. You can choose which email address to send mail from, and you can sign in to your Outlook.com account with any of your aliases—they all use the same password."
https://support.office.com/en-us/article/add-or-remove-an-email-alias-in-outlook-com-459b1989-356d-40fa-a689-8f285b13f1f2

Fake Bruce • February 6, 2019 11:26 AM

> (Note: I own none of those addresses, if they are actually valid.)

But now we know to register that address so we can all pretend to be Bruce!

Nick Nolan • February 6, 2019 12:07 PM

There is a difference between local-part normalization and subaddressing (using the plus sign).

Anything-goes local-part normalization is a mistake in email standards, at least in retrospect. The receiver can't make any assumptions about two local parts being the same email address unless they match exactly. The host-specified part can be case sensitive or not, ignore dots or not, ignore characters after some specified length, ignore numbers or some letters.

Subaddressing is defined well enough. Everything before the + sign identifies the address; after the + sign is the subaddress.

Andy Lee Robinson • February 6, 2019 12:10 PM

There's a special place in hell for whoever dreamed this up.
So now every mail client and web form on the planet should be modified to execute a s/\.//g on the user part of the address to ensure uniqueness for any gmail address before any further validation is performed.
Simply rejecting emails with more than 2 dots would help, but there's still a lot of combinations available using 2 dots.
Still, this attack method can be mitigated and probably eradicated by flagging for human oversight.

Jordan • February 6, 2019 12:47 PM

Balderdash.

If they couldn't do this, they would have to... create 48 distinct accounts.

Oh, wow. That would stop them.

Being able to funnel the mail into one mailbox is a convenience for the villains, sure, but it's actually a security risk for them. It makes it easier for the businesses to find all of the affected accounts, once one is discovered.

David Ramos • February 6, 2019 12:48 PM

Maybe the real problem here is using email addresses as identifiers. The 'spec' clearly allows Google to use dots as they do. It seems to me that assumptions were made (by everyone) about email addresses that are not true. As has been pointed out, other email services allow aliases. This particular exploit is interesting because of its ease and number of possible combinations. Aliases require an extra step.
I would hesitate to place blame solely on Google. This is an example of an exploit stemming from the complex interactions of systems that were not necessarily designed for the purpose they are being used for. Is there a way to fix this? Could it have been prevented?

Daniel Joubert • February 6, 2019 1:16 PM

I don't think it is a security issue or exploit on Google's side. As stated: "...thereby increasing productivity."
It just makes committing fraud easier.

dzek • February 6, 2019 1:49 PM

Aaaand... where is the problem? Or Gmail's fault?

Do you know that you could use free hosting with a custom (free) domain and the catch-all trick, making ANYTHING@mydomain.com available in a single inbox?

You're using free stuff, so you're not leaving any real data to get access to such mail (Gmail sometimes requires a valid phone number, for example),

even more "shady" (if you like to be suspicious about anything)

yet it's available for everyone for free

Peter • February 6, 2019 2:34 PM

Item 1 in "fraudulent activity" list is

Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit

I find that hard to believe until verified.
It takes more than an email address to have a credit card application approved.

A • February 6, 2019 5:51 PM

Or, you know, they could just create a new gmail account for each crime, and use gmail's email forwarding feature to forward all the email to a single central email address.... They could even flag it with email+crime#andDescription@gmail.com in the forwarding address.

What am I missing here?

(required) • February 6, 2019 8:16 PM

> (Note: I own none of those addresses, if they are actually valid.)

Shouldn't you? Just to lock them off as possible annoyances? It would take an hour.

:)

Finder • February 6, 2019 9:37 PM

How is it possible that such a contrarian "convention" could be made default on a major email solution like Gmail? IGNORE the DOTS? Seriously. Who put their John Hancock on that decision? I want a name, that's ridiculous.

RealFakeNews • February 6, 2019 9:44 PM

The first time I read this I couldn't see the problem.

I still can't see the problem.

The e-mail address can be, in effect, malformed so the target system where it is used (e.g. for log-in) can be fooled into thinking they are distinct addresses, while GMail treats them all as the same.

Big deal.

The real issue is how scammers managed to gain $65000 of credit using this method.

I agree that if GMail treats my.address@gmail the same as m.y.address@gmail that all systems should be configured to strip periods and everything after the + from GMail addresses to prevent duplication.

Beyond that...it's not really a problem.

Weather • February 6, 2019 11:17 PM

Ha I get it, it adds one to a buffer and counter, but another counter nothing,
Maybe with a debugger there could be a Google. Com hack

Jane • February 7, 2019 7:41 AM

How is this a problem with the email spec or any email provider??

As others have mentioned -- it is no different from using throw-away addresses and forwarding them to a single address.

I am surprised that this feature appears to be "news" to so many posters here. This used to be the recommended practice to find out which retailers are spamming you the most! I still use a throw-away address and put the dots in different positions to create forward and spam rules.

Jordan • February 7, 2019 11:03 AM

After a while in a company where mailing list names had words separated by dashes, underscores, or periods - sometimes mixed in one name - I've started to be fond of the idea of ignoring all punctuation.

From a human perspective, it seems very likely that fred.flintstone, fred_flintstone, and fredflintstone are all intended to refer to the same person... and that if you let them refer to different people, you're probably not doing any of them a favor.

Cindy • February 7, 2019 11:46 AM

While not fraud, this explains why I repeatedly get emails, sometimes important ones involving employment applications and bank accounts, for others with similar names. They must be creating gmail addresses with periods that then resolve to an address without them, mine. Am I understanding this correctly?

I always liked the fact that I had an easy email address, but I'm thinking I should change it to something a bit more complicated. Gmail really should do something about this.

Mrs. Hygeia, Grade 1 teacher • February 7, 2019 12:39 PM

Report Card

General comments

Little Google needs to work harder on playing nicely with others. Failure to abide by friendly rules such as "accept widely, emit narrowly" needlessly disturbs the class.

Jeremy • February 7, 2019 2:48 PM

Like several other commenters, I don't see how this is a security story. If I'm understanding correctly, no part of the fraud would have become impossible if Gmail worked differently.

This seems like writing about how bank robbers wear comfortable shoes or burglars use contact lenses. They are using the tech in the way it was designed to be used; they just happen to ALSO be committing crimes at the same time.

If you are running a web site where a single person signing up for multiple accounts would pose a problem, then you shouldn't be relying on email addresses to check whether two accounts belong to the same person.

John Doe • February 7, 2019 3:46 PM

Sounds like edge case problems to me. I use symbols extensively to make unique addresses for the same mailbox and I consider it a feature. Banning dots on the Gmail service would just force the scammers to switch services or buy a domain and use catch-all emails. By the way, email addresses with a custom domain have a lower fraud rating so this would benefit attackers. In the case of an attacker signing up multiple Netflix accounts on the same mailbox, that's on Netflix for failing to use email confirmations.

Isterband • February 7, 2019 3:58 PM

I don't get it. How does this work?

Here from the blog post:
"In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account."

What are those "on each website"? gmail.com and gmail.com and gmail.com?

"Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account."
What does that mean? What is it to be "received" by the same Gmail account?

"Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior."
How does a small set of email (gmail?) accounts increase productivity? How does a gigantic set of email accounts decrease productivity?

I don't understand this at all. Who does what with which accounts and why? And what does the different way of typing a gmail account have to do with it? And the short period of time? I think the explanation severely lacks clarity. Who is the target and where lies the fraud? Can a gmail user become a victim, or are those "each websites" the victims?

Rombobjörn • February 7, 2019 4:43 PM

Everyone who believed that two different email addresses can never belong to the same person, please raise a hand.

Adi • February 7, 2019 6:16 PM

With a dedicated domain hosted with Google you don't even need dots or plus-aliased addresses. Gmail has an improved version of this for GSuite domain users: wildcard mailboxes.

You can designate one of the domain accounts to act as a catch-all and you can then have single-purpose-use-only addresses, just like the plus-aliased ones but without giving any clue that the address is a dynamic alias.

This is all pretty much according to the SMTP standard, RFC 5321, section 2.3.11, which says:

As used in this specification, an "address" is a character string
that identifies a user to whom mail will be sent or a location into
which mail will be deposited. The term "mailbox" refers to that
depository. The two terms are typically used interchangeably unless
the distinction between the location in which mail is placed (the
mailbox) and a reference to it (the address) is important. An
address normally consists of user and domain specifications. The
standard mailbox naming convention is defined to be
"local-part@domain"; contemporary usage permits a much broader set of
applications than simple "user names". Consequently, and due to a
long history of problems when intermediate hosts have attempted to
optimize transport by modifying them, the local-part MUST be
interpreted and assigned semantics only by the host specified in the
domain part of the address.

Marc T • February 7, 2019 7:03 PM

@Cindy: No, those people (whose misdirected email you're receiving) made some other mistake, or - more likely - they dictated their email address to somebody over the phone, and _they_ screwed up. This happens to me frequently - there appear to be about 20 people in the US with my first and last names, and at least two of them keep signing up for stuff with my address instead of their own.

Assuming that your name is Cindy Jones, and that your address is cindy.jones@gmail.com:
- If I send mail to cindyjones@gmail.com, or c.i.n.dy.jones@gmail.com, or any other variation of your address that just adds or subtracts dots, it will be delivered to your address.
- If you, or I, or anybody else, tries to sign up for a new GMail account as "cindyjones", "c.i.n.d.y.jones", etc. - they will be told that that account is already taken.

However, if some other Cindy Jones (let's call her Cindy Lou Jones) has the address cindyljones@gmail.com BUT she forgets to type the "l" when she's filling out the leasing form, her mail will be delivered to you. Machines can't read minds, after all (yet.)

WaitAMinute • February 7, 2019 8:39 PM

In most of the cases mentioned, the gmail "quirk" just makes fraud easier for the perps. The REAL problem - and responsibility - lies with those getting defrauded (e.g. the bank issuing fraudulent credit, USPS address changes, SSA benefits, etc.): these organizations clearly don't have appropriate identity vetting policies and procedures in place.

Regarding the Netflix fraud in the linked article, the REAL problem there is that in order for it to work, someone has to click on a link in an email message sent to them. DON'T EVER CLICK ON LINKS IN EMAIL MESSAGES! Esp. for email messages beckoning impending doom.

Remember, there is no such thing as "Identity Theft" - it's just fraud.

Jonah • February 8, 2019 9:28 AM

Bruce, just wanted to leave a general comment. I've watched numerous interviews and talks you've given. I love your philosophies on trust and security. I don't know if you'll read this or see this. But I really believe you could try to reach out to Joe Rogan and do a podcast with him. Seriously, it would be dynamite. He just had Jack Dorsey on recently talking about twitter, bitcoin, game theory etc. and perhaps you could add some counterpoint to that discussion. I'm taking it on as a personal campaign to try to make this happen. Maybe you don't want to, and if that's the case then please let me know. I just think your thoughts are extremely valuable and Joe's podcast is the perfect platform for more people to hear a free discussion about these things.

Respectfully,

Jonah (just a random guy who had an idea that Bruce Schneier could do a podcast with Joe Rogan; I'm not affiliated with Joe, or anybody or any company related to his podcast.)


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.