In present times, cybercriminals are taking advantage of Gmail Dot feature to get financial benefits. Dot feature is one of the most important features that redirect all emails to the same account in case users have mistakenly added a dot or a period in the recipient’s email address. On the other hand, cybercriminals are exploiting the same feature for committing various crimes in various forms such as credit fraud, availing financial benefits from government agencies, filing fake tax returns, extending the trial period of online services. The Gmail Dot Feature was first discovered by the security firm Agari and reported by Axios.
The special thing about this feature is that those emails which are intended for a particular recipient reach to people if the sender accidentally adds a dot in the username. For example, if someone intends to send an email to “email@example.com” but mistakenly sends it to “firstname.lastname@example.org” then the email will be automatically delivered to the intended recipient. Till now, Gmail is the largest service provider that is following this practice. We all have used Gmail feature to register “different” emails to the service provider such as Netflix. Gmail also has two other features that scammers could potentially similarly abuse in the future. The first is plus sign and the second is the legacy @googlemail.com domain.
Also Read : Google to Shut Hangout by 2020!
As the research conducted by security experts, it is revealed that a group of cybercriminals exploited the Gmail dot feature to avail around $65,000 in credits from four banking institutions in the US. They reportedly registered 14 different trial accounts with commercial services, filed 13 fraudulent tax returns before an online tax filing service and submitted 12 address change requests with the US postal service. The feature was misused to avail financial allowances such as social security benefits, disaster assistance, and unemployment benefits under different identities. Crane Hassold, Senior Director of Threat Research said that this Gmail dot feature is the only single feature that was used by scammers to redirect emails in the present era of technology. He further stated that these features haven’t yet been spotted in the wild.
On the other hand, this feature can be problematic to mobile app development companies that support the creation of new user accounts on their websites. Gmail feature itself did not enable any kind of scams but it has just made it easier for the BEC attackers to monitor and receive communications across the multiple accounts just by using a single Gmail address. Crane Hassold also said in press conference that organizations can either treat dots the way that Google treats dots, or they can monitor for rapid-account creation from email addresses that include multiple dots to flag potentially suspicious behavior.