- A number of online groups are using a very old Gmail-specific feature to scam users.
- The “dot account” feature found in Gmail allows scammers to disguise themselves as legitimate users to file for benefits, tax returns and more.
- Google has not responded to the issue, and no changes to how Gmail addresses work have been planned so far.
A number of cybercriminal groups are abusing a long-standing Gmail feature to file fake tax returns, unemployment benefit claims and more. The email provider’s “dot account” feature essentially ignores the placement of dots in email addresses. Internet users have relied on the trick for many years to create trial accounts without making new Gmail IDs.
According to a report by Agari, security researchers identified a scammer group that took advantage of the dot accounts feature to trick Netflix users into adding card details. The issue arises because websites treat email addresses with different dot placements as unique addresses, while Gmail delivers them all to the same account. These kinds of scams can only affect Gmail users, as other email providers do not allow the same name to be used with different dot placements.
Crane Hassold, who is the Senior Director of Threat Research at Agari, revealed that a number of groups have been using the technique and “the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account.”
Over $65,000 in fraudulent credit was approved because of the recent scams, and a number of fake tax returns and benefit claims have been made. The “dot accounts” technique is not the only one scammers can use. The “googlemail.com” domain also redirects emails to their respective Gmail accounts. However, there have been no documented instances of scammers using that method so far.
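
A website can close the gap described above by comparing sign-ups on the mailbox that actually receives the mail rather than on the address as typed. The following is an added example, not code from Agari's report or from Google: the function names, the 24-hour window, the two-variant threshold and the sample records are all assumptions made for illustration, and it covers both the dot placement and the “googlemail.com” domain mentioned above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # both reach the same mailbox


def canonical_mailbox(address):
    """Map an address as typed to the mailbox that actually receives it."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dot placement; other providers are left untouched.
        return local.replace(".", "") + "@gmail.com"
    return f"{local}@{domain}"


def find_dot_clusters(signups, window=timedelta(hours=24), min_variants=2):
    """Return {mailbox: [spellings]} for mailboxes that registered several
    distinct address spellings within `window` (assumed threshold values)."""
    by_mailbox = defaultdict(list)
    for when, address in signups:
        by_mailbox[canonical_mailbox(address)].append((when, address.strip().lower()))
    clusters = {}
    for mailbox, events in by_mailbox.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            variants = {addr for _, addr in events[start:end + 1]}
            if len(variants) > len(best):
                best = variants
        if len(best) >= min_variants:
            clusters[mailbox] = sorted(best)
    return clusters


# Constructed sample sign-up records: (timestamp, address as entered).
SIGNUPS = [
    (datetime(2019, 2, 1, 9, 0), "sample.user@gmail.com"),
    (datetime(2019, 2, 1, 9, 4), "s.ampleuser@gmail.com"),
    (datetime(2019, 2, 1, 9, 7), "sampleuser@googlemail.com"),
    (datetime(2019, 3, 15, 12, 0), "sa.mple.user@gmail.com"),  # outside window
    (datetime(2019, 2, 1, 9, 5), "first.last@example.org"),
    (datetime(2019, 2, 1, 9, 6), "firstlast@example.org"),  # non-Gmail: distinct
]
```

Calling `find_dot_clusters(SIGNUPS)` reports the three spellings that reached one Gmail mailbox within minutes of each other and leaves the two `example.org` addresses alone, since dots are only known to be ignored on the Gmail domains.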