Schneier on Security


In Gmail addresses, the dots don't matter. The account "bruceschneier@gmail.com" maps to the exact same address as "bruce.schneier@gmail.com" and "b.r.u.c.e.schneier@gmail.com" -- and so on. (Note: I own none of those addresses, if they are actually valid.)

This fact can be used to commit fraud:

Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud. Since early 2018, this group has used this fairly simple tactic to facilitate the following fraudulent activities:

  • Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
  • Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
  • File 13 fraudulent tax returns with an online tax filing service
  • Submit 12 change of address requests with the US Postal Service
  • Submit 11 fraudulent Social Security benefit applications
  • Apply for unemployment benefits under nine identities in a large US state
  • Submit applications for FEMA disaster assistance under three identities

In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account. Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.

This isn't a new trick. It has been previously documented as a way to trick Netflix users.

News article.

Slashdot thread.

Posted on February 6, 2019 at 10:24 AM • 4 Comments