BEC Actors Exploit Gmail 'Dot Accounts'
Reports state that more than $65,000 in fraudulent credit cards were opened at one financial institution.
Agari’s Cyber Intelligence Division regularly engages with business email compromise threat actors using active defense techniques. Recently it observed several scammers taking advantage of a feature Google built into Gmail addresses.
Ronnie Tokazowski, a senior threat researcher with Foster City, Calif.-based Agari, recently published research about a Google “dot” exploit that enabled criminal email gangs to rapidly create fraudulent accounts by managing them from a single email address.
“By utilizing this feature—which we will call Gmail ‘dot accounts’—these threat actors are able to scale their operations by opening multiple fraudulent credit card accounts, which they then use to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online information providers,” Tokazowski said.
All of those Gmail addresses were registered on a single website and directed all communication to a single Gmail account. This removes the need to create and monitor a new email account for every account fraudsters create on a website, ultimately making the fraud faster and more efficient.
In BEC exploits the invader obtains access to a corporate email account and spoofs the organization’s identity to scam the company or its employees, clients or associates.
Tokazowski noted in his research that, in one case, a scammer was able to submit twenty-two separate applications, each under a different identity, and successfully open over $65,000 in fraudulent credit cards at a single financial institution.
This group also:
- Registered for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks.
- Filed 13 fraudulent tax returns with an online tax filing service.
- Submitted 12 change of address requests with the U.S. Postal Service; 11 fraudulent Social Security benefit applications; and requests for FEMA disaster assistance under three identities.
- Applied for unemployment benefits under nine identities in a large U.S. state.
In total, the group used 56 different dot variants of a single Gmail email address to register accounts on websites used for fraudulent purposes.
In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts was associated with a different stolen identity, but all email from these services was received by the same Gmail account.
Tokazowski explained how they did it: “Let’s assume I create a Gmail account with the email address bad.guy007[at]gmail.com. Visually, it looks like the username ‘bad.guy007’ is separated by a period. According to Google, however, ‘you own all dotted versions of your address.’ This means that Google interprets the email address I created as badguy007[at]gmail.com, stripping out the period, and the same can be said if the dot was placed in any other place in the email address.” In other words, Tokazowski explained, this interpretation is a feature, not a bug. “This also means that b.a.d.g.u.y.007[at]gmail.com and bad.guy.007[at]gmail.com and ba.dg.uy.007[at]gmail.com all direct incoming email to the same account.”
Agari pointed out that warnings about the dangers associated with this feature were previously published by other researchers. While all dot variants of a Gmail account direct all email to the same inbox, the vast majority of the rest of the internet treats each variant as a distinct email address, associated with an exclusive account and identity. “For example, if I sign up for a Netflix account using the email address badguy007[at]gmail.com and then again with b.adg.uy007[at]gmail.com, Netflix—like most other online services—would think that these are two different accounts linked to two different people. This is where, and how, cybercriminals are able to take advantage,” Tokazowski wrote.
The Agari threat researcher observed, “To make matters worse, the ‘features’ of Gmail are not contained to simply ignoring periods. Email accounts ending in @googlemail.com are also routed to the same inbox as those that end in @gmail.com. Thus, emails sent to badguy007[at]gmail.com and badguy007[at]googlemail.com all end up in the same inbox.” Tokazowski added that, while they have not yet observed scammers using the googlemail.com domain to mass-create online accounts that all point to the same mailbox, the potential for exploiting this feature for malicious purposes remains the same.
Agari suggested that searching for instances of excessive dots in newly created accounts is one way online services can identify potential abuse, where threat actors use variants of Gmail dot accounts for fraudulent or nefarious activity.
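The following is an added example, not code from the article or from Agari, showing how an online service could apply the two Gmail behaviours described above (ignored periods and the googlemail.com alias) on the defensive side: it canonicalizes each signup address to the inbox Gmail would actually deliver to, then flags clusters of distinct identities that collapse to one inbox, as well as addresses with an unusually large number of dots. The signup records, the `max_dots` and `min_cluster` thresholds, and all function names are assumptions for illustration.

```python
from collections import defaultdict

# Domains that Gmail delivers to the same mailbox (per the article).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return the mailbox Gmail would actually deliver to.

    For Gmail addresses, periods in the local part are dropped and
    googlemail.com is folded into gmail.com. Other domains are only
    lower-cased, since their providers treat dots as significant.
    """
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        return local.replace(".", "") + "@gmail.com"
    return f"{local}@{domain}"


def dot_count(address: str) -> int:
    """Number of periods in the local part of an address."""
    local, _, _ = address.rpartition("@")
    return local.count(".")


def find_dot_account_clusters(signups, max_dots=2, min_cluster=2):
    """Group signup records by canonical mailbox and flag suspicious ones.

    signups: iterable of (email, identity_name) pairs, one per new account.
    Returns {canonical_address: [(email, identity), ...]} for every inbox
    that either receives mail for `min_cluster` or more distinct identities
    or has at least one registration with more than `max_dots` periods.
    """
    clusters = defaultdict(list)
    for email, identity in signups:
        clusters[canonical_gmail(email)].append((email, identity))

    flagged = {}
    for canon, members in clusters.items():
        identities = {ident for _, ident in members}
        excessive = any(dot_count(e) > max_dots for e, _ in members)
        if len(identities) >= min_cluster or excessive:
            flagged[canon] = members
    return flagged


# Constructed sample signups (hypothetical data, not from the article).
SAMPLE_SIGNUPS = [
    ("bad.guy007@gmail.com", "Alice Example"),
    ("b.a.d.g.u.y.007@gmail.com", "Bob Example"),
    ("bad.guy.007@googlemail.com", "Carol Example"),
    ("jane.doe@gmail.com", "Jane Doe"),
    ("someone@example.org", "Someone Else"),
]

if __name__ == "__main__":
    for canon, members in find_dot_account_clusters(SAMPLE_SIGNUPS).items():
        print(f"{canon}: {len(members)} registrations")
        for email, identity in members:
            print(f"  {email:32} -> {identity}")
```

The cluster check keys on distinct identities rather than distinct addresses, so a legitimate user who re-registers with a differently dotted version of their own address is not flagged on that basis alone; the dot-count check catches the heavily punctuated variants the article describes even before a second identity appears.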