“Dots don’t matter” is a feature Google has built into Gmail: if someone accidentally adds dots to your address when emailing you, you still get that email. For example, if your email is [email protected], you own all dotted versions of your address.
The intention is good, but it also opens a door for a phishing scam. Here is an example.
James Fisher received an email from Netflix asking him to update his payment details.
Since the email was genuinely from Netflix, he clicked the link. It logged him in and took him to an “Update your credit or debit card” page, again genuinely hosted on Netflix. No phishing spotted so far.
But then he noticed that he did not recognize the credit card number shown on the update page: he had never seen that number and had certainly never used such a card. What was going on?
James finally realized that the email had been sent to [email protected], an address with a dot in it, while the address he actually uses has none. The email should have bounced, but instead it landed in James’ inbox, thanks to Gmail’s “dots don’t matter” feature.
Here is how the scam plays out, as James eventually pieced it together:
- Hammer the Netflix signup form until you find a gmail.com address that is “already registered”. Let’s say you find the victim, jameshfisher.
- Create a Netflix account with the dotted address james.hfisher.
- Sign up for a free trial with a throwaway card number.
- After Netflix applies the “active card check”, cancel the card.
- Wait for Netflix to bill the canceled card. Netflix then emails james.hfisher asking for a valid card.
- Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, and enters his card.
- Change the email on the Netflix account to [email protected], kicking Jim out of the account.
- Use Netflix free forever with Jim’s card.
So, dots do matter in some cases.
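The scam only works because the service treats `james.hfisher` and `jameshfisher` as two different customers while Gmail delivers both to one inbox. The defence on the service side is to canonicalise addresses before any “already registered” check, so a dotted variant of an address already on file is recognised as the same mailbox. The following Python is an added example, not code from the original post or from Netflix; it implements Gmail’s consumer-account rules (dots in the local part ignored, `+suffix` ignored, case-insensitive, `googlemail.com` as an alias of `gmail.com`) and applies them to a constructed list of registered users. The `REGISTERED` sample and the addresses in the demo are constructed for this illustration.

```python
"""Canonicalise Gmail addresses before a sign-up uniqueness check.

Added example (not part of the original post). Gmail consumer accounts
ignore dots in the local part, ignore anything after a '+', compare the
local part case-insensitively and accept googlemail.com as an alias of
gmail.com. Other domains are only lower-cased: dot-insensitivity is a
Gmail-specific rule (Google Workspace custom domains do not get it), so
applying it to every provider would wrongly merge distinct users.
"""
from typing import Iterable, Optional

# Domains on which Google's dot/plus rules apply (consumer Gmail only).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the canonical mailbox form of an address.

    Raises ValueError for anything that is not a single user@domain pair,
    so a sign-up handler fails closed rather than storing junk.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        # Drop a +suffix first, then remove every dot in the local part.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when two spellings deliver to the same inbox."""
    return canonical_email(a) == canonical_email(b)


def find_collision(new_address: str, registered: Iterable[str]) -> Optional[str]:
    """Return the already-registered address that shares a mailbox with
    new_address, or None. A sign-up form should refuse (or route to
    account recovery) whenever this returns a value, even if the raw
    strings differ."""
    target = canonical_email(new_address)
    for existing in registered:
        if canonical_email(existing) == target:
            return existing
    return None


# Constructed sample of an existing customer table (not real accounts).
REGISTERED = [
    "jameshfisher@gmail.com",
    "jane.doe@example.org",
]


if __name__ == "__main__":
    # The dotted variant the scam relies on collides with the victim's
    # account once both are canonicalised; a non-Gmail address with a
    # dot removed does not, because dots are significant there.
    for candidate in ("james.hfisher@gmail.com", "janedoe@example.org"):
        hit = find_collision(candidate, REGISTERED)
        print(f"{candidate:28} -> {'collides with ' + hit if hit else 'no collision'}")
```

Storing `canonical_email()` alongside the raw address and comparing on the canonical column is the minimal change; the raw string can still be used for display and delivery. The same function also deduplicates sign-up attempts that differ only by a `+tag`, which closes the free-trial abuse in the list above as well.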
/via James Fisher/