
Gmail "dots don't matter" feature exposes Netflix users to phishing attacks

Filip TRUȚĂ

April 10, 2018


If your Netflix account is registered with a Gmail address, beware of any emails from Netflix asking you to renew your payment info. This, according to a developer who came within inches of paying someone else's Netflix bill with his credit card number.

James Fisher signed up for Netflix in 2013 using jameshfisher@gmail.com, an email address that Google considers the same as james.hfisher@gmail.com because of the infamous "dots don't matter" feature that Google insists is a good thing for users.

A person with a similar name in a different state had used this email address to sign up for Netflix. When something went wrong with the billing, Netflix emailed the real Fisher, asking him to renew his credit card details, not knowing that someone else was behind the dotted version of the address.

As Fisher recalls, he was seconds away from renewing his credit card number, essentially supplying a valid payment for someone else's Netflix service, when he noticed that something was amiss.

“The email is genuinely from netflix.com, so I clicked the link,” Fisher writes. “It logged me in and took me to an ‘Update your credit or debit card’ page, which is genuinely hosted on netflix.com. No phishing here. But hang on, the ‘Update’ page showed my declined card as **** 2745. A card number I don't recognize. Checking my records, I've never seen this card number. What's going on?”

“I finally realized that this email is to james.hfisher@gmail.com. I normally use jameshfisher@gmail.com, with no dots. You might think this email should have bounced, but instead it reached my inbox, because ‘dots don't matter in Gmail addresses.’”

He then demonstrates how a standard phishing scam could take advantage of this mismatch in how the two services treat addresses. Indeed, it seems ridiculously easy to exploit and trick someone into paying for your Netflix membership.

Fisher condemns Google for keeping the "dots don't matter" feature, even though the search giant itself once admitted that the feature could be "confusing" to users. He proposes amending the Gmail feature set but believes Google should retire the feature altogether.

Security heavyweight Bruce Schneier calls it "an example of two systems without a security vulnerability coming together to create a security vulnerability." Indeed, neither service is fully to blame for this issue but, now that the word is out, maybe one of them will address it.

As a rule of thumb, be wary of any email asking you to renew billing information. This Gmail/Netflix mix-up is a perfect example of a phishing scam created out of thin air by exploiting legitimate functionality in disparate services. Always check that all personal information in the mail is legitimate, and never supply your credit/debit card details, or renew your password, before double checking that it is indeed necessary to make such changes.

Phishing remains one of the most popular attack vectors for bad actors, and the biggest threat to online services. Google itself conducted a study with the University of California, Berkeley revealing that phishing was the greatest threat to account-based online services in 2017.

Data compiled by experts in email analytics shows that 87.6% of root domains operated by top e-retailers in the US and EU are exposing their consumers to phishing scams.
