The dots do matter: how to scam a Gmail user
More generally, the phishing scam here is:
- Hammer the Netflix signup form until you find a `gmail.com` address which is “already registered”. Let’s say you find the victim `jameshfisher`.
- Create a Netflix account with address `james.hfisher`.
- Sign up for free trial with a throwaway card number.
- After Netflix applies the “active card check”, cancel the card.
- Wait for Netflix to bill the cancelled card. Then Netflix emails `james.hfisher` asking for a valid card.
- Hope Jim reads the email to `james.hfisher`, assumes it’s for his Netflix account backed by `jameshfisher`, then enters his card `**** 1234`.
- Change the email for the Netflix account to `eve@gmail.com`, kicking Jim’s access to this account.
- Use Netflix free forever with Jim’s card `**** 1234`!
Actually, the blame lies with Gmail, and specifically Gmail’s “dots don’t matter” feature. The scam fundamentally relies on the Gmail user responding to an email with the assumption that it was sent to their canonical address, and not to some other address from their infinite address set.

Each Gmail user has one email address that they think of as theirs; all the others are mistakes.

Finally, Gmail users should be able to opt out of dots-don’t-matter. I wish for any mail sent to `james.hfisher@gmail.com` to bounce instead of reaching my inbox. The dots-don’t-matter feature should be disabled by default for any new Google accounts, and eventually retired.
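Both sides of this can be checked in code once you canonicalize addresses the way Gmail does. The following is an added example, not code from the post or from Gmail or Netflix: a canonicalizer (dots stripped and case folded in the local part for `gmail.com` only, since other providers may treat dots as significant), a signup-time check that would have reported `james.hfisher` as already registered, and a mailbox-side check that flags mail addressed to a non-canonical spelling of your own address, which is the opt-out behaviour the post asks for. The account set and addresses are constructed sample data.

```python
"""Gmail 'dots don't matter' checks, from the defender's side."""

# Domains that ignore dots in the local part. Assumption: only gmail.com
# is listed, as that is the only domain the post discusses.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}


def canonicalize(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail, dots in the local part are ignored and case is not
    significant, so 'James.H.Fisher@gmail.com' and 'jameshfisher@gmail.com'
    are one inbox. Other domains are left alone apart from lowercasing the
    domain, because other providers may treat dots as significant.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a plain email address: {address!r}")
    local, domain = address.split("@")
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "").lower()
    return f"{local}@{domain}"


def registration_conflicts(new_address: str, existing: set[str]) -> list[str]:
    """Service-side check at signup: existing accounts that share a mailbox
    with new_address. A non-empty result means the 'new' address is really
    an already-registered user and must not be treated as a fresh account."""
    target = canonicalize(new_address)
    return sorted(a for a in existing if canonicalize(a) == target)


def is_dotted_variant(to_address: str, my_address: str) -> bool:
    """User-side check: True when a message is addressed to a spelling of my
    address that differs from the one I actually use, i.e. mail that would
    bounce under the opt-out the post asks for."""
    same_mailbox = canonicalize(to_address) == canonicalize(my_address)
    return same_mailbox and to_address.strip().lower() != my_address.strip().lower()


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    accounts = {"jameshfisher@gmail.com", "eve@gmail.com", "john.smith@example.com"}
    print(registration_conflicts("james.hfisher@gmail.com", accounts))  # ['jameshfisher@gmail.com']
    for to in ("jameshfisher@gmail.com", "james.hfisher@gmail.com", "J.A.M.E.S.hfisher@gmail.com"):
        print(to, "->", "flag" if is_dotted_variant(to, "jameshfisher@gmail.com") else "ok")
```

A service that keys accounts on `canonicalize(address)` rather than the raw string cannot hand out a second account on the same inbox, which removes the step the scam depends on.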