Fraud Indicator: Dot Variant Email Aliases

INTRODUCTION AND RECOMMENDATION

On 14MAY2021, Abidemi Rufai, a pandemic unemployment scammer from Lekki, Nigeria, was arrested at JFK airport as he attempted to leave the country.  In the DOJ press release about the event we learned that he had “used variations of a single e-mail address in a manner intended to evade automatic detection by fraud systems.” 

DarkTower assesses with high probability that the use of “dot variant” Gmail aliases will be found to be related to many new account creations in a variety of online systems.  This will be especially true for accounts created related to the process of cashing out pandemic assistance benefits, which would include a variety of deposit accounts as well as cryptocurrency exchange accounts.

FINDINGS

  • Abidemi filed fraudulent unemployment claims against the states of Hawaii, Massachusetts, Montana, New York, Pennsylvania, and Wyoming.
  • Abidemi relied on the dot variant Gmail technique to make many variations of the Google account sandytangy58[@]gmail[.]com, allowing him to use many email aliases to register many accounts for benefits, but only needing to check a single Gmail account for the resulting communications.
  • A review of email addresses used to file fraudulently for unemployment reveals that this was a common practice by many additional scammers.
  • DarkTower assesses that the use of dot variant Gmail aliases may be a common method of creating multiple fraudulent accounts on a variety of online systems.
  • The term “dot variant” refers to the fact that one or more dots (“.”) may be inserted at any point in the username portion (the alias portion) of a Gmail address without altering the deliverability of messages.  Example addresses confirmed to be used by Rufai include the following:

san.dyta.ngy58[@]gmail[.]com

sa.ndy.ta.ngy58[@]gmail[.]com

san.d.y.t.an.gy58[@]gmail[.]com

  • Two other techniques, “+ extension” and “googlemail replacement,” have also been used by fraudsters to allow multiple email addresses to be used for account registration while sending the mail to a single address.

INVESTIGATION

Pandemic unemployment assistance programs for all states have been heavily targeted with an unprecedented level of fraud.  As criminals attempt to manage hundreds or even thousands of synthetic or stolen identities, they have found it to be convenient to use a single catch-all email address.  There are three methods of doing so with a Gmail email address.  In an evaluation of over ten thousand fraudulent unemployment claims, by far the most common was the dot variant method.  The other two methods are called “+ extension” and “googlemail replacement.”

In dot variant email addresses, the alias portion of a Gmail address may contain one or more “.” characters.  These are ignored by Google’s email processing rules, so each email is delivered to the userID as if the address did not contain any “.” characters.  In other words, the alias gar.y.wa.rn.er is simplified to garywarner for email message delivery.

For + extension email addresses, a “+” character followed by additional text can be appended to any Gmail alias and will be ignored during processing.  This method can be used for additional filtering techniques by the recipient.  For example, garywarner+Netflix[@]gmail[.]com and garywarner+Amazon[@]gmail[.]com would both be delivered to the same mailbox, because the “+” character and any portion of the email address after it are ignored.

In googlemail replacement, an alternate address for the same mailbox can be created by replacing @gmail[.]com with @googlemail[.]com.  This can also be used in conjunction with dot variant or + extension aliases.

All three methods have been observed by DarkTower in fraudulent unemployment filings; however, dot variant aliases are far more prominent than googlemail replacement or + extension email addresses.

The Rufai Criminal Complaint

In PACER (Public Access to Court Electronic Records) we find that the criminal complaint against Rufai was unsealed after his arrest on Friday.  “According to a Department of Labor Office of Inspector General’s Office analysis of ESD’s claims database, dot variants of sandytangy58[@]gmail[.]com were used to submit approximately 102 claims for ESD benefits exceeding $350,000.  The Department of Labor’s analysis also indicates the account was used to submit one or more claims to the SWAs for Hawaii, Maine, Michigan, Missouri, Montana, New York, Ohio, Pennsylvania, Wisconsin, and Wyoming.” (from the Criminal Complaint, page 10, lines 16-19.)

Figure 2: Amended Criminal Complaint against Abidemi Rufai
Figure 3: Examples from the Criminal Complaint

In this case, the Nigeria-based telephone number +234 909-874-2695 was used in association with this email address. He received $288,825 in deposits to a single Citibank checking account in his true name.

TrueCaller recognizes that number as belonging to “Ayoola J (Ruffy Manjoe)” and associates it with the email address abidemirufai[@]aol[.]com.

The “base” account of the dot variations, sandytangy58[@]gmail[.]com, had received over 1,000 emails from ESD, as well as more than 100 email messages from the SWAs in other states.  He also was found to have received numerous email messages from “other online payment and cryptocurrency services.”

The Gmail address is also associated with accounts on Adobe, Amazon, and RocketReach, with the latter possibly having been used to research scam targets.  He also has a Skype profile under the display name “abidemi rufai” and user name “abidemirufai”.

Additional Unemployment Filings

In a review of a partial listing of fraudulent unemployment filings for a single state, DarkTower determined that roughly 25% of the applicants used a Gmail account.  Of the Gmail addresses, roughly 20% contained a “.” within the alias of the email address.  Of these, more than a third of the email addresses had multiple dot variant occurrences on the list, ranging from two to 21 occurrences.  More than a hundred Gmail accounts had at least three dot variants of the same base email address on the list.
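
The three aliasing methods described under INVESTIGATION, and the grouping of variants by base address used in the filings review above, can be checked in bulk on a registration list. The following is an added example, not DarkTower's code; the function names and the sample addresses are constructed for illustration.

```python
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_gmail(address):
    """Return the base Gmail address an alias delivers to, or None if not Gmail."""
    # Accept defanged indicators such as user[@]gmail[.]com.
    addr = address.strip().lower().replace("[@]", "@").replace("[.]", ".")
    local, sep, domain = addr.rpartition("@")
    # Only rewrite Gmail addresses: other providers may treat dots as significant.
    if not sep or not local or domain not in GMAIL_DOMAINS:
        return None
    local = local.split("+", 1)[0]   # "+ extension": drop "+" and what follows
    local = local.replace(".", "")   # dot variant: dots in the alias are ignored
    if not local:
        return None
    return local + "@gmail.com"      # googlemail replacement: same mailbox

def alias_clusters(addresses, min_variants=2):
    """Map each base address to the distinct spellings seen for it,
    keeping only bases that appear under at least min_variants spellings."""
    seen = defaultdict(set)
    for raw in addresses:
        base = canonical_gmail(raw)
        if base:
            seen[base].add(raw.strip().lower())
    return {b: sorted(v) for b, v in seen.items() if len(v) >= min_variants}

# Constructed sample of registration emails (not taken from any real filing).
SAMPLE = [
    "j.ane.doe77@gmail.com",
    "ja.nedoe.77@gmail.com",
    "janedoe77+claim2@gmail.com",
    "jane.doe77@googlemail.com",
    "bob.smith@gmail.com",          # one dotted spelling only: not flagged
    "jane.doe77@example.org",       # non-Gmail: left alone
]

if __name__ == "__main__":
    for base, variants in alias_clusters(SAMPLE, min_variants=3).items():
        print(base, len(variants), variants)
```

A single dotted address is not an indicator by itself; the signal is several distinct spellings that resolve to one base address, which is why the threshold is a parameter.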