Using “dots don’t matter” for evil

This week, a smart developer called James Fisher discovered how to use Gmail to attack Netflix customers in order to get free movies. The full article is available here. Now I know this has nothing really to do with email signatures, but I found it incredibly interesting nonetheless and wanted to share it with you.

Like most systems, Netflix treats dots in e-mail handles as significant: olivervander and oliver.vander are two completely different usernames. Gmail does not. Gmail has a feature that completely ignores dots within your username, which can be useful, sometimes.

Over the weekend, James received an e-mail from Netflix addressed to the account james.hfisher@gmail.com. This was correctly delivered to his jameshfisher Gmail account. The email looked real; in fact, it was genuinely from Netflix. This wasn’t a standard phishing attack. Upon closer inspection, he could see that the email was addressed to james.hfisher. Following the link from Netflix also revealed that the credit card used to sign up to Netflix initially wasn’t one owned by him.

We all get emails from Netflix and the other online services we are members of, and we don’t pay too much attention to them. I imagine that 90% of us would just think this was Netflix being stupid, ignore the incorrect card details and enter our own credit card details. My question and concern is: how many other online services could this happen to?

Think about it for a minute: how many online services have you signed up to? Here is the process most online registrations go through, how they could be phished, and where you need to pay special attention:

  1. Find a gmail.com address which already exists within a service. There are many ways to do this; some services, like Netflix, will tell you if the address is “already registered”. OK, so the bad guys find an address, let’s say it’s me – olivervander.
  2. On the online service, now create an account using the address oliver.vander. If, like Netflix, there isn’t any email address verification, the bad guy is golden and continues undetected. Most systems, however, require a validation. Here is your first watchpoint: don’t be tempted to authorize emails for services you’re already a member of, thinking that the service has had a glitch or something. Pay close attention to which address the email has been sent to.
  3. Sign up for a free trial with a gift card, which is preloaded with enough for one month’s service.
  4. After the first paid month the card will be declined with insufficient funds. The service will then email oliver.vander asking for a new credit card. This is another watchpoint: as James Fisher did, check all the details before you put your credit card number into an existing service.
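On the service side, the fix that follows from the steps above is to compare addresses by the mailbox they actually deliver to. This is an added example, not code from the original post or from Netflix: a registration check that canonicalises Gmail addresses (case-folded, dots removed from the local part) before looking for an existing account, so oliver.vander and olivervander are recognised as the same mailbox. The set of dot-insensitive domains and the existing-account sample are assumptions.

```python
"""Registration-time duplicate check for dot-insensitive mailboxes.

Added example, not from the original post. The domain set and the
sample user table below are assumptions / constructed data.
"""

# Assumption: both of these Google domains ignore dots in the local part.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a form under which two addresses that reach the same inbox
    compare equal: lower-case everything and, for dot-insensitive
    domains, strip every dot from the local part."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def is_duplicate_mailbox(new_address: str, registered: list[str]) -> bool:
    """True if new_address delivers to a mailbox already in `registered`.
    A naive string comparison would miss oliver.vander vs olivervander."""
    wanted = canonical_email(new_address)
    return any(canonical_email(existing) == wanted for existing in registered)


# Constructed sample: accounts that already exist in a service's user table.
EXISTING_ACCOUNTS = ["olivervander@gmail.com", "alice@example.org"]


def check_signups(candidates: list[str]) -> dict[str, bool]:
    """Map each candidate sign-up address to whether it collides with an
    existing mailbox; a True result should block or flag the registration."""
    return {c: is_duplicate_mailbox(c, EXISTING_ACCOUNTS) for c in candidates}


if __name__ == "__main__":
    for addr, dup in check_signups(
        ["oliver.vander@gmail.com", "a.lice@example.org", "O.Liver.Vander@GMAIL.COM"]
    ).items():
        print(f"{addr:32} duplicate mailbox: {dup}")
```

Only the dot rule from the post is applied; a real deployment would extend the same canonicalisation to whatever other aliasing rules its user base's mail providers follow.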

I hope this helps keep you safer online. Please comment below if you have any other email tips and tricks.
