Cleverly Misspelled Web Domains Behind Huge Email Theft
With some clever and subtle misspelling, two security researchers showed how easy it is for an attacker to harvest a boatload of confidential emails, including trade secrets, names, email addresses and passwords, from Fortune 500 companies.
Peter Kim and Garrett Gee from the information security think tank Godai Group were able to intercept 20 gigabytes of sensitive data by setting up "doppelganger domains": Web domain names that look the same as legitimate companies' domains except for one tiny detail: they are spelled incorrectly.
This method of spoofing a real website to harness and intercept traffic is also called "typosquatting," and while it is nothing new, it can have devastating consequences when deployed against businesses rather than individual consumers.
Kim and Gee executed their proof-of-concept hack during a six-month period, and their results were shocking: They intercepted more than 120,000 individual emails (20 gigabytes of data) from 30 Fortune 500 companies, and found that 151 companies are vulnerable to such attacks, Wired reported.
Fake domain names could include a preface, such as "email," before the actual website name, or involve the change of only a period separating a subdomain name from a primary domain name, "as in the case of seibm.com as opposed to the real se.ibm.com domain that IBM uses for its division in Sweden," Wired said.
Within the 120,000 emails drawn to their fake domain names were details, including user names and passwords, for an international company that manages roadway toll systems, and the "full configuration details for the external Cisco routers for a large IT consulting firm, along with passwords for accessing the devices," Wired said. Kim and Gee also harvested invoices, contracts and credit card information from other companies.
The array of Fortune 500 companies found to be vulnerable to attack was staggering as well. It included gas and electric companies, pharmaceutical firms, chemical and computer software companies and financial firms.
"Essentially, a simple mistype of the destination domain could send anything that is sent over email to an unintended destination," the researchers wrote in their paper, "Doppelganger Domains," released Sept. 6.
"Once the attacker purchases the Doppelganger Domain, they will configure an email server to receive all email addressed to that domain, regardless of the user it was destined to," they wrote.
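The two look-alike forms the article describes (the dropped dot between subdomain and domain, as in seibm.com for se.ibm.com, and a word such as "email" glued onto the front of the domain) are mechanical enough that an organization can enumerate them for its own domains and watch its outbound mail logs for messages addressed to them. The following script is an added example written for this page, not code from the Godai Group researchers or from their paper; the legitimate domains, the Postfix-style log lines and the IP addresses in it are constructed sample data, and the log format is an assumption.

```python
"""Defender-side check for the doppelganger-domain pattern.

Given an organisation's legitimate mail domains (including dotted
subdomains), build the two look-alike forms described above:
  * dot-dropped:      se.ibm.com -> seibm.com
  * "email"-prefixed: kohls.com  -> emailkohls.com
then scan outbound mail-log lines for recipients at those look-alikes.
All domains and log lines here are constructed sample data.
"""
from __future__ import annotations

import re
from typing import Iterable


def dot_dropped_variants(domain: str) -> set[str]:
    """Look-alikes formed by removing one dot between labels.

    'a.b.example.com' -> {'ab.example.com', 'a.bexample.com'}.  The dot in
    front of the TLD is never removed, since that would not be a registrable
    name under the same TLD.
    """
    labels = domain.lower().split(".")
    variants: set[str] = set()
    # merge label i with label i+1 at every boundary except the TLD boundary
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants


def prefixed_variants(domain: str, prefixes: Iterable[str] = ("email",)) -> set[str]:
    """Look-alikes formed by gluing a word onto the registrable part:
    'kohls.com' -> 'emailkohls.com'.  Only the last two labels are used, so
    'mail.kohls.com' also yields 'emailkohls.com'."""
    labels = domain.lower().split(".")
    base = ".".join(labels[-2:])
    return {p + base for p in prefixes}


def doppelganger_candidates(legit_domains: Iterable[str]) -> dict[str, str]:
    """Map each candidate look-alike to the legitimate domain it mimics."""
    out: dict[str, str] = {}
    for d in legit_domains:
        for v in dot_dropped_variants(d) | prefixed_variants(d):
            out[v] = d.lower()
    return out


# Recipient field of a Postfix-style delivery line: to=<user@domain>
RCPT_RE = re.compile(r"to=<[^@>]+@([^>]+)>")


def flag_misdirected(log_lines: Iterable[str],
                     candidates: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (line, recipient_domain, mimicked_domain) for every log line
    whose recipient domain is a known doppelganger candidate."""
    hits = []
    for line in log_lines:
        m = RCPT_RE.search(line)
        if not m:
            continue
        rdom = m.group(1).lower()
        if rdom in candidates:
            hits.append((line, rdom, candidates[rdom]))
    return hits


# Constructed sample data (hypothetical legitimate domains and log lines).
LEGIT_DOMAINS = ["se.ibm.com", "kohls.com"]
SAMPLE_LOG = [
    "Sep  6 10:01:12 mx1 postfix/smtp[1234]: 3F2A1: to=<ops@se.ibm.com>, "
    "relay=mail.example.net[192.0.2.10]:25, status=sent",
    "Sep  6 10:02:45 mx1 postfix/smtp[1236]: 3F2B7: to=<router-config@seibm.com>, "
    "relay=mail.example.net[192.0.2.11]:25, status=sent",
    "Sep  6 10:03:10 mx1 postfix/smtp[1240]: 3F2C0: to=<bob@emailkohls.com>, "
    "relay=mail.example.net[192.0.2.12]:25, status=sent",
    "Sep  6 10:04:00 mx1 postfix/smtp[1241]: 3F2D2: to=<alice@example.org>, "
    "relay=mail.example.net[192.0.2.13]:25, status=sent",
]


if __name__ == "__main__":
    cands = doppelganger_candidates(LEGIT_DOMAINS)
    for line, rdom, legit in flag_misdirected(SAMPLE_LOG, cands):
        print(f"misdirected: {rdom} (looks like {legit}) in: {line}")
```

Run against a real mail log, the same candidate table doubles as a registration watchlist: any look-alike that acquires an MX record, or that starts appearing as a recipient, is worth a block rule on the outbound relay before the next mistyped message leaves the organization.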
The Godai Group researchers included a chart that shows 15 current doppelganger domains already in use, including "Kscisco.com" for Cisco and "emailkohls.com" for Kohls. Some of the spoofed domain names, the researchers discovered, are already registered to IP addresses in China "and to domains associated with malware and phishing."
Out of the 30 doppelganger domains they set up, Wired said only one company noticed when the researchers registered the fake domain name, and only two senders among all 120,000 emails indicated they were aware of the mistake.