Security Researchers Stole 120,000 e-mails and 20 GB of Corporate Data From Fortune 500 Companies via Typosquatting.
In a document, a spelling mistake can be embarrassing. On the Web and with e-mail, it can be the difference between going to the site you want and a phishing scam, or sending an email somewhere you may not intend to. Typosquatting remains a widespread problem on the Web, typified recently by a scam targeting YouTube users and a new report from Godai Group.
At M86 Security, researchers found a number of typosquatted domains playing off the popularity of YouTube that point to a phishing scam, including URLs like YoutTube.com. Traffic from that site is redirected to the online survey site videorewardsonline.com, which according to Alexa.com was only created Aug. 24 but has had a “rapid spike in traffic,” according to M86’s Rodel Mendrez.
“We believe this spike was due to users being redirected by typosquatted domain names,” he wrote in a blog post.
The survey site uses IP address geolocation to create localized versions of itself, he added.
“At first glance, the survey website looks rather harmless,” he continued. “However, in order to participate and ‘win’ prizes it requires entering your email and mobile number. At this point you may feel that this is starting to look somewhat dodgy. However, the worst part comes after you enter your mobile number. The screenshot below shows that the main purpose of the ‘survey’ is to convince people to subscribe to an auto-renewing SMS subscription service which will be charged to the user’s phone bill.”
In a research project, Peter Kim and Garrett Gee of Godai Group – a security consultancy – highlighted an example of typosquatting that relies on mistakes of omission rather than misspelling. The two set up “doppelganger domains” that are identical to legitimate fully-qualified domain names for Fortune 500 companies but that were missing the dot between the host/subdomain and domain. Over the course of six months, they claimed in a paper to have collected more than 120,000 individual emails (20 GB of data) that included trade secrets, business invoices and other information.
“The first attack vector is completely passive,” the researchers noted in their report, available here. “Once the attacker purchases the Doppelganger Domain, they will configure an email server to receive all email addressed to that domain, regardless of the user it was destined to. This type of configuration is also known as a catch-all email account. As email is a high-volume, primary communication mechanism for many corporations, a small percentage of those emails will be sent to the wrong destination because of user error (a typo by the email’s sender). The attacker relies on this fact and will start collecting emails from both internal and external users.
“The second attack vector involves social engineering and is likely to be only used on specific individuals. As a Doppelganger Domain can be very similar to the legitimate email domain, an attacker will impersonate a person and attempt to obtain sensitive information via social engineering.”
In their research, the two found that 30 percent, or 151, of the Fortune 500 companies were susceptible to having their emails stolen by these kinds of schemes. As mitigation, Kim and Gee suggested, among other things, that companies purchase their own doppelganger domains and configure them on the external DNS so that they do not resolve anywhere. They also recommend that companies consider filing a complaint under the Uniform Domain Dispute Resolution Policy once attackers are observed using a doppelganger domain against them.
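As an added illustration, not taken from the Godai paper or this article, the short Python script below derives the doppelganger of each mail-bearing subdomain an organisation owns and flags outbound messages addressed to one of them, so a mail gateway could hold such messages before they leave. The domains and log lines are constructed, and the script assumes two-label registrable domains (example.com rather than example.co.uk).

```python
"""Flag outbound mail addressed to a 'doppelganger' of our own subdomains:
the same FQDN with the dot before the registrable domain dropped.
Hypothetical domains and constructed log lines; assumes the registrable
domain is always the last two labels."""
import re
from typing import Optional

def doppelganger(fqdn: str) -> Optional[str]:
    """'us.example.com' -> 'usexample.com';
    'mail.eu.example.com' -> 'mail.euexample.com'.
    Returns None for a bare registrable domain, which has no dot to lose."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None
    # Only the dot just left of the registrable domain matters: dropping an
    # earlier one yields a host that is still inside our own DNS zone.
    return ".".join(labels[:-3] + [labels[-3] + labels[-2], labels[-1]])

def doppelganger_set(fqdns):
    """The watch list: every doppelganger that is attacker-registrable."""
    return {d for d in map(doppelganger, fqdns) if d}

LOG_RE = re.compile(r"to=<[^@>]+@([^>]+)>")  # recipient domain in an MTA log line

def flag_misdirected(log_lines, watch):
    """Return (line number, recipient domain) for each log line whose
    recipient domain is on the doppelganger watch list."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if m and m.group(1).lower() in watch:
            hits.append((n, m.group(1).lower()))
    return hits

# Constructed sample: our mail-bearing FQDNs and a few postfix-style log lines.
OUR_FQDNS = ["us.example.com", "mail.eu.example.com", "example.com"]
SAMPLE_LOG = [
    "Jan 10 09:12:01 mx postfix/smtp[123]: A1: to=<bob@us.example.com>, status=sent",
    "Jan 10 09:12:05 mx postfix/smtp[124]: A2: to=<bob@usexample.com>, status=sent",
    "Jan 10 09:13:11 mx postfix/smtp[125]: A3: to=<ann@partner.test>, status=sent",
    "Jan 10 09:14:02 mx postfix/smtp[126]: A4: to=<ann@mail.euexample.com>, status=deferred",
]

if __name__ == "__main__":
    for n, dom in flag_misdirected(SAMPLE_LOG, doppelganger_set(OUR_FQDNS)):
        print(f"line {n}: recipient domain {dom} is a doppelganger of one of ours")
```

The same watch list is the set of names the paper's mitigation says to register yourself and point at nothing in external DNS.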
“After reviewing the WHOIS information from all Fortune 500 companies, we noticed some of the largest companies were already registered to locations in China and to domains associated with malware and phishing,” the researchers wrote.
Among the companies they reported being targeted were Cisco (kscisco.com), Dell (chndell.com) and Yahoo (nayahoo.com).
“While it is unknown if these domains are used in a malicious fashion, it is apparent that some targeting is happening here,” the researchers wrote. “If in six months we were able to collect 20 gigabytes of data, imagine what a malicious attacker could gain.”
Kim and Gee also suggest that organizations communicate these types of “domain squatting” attack vectors to internal users, customers, and business partners. “The more awareness they have on social engineering attacks, the less susceptible they will be,” they advised.