
What Are Criminals Doing with Typos in Domain Names?

Typosquatting is no longer a risk to be delegated entirely to brand managers in the legal and marketing departments.

Domain name typosquatting is a decade-old headache for marketing and legal departments, but evidence suggests that it is becoming a risk that also needs to be on the CSO's radar. Recent research shows that the exploitation of confusingly similar Internet domain names is not just a threat to brand equity and consumer trust; it’s now in use by those seeking to steal confidential corporate data.

Domain Typosquatting

Typosquatting has been around since the 1990s. It is still mostly abused by opportunists who capitalize on misspellings of trademarks to drive traffic to websites displaying pay-per-click advertising units. Because domain names are relatively cheap to register -- most times less than $10 annually -- a close typo of a highly visited online brand can prove to be extremely lucrative.

While that practice is still common, typo domains have in recent years been monetized using methods potentially much more damaging to consumers. Rather than simply placing pay-per-click ads on squatted domains, typosquatters are now copying the look-and-feel of websites such as YouTube, Google, Facebook and Twitter to trick surfers -- if they don't read the fine print -- into signing up for potentially expensive services with the promise of iPads or iPhones as prizes. This is phishing with a twist: the intent is to steal just a little money from you at a time, rather than nail you completely. As the Anti-Phishing Working Group outlined in its phishing report earlier this year, fewer than one in 10 attempted phishing attacks used typosquatted domain names. This leads to the inevitable conclusion that typosquatting is not tightly linked to phishing. What, then, are criminals doing with typos online?

Research published in August by the security company Godai reveals that corporate secrets are now at risk due to passive typosquatting.

Godai set out to prove that it’s possible to obtain confidential data via email, rather than the Web, by passively squatting typographic errors in fully qualified domain names. Many international organizations use a third-level descriptor in the domain names and emails they use to address their users by geographical location or company department. An Australian employee of Apple, for example, may have an email address username@aus.apple.com. Therefore, if an attacker owned the domain name ausapple.com, he would be able to set up a catch-all email account to passively intercept all email messages that were accidentally sent to an “ausapple.com” account rather than the intended “aus.apple.com” recipient.

Over a period of six months, Godai researchers Garrett Gee and Peter Kim managed to accumulate 20 gigabytes of data from 120,000 emails sent to mistyped email addresses, simply by experimentally typosquatting 30 domains. The data represented a treasure trove of information ranging from trade secrets and invoices to personal employee information and login credentials. This is the kind of data companies and governments spend millions on protecting with firewalls, VPN networks and all kinds of security protocols.

Kim and Gee further hypothesized that the method could be escalated to a full-blown "Man-in-the-Mailbox" attack, in which both sides of an email communication are spoofed. By typosquatting sub-domains of two large companies that are known to have a business relationship, and auto-forwarding any intercepted email to the intended recipient, the attacker could capture an increased amount of data as both sides unwittingly continue to reply to the mistyped addresses.

Godai estimates that 30% of Fortune 500 companies are vulnerable to these kinds of attacks. The Godai report highlights several large US-based technology companies that appear to have already been typosquatted by individuals based in China.

There are almost no barriers to setting up such typosquatting attacks; they cost very little, and scant technical expertise is needed. And there is very little active work required: just register the typo domain, set up email and sit back and harvest the crop of confidential or sensitive information. In the past decade, typosquatters focused on harnessing web traffic from users who forgot to insert a “.” between www and the domain name (e.g., typing in wwwredcross.org instead of www.redcross.org). Today’s attackers are quarrying a vastly richer mine -- email.

As an organization at risk, what should you do? Blocking DNS traffic destined for typo domains can prevent sensitive data leaving the network, but this would not prevent emails sent by third parties -- which may also contain private information -- from being intercepted. However, some of the same tools and services used by legal and marketing departments to monitor domain name registrations for potential trademark infringements can easily be turned to tackling the potentially more serious problem of data leakage.
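As an added example (not part of the article or of Godai's research), the script below derives the "doppelganger" domains that the missing-dot mistake described above produces for an organization's own third-level mail domains, then checks outbound recipients against them, which is the check a mail gateway or log review would apply before data leaves the network. It assumes the registrable domain is always the last two labels; apart from aus.apple.com, which the article itself uses, every domain, address and function name is constructed for illustration.

```python
from typing import Iterable

def registrable_split(fqdn: str, suffix_labels: int = 2) -> tuple[list[str], str]:
    """Split 'aus.apple.com' into (['aus'], 'apple.com').
    Assumption (ours, not the article's): the registrable domain is the last
    `suffix_labels` labels; real deployments should use the Public Suffix List
    so that e.g. 'sales.example.co.uk' is split correctly."""
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) <= suffix_labels:
        raise ValueError(f"{fqdn!r} has no sub-domain label to collapse")
    return labels[:-suffix_labels], ".".join(labels[-suffix_labels:])

def doppelganger_domains(fqdns: Iterable[str]) -> dict[str, str]:
    """Map each squattable 'doppelganger' domain to the FQDN it impersonates.
    Dropping the dot directly in front of the registrable domain turns
    'aus.apple.com' into 'ausapple.com', a new domain the organization does
    not own. Dropping a dot further left ('eusales.example.com') still lands
    inside the organization's own zone, so it is not a candidate."""
    squats: dict[str, str] = {}
    for fqdn in fqdns:
        subs, reg = registrable_split(fqdn)
        first, _, rest = reg.partition(".")
        squats[f"{subs[-1]}{first}.{rest}"] = fqdn  # 'aus' + 'apple' + '.com'
    return squats

def flag_misaddressed(recipients: Iterable[str], squats: dict[str, str]) -> list[tuple[str, str]]:
    """Return (recipient, intended_fqdn) for recipients whose mail domain is a
    doppelganger domain or a host beneath one. Run over outbound gateway logs,
    or use as a block rule before delivery (the mitigation the article names)."""
    hits = []
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        for squat, legit in squats.items():
            if domain == squat or domain.endswith("." + squat):
                hits.append((rcpt, legit))
    return hits

# Constructed sample data: aus.apple.com is the article's own example; the
# addresses are made up and stand in for an outbound mail log.
CORP_MAIL_DOMAINS = ["aus.apple.com", "eu.sales.example.com"]
OUTBOUND_RECIPIENTS = [
    "alice@aus.apple.com",        # correctly addressed
    "bob@ausapple.com",           # missing dot: lands on the doppelganger
    "carol@eu.salesexample.com",  # deeper name, same mistake
    "dave@eusales.example.com",   # mistyped, but still inside example.com
]

if __name__ == "__main__":
    for rcpt, legit in flag_misaddressed(OUTBOUND_RECIPIENTS, doppelganger_domains(CORP_MAIL_DOMAINS)):
        print(f"{rcpt}: probably meant {legit}")
```

The same candidate list feeds the registration-monitoring and defensive-registration steps discussed here, since it names exactly the domains worth watching or pre-registering.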

Preemptive registrations of likely sub-domain typos can also make an effective defense. This can seem like a wasteful exercise and is a frequent cause of headaches among brand managers, but the cost is relatively low compared to the legal fees associated with cybersquatting arbitration or litigation after a domain has already been compromised by a typo. Defensive domain name registrations are also far cheaper than cleaning up after the loss of a trade secret or a breach of security caused by a password disappearing in an email.

Typosquatting is no longer a risk to be delegated entirely to brand managers in the legal and marketing departments. This new attack stream using typos is now squarely in the CSO’s bailiwick. After all, a passive attack against internal assets can be just as effective as an actual network intrusion, with the exception that it is unlikely to set off any alerts on the security dashboard. CSOs need to add robust measures against typosquatting, and not depend solely on their legal and marketing departments to fend off this threat.

Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies affecting domain name registration and DNS security.