Research Project Shows How Typos and Misspelled Domains Lead to Massive Data Loss

Security Researchers Stole 120,000 e-mails and 20 GB of Corporate Data From Fortune 500 Companies via Typosquatting.


In a document, a spelling mistake can be embarrassing. On the Web and with e-mail, it can be the difference between going to the site you want and a phishing scam, or sending an email somewhere you may not intend to. Typosquatting remains a widespread problem on the Web, typified recently by a scam targeting YouTube users and a new report from Godai Group.

Typo Squatting Attacks

At M86 Security, researchers found a number of typosquatted domains playing off the popularity of YouTube that point to a phishing scam, including URLs like Traffic from that site is redirected to the online survey site, which according to was only created Aug. 24 but has had a “rapid spike in traffic,” according to M86’s Rodel Mendrez.

“We believe this spike was due to users being redirected by typosquatted domain names,” he wrote in a blog post.

The survey site uses IP address geolocation to create localized versions of itself, he added.

“At first glance, the survey website looks rather harmless,” he continued. “However, in order to participate and ‘win’ prizes it requires entering your email and mobile number. At this point you may feel that this is starting to look somewhat dodgy. However, the worst part comes after you enter your mobile number. The screenshot below shows that the main purpose of the ‘survey’ is to convince people to subscribe to an auto-renewing SMS subscription service which will be charged to the user’s phone bill.”

In a research project, Peter Kim and Garrett Gee of Godai Group – a security consultancy – highlighted an example of typosquatting that relies on mistakes of omission rather than misspelling. The two set up “doppelganger domains”: names that are identical to legitimate fully-qualified domain names of Fortune 500 companies except that the dot between the host/subdomain and the domain is missing. Over the course of six months, they claimed in a paper to have collected more than 120,000 individual emails (20 GB of data) that included trade secrets, business invoices and other information.

“The first attack vector is completely passive,” the researchers noted in their report, available here. “Once the attacker purchases the Doppelganger Domain, they will configure an email server to receive all email addressed to that domain, regardless of the user it was destined to. This type of configuration is also known as a catch-all email account. As email is a high-volume, primary communication mechanism for many corporations, a small percentage of those emails will be sent to the wrong destination because of user error (a typo by the email’s sender). The attacker relies on this fact and will start collecting emails from both internal and external users.”

“The second attack vector involves social engineering and is likely to be only used on specific individuals. As a Doppelganger Domain can be very similar to the legitimate email domain, an attacker will impersonate a person and attempt to obtain sensitive information via social engineering.”

In their research, the two found that 30 percent, or 151, of the Fortune 500 companies were susceptible to having their emails stolen by these kinds of schemes. As mitigation, Kim and Gee suggested among other things that companies should purchase their own doppelganger domains and configure them on the external DNS so that they do not resolve anywhere. They also recommend that companies consider filing a complaint under the Uniform Domain Dispute Resolution Policy once attackers are observed using a doppelganger domain against them.
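The defensive side of what Kim and Gee describe can be scripted: take the hostnames an organization actually sends mail from, enumerate the doppelganger names an outsider could register (so they can be bought or watched), check which are already taken, and have the outbound mail gateway flag any recipient whose domain is one of those names, since that message is the “user error” the catch-all server is waiting for. The following is an added example, not code from the article or from Godai Group; the hostnames and the mock registry are constructed, the registrable domain is assumed to be the last two labels (no public-suffix handling), and the `is_registered` lookup is injected so the script runs offline.

```python
"""Doppelganger-domain inventory and outbound-mail check.

Added example, not code from the article or from Godai Group. Assumptions:
the organization knows the fully-qualified hostnames it sends mail from,
the registrable domain is always the last two labels (no public-suffix
handling, so example.co.uk-style names would need more work), and a mail
gateway can call flag_recipient() on each outbound recipient address.
"""
from collections.abc import Callable, Iterable

# Constructed sample: mail-bearing hostnames of a fictional organization.
SAMPLE_HOSTS = [
    "mail.example.com",
    "us.mail.example.com",
    "hr.corp.example.com",
]

# Constructed sample: pretend a third party has already registered this name.
MOCK_REGISTRY = {"mailexample.com"}


def split_fqdn(fqdn: str) -> tuple[list[str], str, str]:
    """Split a hostname into (subdomain labels, second-level label, TLD)."""
    labels = fqdn.strip().lower().rstrip(".").split(".")
    if len(labels) < 3 or any(not label for label in labels):
        raise ValueError(f"need at least one subdomain label: {fqdn!r}")
    return labels[:-2], labels[-2], labels[-1]


def doppelgangers(fqdn: str) -> set[str]:
    """Domains an outsider could register by dropping the dot(s) that
    separate subdomain labels from the registrable domain.

    us.mail.example.com -> {mailexample.com, usmailexample.com}.
    Dropping a dot *inside* the subdomain part (usmail.example.com) is not
    listed: that name still lives under example.com, which the owner controls.
    """
    subs, sld, tld = split_fqdn(fqdn)
    return {"".join(subs[i:]) + sld + "." + tld for i in range(len(subs))}


def inventory(hosts: Iterable[str]) -> list[str]:
    """Deduplicated, sorted list of doppelganger domains for all hosts."""
    found: set[str] = set()
    for host in hosts:
        found |= doppelgangers(host)
    return sorted(found)


def registration_report(candidates: Iterable[str],
                        is_registered: Callable[[str], bool]) -> dict[str, bool]:
    """Map each candidate to whether it is already taken.

    is_registered is injected so the example runs offline; in production it
    would be a WHOIS or DNS lookup (e.g. 'does this name have an MX record?').
    """
    return {name: bool(is_registered(name)) for name in candidates}


def domain_of(address: str) -> str:
    """Domain part of an e-mail address, normalized for comparison."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower().rstrip(".")


def flag_recipient(address: str, watchlist: set[str]) -> bool:
    """True if an outbound recipient's domain is one of our doppelgangers,
    i.e. the message is about to go to a name that differs from ours only
    by a missing dot. A gateway would quarantine or warn on True."""
    return domain_of(address) in watchlist


if __name__ == "__main__":
    watch = set(inventory(SAMPLE_HOSTS))
    print("register or monitor:", sorted(watch))
    print("already taken:", registration_report(watch, MOCK_REGISTRY.__contains__))
    for rcpt in ("alice@mail.example.com", "alice@mailexample.com"):
        print(rcpt, "-> misdirected" if flag_recipient(rcpt, watch) else "-> ok")
```

For the names the organization does register, a Null MX record (`MX 0 .`, RFC 7505) is the standard way to make the zone refuse mail outright rather than merely not resolving; that detail is an addition here, not something the article or the Godai report states.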

“After reviewing the WHOIS information from all Fortune 500 companies, we noticed some of the largest companies were already registered to locations in China and to domains associated with malware and phishing,” the researchers wrote.

Among the companies they reported being targeted were Cisco, Dell and Yahoo.

“While it is unknown if these domains are used in a malicious fashion, it is apparent that some targeting is happening here,” the researchers wrote. “If in six months we were able to collect 20 gigabytes of data, imagine what a malicious attacker could gain.”

Kim and Gee also suggest that organizations communicate these types of “domain squatting” attack vectors to internal users, customers, and business partners. “The more awareness they have on social engineering attacks, the less susceptible they will be,” they advised.
