SecurityWeek

Data Protection
Research Project Shows How Typos and Misspelled Domains Lead to Massive Data Loss

Security Researchers Stole 120,000 e-mails and 20 GB of Corporate Data From Fortune 500 Companies via Typosquatting.

In a document, a spelling mistake can be embarrassing. On the Web and with e-mail, it can be the difference between going to the site you want and a phishing scam, or sending an email somewhere you may not intend to. Typosquatting remains a widespread problem on the Web, typified recently by a scam targeting YouTube users and a new report from Godai Group.

At M86 Security, researchers found a number of typosquatted domains playing off the popularity of YouTube that point to a phishing scam, including URLs like YoutTube.com. Traffic from that site is redirected to the online survey site videorewardsonline.com, which Alexa.com shows was only created Aug. 24 but has already seen a “rapid spike in traffic,” according to M86’s Rodel Mendrez.

“We believe this spike was due to users being redirected by typosquatted domain names,” he wrote in a blog post.

The survey site uses IP address geolocation to create localized versions of itself, he added.

“At first glance, the survey website looks rather harmless,” he continued. “However, in order to participate and “win” prizes it requires entering your email and mobile number. At this point you may feel that this is starting to look somewhat dodgy. However, the worst part comes after you enter your mobile number. The screenshot below shows that main purpose of the “survey” is to convince people to subscribe to an auto-renewing SMS subscription service which will be charged to the user’s phone bill.”

In a research project, Peter Kim and Garrett Gee of Godai Group – a security consultancy – highlighted an example of typosquatting that relies on mistakes of omission rather than misspelling. The two set up “doppelganger domains” that are identical to legitimate fully-qualified domain names for Fortune 500 companies but that were missing the dot between the host/subdomain and domain. Over the course of six months, they claimed in a paper to have collected more than 120,000 individual emails (20 GB of data) that included trade secrets, business invoices and other information.

“The first attack vector is completely passive,” the researchers noted in their report, available here. “Once the attacker purchases the Doppelganger Domain, they will configure an email server to receive all email addressed to that domain, regardless of the user it was destined to. This type of configuration is also known as a catch-all email account. As email is a high-volume, primary communication mechanism for many corporations, a small percentage of those emails will be sent to the wrong destination because of user error (a typo by the email’s sender). The attacker relies on this fact and will start collecting emails from both internal and external users.”

“The second attack vector involves social engineering and is likely to be only used on specific individuals. As a Doppelganger Domain can be very similar to the legitimate email domain, an attacker will impersonate a person and attempt to obtain sensitive information via social engineering.”


In their research, the two found that 30 percent, or 151, of the Fortune 500 companies were susceptible to having their emails stolen by these kinds of schemes. As mitigation, Kim and Gee suggested among other things that companies should purchase doppelganger domains themselves and configure them on the external DNS so that they do not resolve anywhere. They also recommend that companies consider filing a complaint under the Uniform Domain-Name Dispute-Resolution Policy (UDRP) once attackers are observed using a doppelganger domain against them.
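The two passages above describe the attack (a catch-all mailbox on a domain that is one missing dot away from a real subdomain) and the defensive response (know your own doppelganger domains and deny them). The following Python is an added example, not code from the Godai Group paper or from SecurityWeek: it generates the doppelganger variants of an organization's mail-bearing hostnames (each variant drops one dot to the left of the registrable domain, which generalizes the single host/domain case in the paper to multi-level subdomains) and then uses that list as an outbound-mail watchlist, flagging recipients whose domain is a doppelganger of one of our own. The hostnames, base domain and recipient addresses are constructed sample input; `ks.cisco.com` is assumed here to be the legitimate hostname behind the `kscisco.com` example quoted in the article.

```python
from __future__ import annotations

import re
from typing import Iterable


def doppelganger_domains(hostname: str, base_domain: str) -> set[str]:
    """Return the doppelganger variants of hostname.

    Each variant is hostname with exactly one dot removed. Only dots to the
    left of base_domain are candidates, so the caller-supplied registrable
    domain (and its TLD) is never altered. Generalizes the paper's
    sub.domain.com -> subdomain.com case to deeper subdomain trees.
    """
    hostname = hostname.lower().rstrip(".")
    base_domain = base_domain.lower().rstrip(".")
    if hostname == base_domain:
        return set()  # nothing to the left of the base domain: no dot to drop
    suffix = "." + base_domain
    if not hostname.endswith(suffix):
        raise ValueError(f"{hostname} is not a hostname under {base_domain}")
    sub_labels = hostname[: -len(suffix)].split(".")
    labels = sub_labels + base_domain.split(".")
    variants: set[str] = set()
    for i in range(len(sub_labels)):
        # Drop the dot between label i and label i+1 by merging them.
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants


def build_watchlist(own_hosts: Iterable[str], base_domain: str) -> set[str]:
    """Union of doppelganger variants for every hostname we send mail from."""
    watch: set[str] = set()
    for host in own_hosts:
        watch |= doppelganger_domains(host, base_domain)
    return watch


# Minimal address parser: local part, one '@', domain. Good enough for a
# gateway rule; a full RFC 5322 parser is not needed to extract the domain.
_EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def recipient_domain(address: str) -> str | None:
    """Lower-cased domain of an e-mail address, or None if it does not parse."""
    match = _EMAIL_RE.match(address.strip().lower())
    return match.group(1).rstrip(".") if match else None


def flag_outbound(recipients: Iterable[str], watchlist: set[str]) -> list[str]:
    """Recipients whose domain is on the doppelganger watchlist.

    In an outbound mail gateway these would be bounced back to the sender
    with a 'did you mean' hint rather than delivered.
    """
    return [r for r in recipients if (recipient_domain(r) or "") in watchlist]


# Constructed sample data (hypothetical organization and recipients).
OWN_HOSTS = ["us.example.com", "mail.eu.example.com"]
BASE_DOMAIN = "example.com"
SAMPLE_RECIPIENTS = [
    "alice@usexample.com",        # doppelganger of us.example.com
    "bob@us.example.com",         # legitimate internal address
    "carol@partner.net",          # unrelated external domain
    "dave@maileu.example.com",    # doppelganger of mail.eu.example.com
    "erin@example.com",           # legitimate base domain
]


def demo() -> list[str]:
    """Run the watchlist check over the constructed sample and return the hits."""
    watchlist = build_watchlist(OWN_HOSTS, BASE_DOMAIN)
    return flag_outbound(SAMPLE_RECIPIENTS, watchlist)


if __name__ == "__main__":
    print("watchlist:", sorted(build_watchlist(OWN_HOSTS, BASE_DOMAIN)))
    print("flagged:", demo())
```

The same watchlist is the list of names to register defensively and point at non-resolving DNS, as the paper recommends; keeping it in code means a new mail-bearing subdomain automatically produces a new entry to register and a new gateway rule.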

“After reviewing the WHOIS information from all Fortune 500 companies, we noticed some of the largest companies were already registered to locations in China and to domains associated with malware and phishing,” the researchers wrote.

Among the companies they reported being targeted were Cisco (kscisco.com), Dell (chndell.com) and Yahoo (nayahoo.com).

“While it is unknown if these domains are used in a malicious fashion, it is apparent that some targeting is happening here,” the researchers wrote. “If in six months we were able to collect 20 gigabytes of data, imagine what a malicious attacker could gain.”

Kim and Gee also suggest that organizations communicate these types of “domain squatting” attack vectors to internal users, customers, and business partners. “The more awareness they have on social engineering attacks, the less susceptible they will be,” they advised.
