September 10, 2011
Over 100,000 Emails Lost To Doppelganger Domains
Typo-squatting or doppelganger domains (websites that are essentially misspelled versions of a legitimate domain name) could be used to gather information such as industry secrets and user names and passwords, an information securities firm reported Friday.
The research was conducted by the Godai Group, who had registered doppelganger domains for Fortune 500 companies. Over a six-month period, they received over 120,000 individual emails and a total of 20GB of data through those domains, which featured either misspellings or some type of keystroke omission.
Among the information they received in those emails, John Leyden of the Register reported, were "trade secrets, business invoices, personal information of employees, network diagrams, usernames and passwords."
The information collected during the experiment had been deleted, Leyden added.
In a statement posted to their official website, the Godai Group noted that 151 members of the Fortune 500 (approximately 30% of the list) were found to be susceptible to these doppelganger domains. Large corporations which receive high volumes of email are more likely to experience data leakage through misdirected emails, they added.
"Twenty gigs of data is a lot of data in six months of really doing nothing," researcher Peter Kim told Wired's Kim Zetter on Friday. "And nobody knows this is happening."
In their report, Kim and colleague Garrett Gee identified two types of email-based attacks that could come through these doppelganger domains. One is a passive attack, similar to the method the researchers used in which they simply wait and receive messages sent to the wrong destination. The other involves impersonating a person and actively attempting to solicit sensitive information.
According to their findings, Kim and Gee received 425 emails that included the word "secret" and 402 that included the phrase "credit card." The words "UserID," "Password," and "Login" were included in 225, 405, and 495 emails, respectively, they said. "Contract" was mentioned in 417 messages, and "invoice" was included in 323 of them.
"After reviewing the WHOIS information from all Fortune 500 companies, Godai Group noticed of the many hi-tech firms had doppelganger domains registered to locations in China," Leyden said. "Many of these domains are already associated with malware and phishing, it warns."
On the Net: