Missing dots from email addresses opens 20GB data leak

Filed Under: Data loss, Privacy

Security researchers have captured 120,000 emails intended for Fortune 500 companies by exploiting a basic typo. The emails included trade secrets, business invoices, personal information about employees, network diagrams and passwords.

Researchers Peter Kim and Garrett Gee did this by buying 30 internet domains they thought people would send emails to by accident (a practice known as typosquatting).

The domain names they chose were all identical to subdomains used by Fortune 500 companies save for a missing dot.

Having purchased the domains they simply sat back and watched as users mistakenly sent them over 120,000 emails in six months.

Kim and Garrett have not identified their targets but have revealed that they were chosen from a list of 151 Fortune 500 companies they regarded as vulnerable to their variation of typosquatting. The list is jam-packed with household names like Dell, Microsoft, Halliburton, PepsiCo and Nike.

The emails they collected included some worryingly sensitive corporate information, including:

  • Passwords for an IT firm's external Cisco routers
  • Precise details of the contents of a large oil company's oil tankers
  • VPN details and passwords for a system managing road tollways

The researchers also warn of how easy it would have been to turn their passive typosquatting into an even more dangerous man-in-the-middle attack. Such an attack would have allowed them to capture entire email conversations rather than just individual stray emails.

To perform a man-in-the-middle attack an attacker would simply forward copies of any emails they receive to the addresses they were supposed to go to in the first place. The forwarded emails would be modified to contain a bogus return addresses owned by the attacker.

By forwarding and modifying emails in this way the attacker establishes themselves as a silent rely between all the individuals in the conversation.

Man in the Mailbox example attack

Typosquatting isn't new so it's striking that the researchers managed to capture so much information by focusing on just one common mistake. They captured 20GB of data in six months using only basic technical skills and 30 domains costing no more than a few dollars each.

A determined attacker with a modest budget could easily afford to buy domains covering a vast range of organisations and typos.

During their six month typosquat only one of the target companies took action against Kim and Garrett.

So how can you protect yourself from this kind of unwanted eavesdropping?

First and foremost make sure you encrypt and password protect sensitive data so that if it does end up in the wrong hands it can't be used.

Organisations can also prevent emails being sent to specific misspelled domains through their DNS or mail server configurations. Of course this approach won't prevent people outside your organisation from misspelling your domains.

To defend yourself against that you might defensively purchase domains that look like good typosquatting targets.

Finally if you believe somebody is using typosquatting to attack your company you may wish to file a Uniform Domain Dispute Resolution Policy (UDRP) against them.

If you'd like to read more about this research Peter Kim and Garrett Gee's paper "Doppelganger Domains" is available to download from Wired.

, , , , , , , ,

You might like

9 Responses to Missing dots from email addresses opens 20GB data leak

  1. Richard Hodgson · 1486 days ago

    Of course, the forwarding with spoofed senders could be foiled with properly configured SPF records, if the receiving mail server is configured to check these properly.

    • Nicolas de Leon · 1485 days ago

      The spoofed senders' domains are under the control of the attacker, though. SPF would have no effect.

  2. apart from buying all the typo domains is there anything else that can be done on the mail server side to prevent data from leaking?

  3. I think that I'd disagree with "First and foremost make sure you encrypt and password protect sensitive data so that if it does end up in the wrong hands it can't be used.". First, don't send emails to the wrong address.

    Based on the fact that the researchers then forwarded the emails, I wonder if this breaches the UK Computer Misuse Act as it has caused a computer to execute a process. Nevertheless, if I ran a company with pots of cash and someone tried to do this (and by the by gained something from it, such as research notoriety) then I'd be inclined to call the lawyers.

    Evil twins have always been an issue.

    Chin Chin

    • markstockley · 1485 days ago

      Unfortunately even if you never make a mistake in typing email addresses you're still vulnerable to other forms of snooping. By encrypting sensitive data you'll give yourself by far the best defence.

    • Kasun · 1484 days ago

      I guess it doesn't breach Computer misuse act as long as it is done for educational purpose.


  4. Jeffster11 · 1485 days ago

    Blah, blah, blah, The real truth is that it was 19.999GB of spam.

  5. GoodGrief · 1411 days ago

    Thanks for spreading this capability and the "how to" far and wide. Nothing like responsible reporting, eh?

    • Darr247 · 1410 days ago

      Yeah, well the only reason they did it on just 30 names out of the fortune 500 was because the other 470 were already being typosquatted.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Mark Stockley is an independent web consultant who's interested in literally anything that makes websites better. Follow him on Twitter at @MarkStockley