Typo squatting has been around as long as the Internet's Domain Name System (DNS), but Net bandits have added a twist to the practice that appears to be very effective at intercepting corporate email.
In a typical typo squatting scenario, people register misspelled domain names of high traffic websites. The idea is to capture traffic they ordinarily wouldn’t get at their website and turn it into money, either through advertising at the site or by compromising the visitor’s computer by infecting it with malware.
A variation of that technique that’s gaining popularity uses “doppelganger domains” to exploit typos in corporate email addresses. Those typos result less from misspellings than from failing to properly punctuate addresses with subdomains.
For example, the domain for IBM Sweden is se.ibm.com. A doppelganger attacker would register the domain seibm.com to capture email from authors who forget to type that pesky extra period.
Once the domain is registered, the dop sets up a mail server configured to accept every message addressed to anyone at that misspelled domain.
Now the bunco artist is ready to mount a classic “man-in-the-middle” attack. Misaddressed mail enters the dop’s server, is copied, and forwarded to its destination with the doppelganger domain in the return address. If a response is sent from its destination, it will travel back to the dop server, be copied, and then sent on its way to the original sender. Those exchanges can continue indefinitely.
But who really types in email addresses anymore? Apparently, a lot of people.
Two researchers at the Godai Group set up 30 doppelganger domains and, in six months, intercepted 20 gigabytes of data. That data included invoices, contracts, employee credit card and banking information, configuration details for the external routers of a large IT consulting company along with the passwords for accessing those devices, and credentials for the VPN of a company that manages motorway tolls in the United States.
“Each company in the Fortune 500 was profiled for susceptibility to doppelganger domains and 151 companies (or 30%) were found to be susceptible,” wrote the researchers, Peter Kim and Garrett Gee, in a recently released report.
“In large corporations, email usage is extremely high which dramatically increases the likelihood of mis-sent emails and data leakage,” they explained.
Remarkably, they discovered, only one company detected its doppelganger and only two users noticed they were sending mail to a dop.
Kim and Gee also noted that many doppelgangers had already been created for the world's largest corporations, including Cisco, Dell, HP, IBM, Intel and Yahoo. Most of those dops were owned by entities in China, they added.
What’s an email administrator to do to counter this kind of attack?
- Persuade your company to buy up and register all your doppelganger domains. Then configure your external DNS server to bounce mails sent to the dops.
- If you discover a doppelganger domain, file a Uniform Domain-Name Dispute-Resolution Policy complaint with ICANN.
- Configure your internal DNS servers not to resolve doppelganger domains. Of course, that will only affect the outbound email of your organization. External email could still be picked off by the dops.
- As an alternative to configuring your DNS server, you can configure your email server to block any outbound mail headed for a dop.
- Let everyone in your business network—employees, customers and partners—know about the doppelganger domain so they’ll be aware of the attack.
- You can also make sure that auto-addressing is turned on across your system. If your users don’t have to type in email addresses, then they can’t make typos in them.
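Several of these steps start from the same list: the doppelganger domain for each of your mail-bearing subdomains. The following script is an added example, not part of the article or the Godai Group report; it derives that list for a set of constructed hosts and applies it as the outbound-mail check described above. It assumes the registrable domain is always the last two labels of a host name.

```python
"""Added example (not from the article): derive the doppelganger domain for each
of an organisation's mail-bearing subdomains, then use the result either as the
list to register (and bounce) or as a blocklist for outbound mail."""
from email.utils import parseaddr
from typing import List, Optional, Set


def doppelganger(fqdn: str) -> Optional[str]:
    """Return the registrable domain an attacker would obtain by dropping the dot
    in front of the organisation's domain: se.ibm.com -> seibm.com.
    Assumption: the registrable domain is the last two labels (no public-suffix
    handling, so a host such as foo.example.co.uk is not modelled)."""
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 3:
        return None  # a bare example.com has no dot to forget
    return labels[-3] + labels[-2] + "." + labels[-1]


def doppelganger_blocklist(hosts: List[str]) -> Set[str]:
    """Unique doppelganger domains for all hosts; the list to buy up or block."""
    return {d for d in (doppelganger(h) for h in hosts) if d}


def outbound_to_doppelganger(recipients: List[str], blocklist: Set[str]) -> List[str]:
    """Recipients whose domain is a blocklisted doppelganger or a subdomain of one.
    This is the check an outbound mail filter would apply before relaying."""
    hits = []
    for rcpt in recipients:
        _, addr = parseaddr(rcpt)
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1].lower()
        if any(domain == d or domain.endswith("." + d) for d in blocklist):
            hits.append(addr)
    return hits


# Constructed sample data; not the hosts or addresses of any real company.
ORG_HOSTS = ["se.example.com", "mail.uk.example.com", "example.com"]
SAMPLE_RECIPIENTS = [
    "Alice <alice@se.example.com>",  # correctly punctuated, must pass
    "bob@seexample.com",             # dot forgotten: goes to a dop
    "carol@ukexample.com",           # same mistake, deeper subdomain
    "dave@partner.net",              # unrelated external recipient
]

if __name__ == "__main__":
    bl = doppelganger_blocklist(ORG_HOSTS)
    print(sorted(bl))                                   # ['seexample.com', 'ukexample.com']
    print(outbound_to_doppelganger(SAMPLE_RECIPIENTS, bl))  # ['bob@seexample.com', 'carol@ukexample.com']
```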