Configure your email system to prevent exploitation by doppelganger domains

Typo squatting has been around as long as the Internet Domain Name System (DNS), but Net bandits have added a twist to the practice that appears to be very effective in intercepting corporate email.

In a typical typo squatting scenario, people register misspelled domain names of high traffic websites. The idea is to capture traffic they ordinarily wouldn’t get at their website and turn it into money, either through advertising at the site or by compromising the visitor’s computer by infecting it with malware.

A variation of that technique that’s gaining popularity uses “doppelganger domains” to exploit typos in corporate email addresses. Those typos result less from misspellings than from failing to properly punctuate addresses with subdomains.

For example, the domain for IBM Sweden is se.ibm.com. A doppelganger attacker would register the domain seibm.com to capture email whose authors forget to type in that pesky extra period.

Once the domain is registered, the dop sets up a mail server with a catch-all mailbox, so that any message addressed to any user at the misspelled domain is accepted and stored.

Now the bunco artist is ready to mount a classic “man-in-the-middle” attack. Misaddressed mail enters the dop’s server, is copied, and forwarded to its destination with the doppelganger domain in the return address. If a response is sent from its destination, it will travel back to the dop server, be copied, and then sent on its way to the original sender. Those exchanges can continue indefinitely.

But who really types in email addresses anymore? Apparently, a lot of people.

Two researchers at the Godai Group set up 30 doppelganger domains and in six months, they were able to intercept 20 gigabytes of data. In that data were invoices, contracts, employee credit card and banking information, configuration details for the external routers of a large IT consulting company and the passwords for accessing the devices, and information for accessing the VPN network of a company that manages motorway tolls in the United States.

“Each company in the Fortune 500 was profiled for susceptibility to doppelganger domains and 151 companies (or 30%) were found to be susceptible,” wrote the researchers, Peter Kim and Garrett Gee, in a recently released report.

“In large corporations, email usage is extremely high which dramatically increases the likelihood of mis-sent emails and data leakage,” they explained.

Remarkably, they discovered, only one company detected its doppelganger and only two users noticed they were sending mail to a dop.

Kim and Gee also noted [pdf] that many doppelgangers had already been created for the world’s largest corporations, including Cisco, Dell, HP, IBM, Intel and Yahoo. Most of those dops were owned by entities in China, they added.

What’s an email administrator to do to counter this kind of attack?

  • Persuade your company to buy up and register all your doppelganger domains. Then configure your external DNS server to bounce mails sent to the dops.
  • If you discover a doppelganger domain, file a Uniform Domain-Name Dispute-Resolution Policy (UDRP) complaint with ICANN.
  • Configure your internal DNS servers not to resolve doppelganger domains. Of course, that will only affect the outbound email of your organization. External email could still be picked off by the dops.
  • As an alternative to configuring your DNS server, you can configure your email server to block any outbound mail headed for a dop.
  • Let everyone in your business network—employees, customers and partners—know about the doppelganger domain so they’ll be aware of the attack.
  • You can also make sure that auto-addressing is turned on across your system. If your users don’t have to type in email addresses, then they can’t make typos in them.
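The first, third and fourth measures above all start from the same list: the doppelganger domains that can be formed from the subdomains your organization actually uses. The following is an added example, not code from the article or from the Godai Group report, that generates that list, checks outbound recipients against it, and renders it as a Postfix access(5) table for use with check_recipient_access. It goes slightly beyond the article's se.ibm.com case by also handling deeper subdomains (mail.corp.example.com has two dots that can be dropped). The subdomains, the log lines and their "sender -> recipient" format are constructed for the example, and it assumes the registrable domain is the last two labels; a real deployment would consult the Public Suffix List instead.

```python
"""Generate doppelganger domains for an organization's subdomains and use
the result to flag or block outbound mail addressed to them.
Assumption: the registrable domain is the last two labels of each name."""
import re

# Constructed sample input: subdomains this (hypothetical) organization uses.
CORPORATE_SUBDOMAINS = ["se.ibm.com", "us.ibm.com", "mail.corp.example.com"]

# Constructed sample outbound log lines (hypothetical "<sender> -> <recipient>" format).
SAMPLE_OUTBOUND_LOG = [
    "alice@ibm.com -> partner@se.ibm.com",
    "alice@ibm.com -> partner@seibm.com",
    "bob@example.com -> carol@mail.corpexample.com",
    "bob@example.com -> carol@mail.corp.example.com",
]


def doppelganger_candidates(fqdn):
    """Return the domains formed by dropping one dot to the left of the
    registrable domain: se.ibm.com -> ["seibm.com"]. The dot inside
    ibm.com is left alone because "ibmcom" is not a registrable name."""
    labels = fqdn.lower().strip(".").split(".")
    candidates = []
    # Assumption: the last two labels are the registrable domain, so only
    # dots between the earlier labels can be "forgotten" by a sender.
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        candidates.append(".".join(merged))
    return candidates


def build_blocklist(subdomains):
    """Map each doppelganger domain to the legitimate subdomain it mimics."""
    blocklist = {}
    for fqdn in subdomains:
        for dop in doppelganger_candidates(fqdn):
            blocklist[dop] = fqdn.lower()
    return blocklist


def recipient_domain(address):
    """Extract the lower-cased domain part of an address like bob@x.com or <bob@x.com>."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower() if m else None


def is_doppelganger(address, blocklist):
    """True when the address is at a known doppelganger domain."""
    return recipient_domain(address) in blocklist


def flag_outbound(log_lines, blocklist):
    """Return (line, dop, mimicked_domain) for each log line whose recipient is a dop."""
    hits = []
    for line in log_lines:
        recipient = line.split("->")[-1].strip()
        dom = recipient_domain(recipient)
        if dom in blocklist:
            hits.append((line, dom, blocklist[dom]))
    return hits


def postfix_access_table(blocklist):
    """Render the blocklist as a Postfix access(5) table ('domain REJECT text'
    per line) suitable for smtpd_recipient_restrictions = check_recipient_access."""
    return "\n".join(
        f"{dop} REJECT doppelganger of {real}"
        for dop, real in sorted(blocklist.items())
    )


if __name__ == "__main__":
    bl = build_blocklist(CORPORATE_SUBDOMAINS)
    for line, dop, real in flag_outbound(SAMPLE_OUTBOUND_LOG, bl):
        print(f"FLAG {line!r}: {dop} mimics {real}")
    print(postfix_access_table(bl))
```

Running the script prints the two constructed log lines whose recipients are at seibm.com and mail.corpexample.com, followed by the access table. The same candidate list can be fed to your internal DNS resolver as a block list (the article's third measure) or checked against a registrar to find out which dops are already taken.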

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.

4 Comments

  1. Alan Manders · September 29, 2011

    A disturbing practice, to be sure. These things can definitely be handled if they come up, but the findings in that study are particularly interesting in how people were so fully unaware of what was happening on either side. That only 1 company recognized the doppelganger indicates a very serious problem.

  2. Sabine Lenz · September 30, 2011

    One of the most famous doppelganger exploits was with PayPal.com. The scammers registered the domain PayPa1.com and designed the website to look like the real PayPal. If you look at it, you can’t distinguish the two domain names.

    But at a closer inspection you can see the difference. The real one is PayPal (with an “l” at the end). The fake one is PayPa1 (with the number “1” at the end).

    It’s link bait. They don’t take advantage of the misspellings.

    Since then, PayPal bought the domain name to rid its users of confusion. Try it now and PayPa1.com will redirect to the real PayPal website.

  3. Ross Diamond · October 6, 2011

    Thanks for the great info Sabine. This is really true for me especially now that I’m wearing thick glasses with more grades. It’s really easy to get confused between PayPal and PayPa1. They’re almost the same.

    This just proves that online scammers out there are exploiting every hole they can get. Finance and banking institutions here and abroad are also becoming favorite targets of these criminals.

    Let’s just be proactive when browsing the World Wide Web, especially when we’re transacting money.

  4. Qman · October 7, 2011

    Typosquatting… what’s next? It’s almost certain that every email platform always has a loophole. That’s why I lost my faith in email because of this type of issue.

    Without biases and I’m just being fair, I think we should all migrate to Instant Messaging or some sort of email-IM hybrid.

    Take for instance what Gmail and Facebook did for their systems. You can now check your inbox and at the same time do IM. Cool, huh? This will get rid of this kind of email scam.
