Missing dots in email addresses open a 20GB data leak

Security researchers captured 120,000 emails intended for Fortune 500 companies by exploiting a basic typo. The emails contained trade secrets, business invoices, personal information about employees, network diagrams and passwords. Researchers Peter Kim and Garrett Gee did this by buying 30 internet domains they thought people would send emails to by accident.

The domain names they chose were identical to subdomains used by Fortune 500 companies except for a missing dot. Having purchased the domains they simply sat back and watched as users mistakenly sent them over 120,000 emails in six months.


Kim and Gee have not identified their targets but have disclosed that they were selected from a list of 151 Fortune 500 companies they regarded as vulnerable to their variation of typo squatting. The list is packed with household names like Dell, Microsoft, Halliburton, PepsiCo and Nike.

The emails they collected included some worryingly sensitive corporate information, including:

Passwords for an IT firm’s external Cisco routers

Precise details of the contents of a large oil company’s oil tankers

VPN details and passwords for a system managing road tollways


The researchers also warn of how simple it would have been to turn their passive typo squatting into an even more dangerous man-in-the-middle attack. Such an attack would have allowed them to capture entire email conversations rather than just individual stray emails.

To perform a man-in-the-middle attack an attacker would simply forward copies of any emails they receive to the addresses they were originally meant for. The forwarded emails would be modified to carry a bogus return address owned by the attacker.

By forwarding and modifying emails in this way the attacker establishes themselves as a silent relay between all the individuals in the conversation.

Typo squatting isn’t new so it’s striking that the researchers managed to capture so much information by focusing on just one common mistake. They captured 20GB of data in six months using only basic technical skills and 30 domains costing no more than a few dollars each.

A determined attacker with a modest budget could easily afford to buy domains covering a vast range of organizations and typos. During their six-month typo squat only one of the target companies took action against Kim and Gee.

So how can you protect yourself from this kind of unwanted eavesdropping?

First and foremost make sure you encrypt and password protect sensitive data so that if it does end up in the wrong hands it can't be used. Organisations can also prevent emails being sent to specific misspelled domains through their DNS or mail server configurations. Of course this approach won't prevent people outside your organization from misspelling your domains.


To defend against that you might defensively purchase domains that look like good typo squatting targets. Finally, if you believe somebody is using typo squatting to attack your company you may wish to file a complaint under the Uniform Domain-Name Dispute-Resolution Policy (UDRP) against them.
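The two organisation-side defences above (blocking outbound mail to misspelled domains, and knowing which lookalike domains to buy defensively) both start from the same list: every "missing dot" variant of your own subdomains. The script below, an added example that is not part of the article or the researchers' work, generates that list for a fictitious organisation (example.com and made-up subdomains, all constructed) and flags outbound recipients whose domain is one of the variants, the way a mail-server rule would.

```python
"""Defender-side helper for the "missing dot" typo-squatting variant:
build the lookalike domains of an organisation's subdomains and flag
outbound recipients that would deliver mail to one of them.

All domains here are constructed examples, not the article's companies."""

from typing import Iterable, List, Set


def doppelganger_domains(subdomains: Iterable[str]) -> Set[str]:
    """For each subdomain, return every name formed by dropping one internal
    dot, e.g. 'us.corp.example.com' -> 'uscorp.example.com' and
    'us.corpexample.com'. A bare registrable domain yields no variants."""
    variants = set()
    for name in subdomains:
        labels = name.lower().strip(".").split(".")
        # Merging the last two labels would change the TLD rather than
        # produce a registrable lookalike, so stop one short of it.
        for i in range(len(labels) - 2):
            merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
            variants.add(".".join(merged))
    return variants


def flagged_recipients(recipients: Iterable[str], blocked: Set[str]) -> List[str]:
    """Return the addresses whose domain is a known lookalike. This mirrors
    a mail-server rule that rejects or quarantines mail to those domains."""
    hits = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain in blocked:
            hits.append(addr)
    return hits


# Constructed subdomains of a fictitious organisation and a sample outbound batch.
ORG_SUBDOMAINS = ["us.example.com", "eu.example.com", "mail.corp.example.com"]
SAMPLE_RECIPIENTS = [
    "alice@us.example.com",        # correctly addressed
    "bob@usexample.com",           # missing dot: would land at a squatter
    "carol@mailcorp.example.com",  # missing dot inside a deeper subdomain
    "dave@partner.example.net",    # unrelated domain, left alone
]

if __name__ == "__main__":
    lookalikes = doppelganger_domains(ORG_SUBDOMAINS)
    print("lookalike domains to block or register:", sorted(lookalikes))
    for addr in flagged_recipients(SAMPLE_RECIPIENTS, lookalikes):
        print("would not deliver:", addr)
```

The same lookalike list doubles as the set of domains worth registering defensively, or checking in WHOIS to see whether someone else already holds them.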
