
September 9, 2011

Typosquatting: Who is REALLY reading that email you just sent?

Wired magazine recently reported that researchers at the Godai Group collected over 20GB of highly confidential and crucial information from various Fortune 500 companies, through the simple (and dastardly) technique of “TypoSquatting”.

TypoSquatting is a very basic type of exploit that can easily be run by the most novice of hackers. It employs a “doppelganger” domain (that is, a domain that is almost identical to the target domain, but differs in extremely minor ways) to catch emails and/or web traffic that was mistyped. Effective attacks make particular use of common misspellings, extremely long domain names, and other commonly “typo’d” domains. A few examples would be “everlysystems.com” for this website, or perhaps “yajoo.com” for a major search provider.

Execution of the attack is extremely simple – the attacker registers the domain, creates a catch-all email account, and sits and waits (for months, years, or indefinitely) as emails come wandering in from users who simply mistyped or misspelled their intended recipient. As a result, confidential conversations, trade secrets, sensitive documents, or even user credentials can be gathered and stored, with little or no interaction on the hacker’s part. A simple search of the collected emails can yield extremely valuable and volatile information!

I have personally experienced an even more aggressive type of attack (and more commonly known), called “Phishing”. Phishing can be accomplished many ways, but in this particular instance, the attacker combined Phishing with a Doppelganger domain, to make it appear as if a legitimate company and employee had intentionally placed a large order with a client of mine. Clicking the provided link in the person’s signature took me to the company website, which was in perfect order, contained real, current information and employee profiles, and was even verifiable through the Better Business Bureau and online searches. However, careful inspection of the email revealed the attack. A barely noticeable swap of an “i” and “e” in the email address’s domain name disguised a clever ruse to defraud – copying the Sent From email domain (not the one included in the signature’s link) took you to a totally separate, “under construction” dead-end. Replying to that email, and ESPECIALLY conducting business with the individual on the other end, would have ended badly!

To sharpen the point, consider these details from Wired’s write-up…

“The e-mails they collected included one that listed the full configuration details for the external Cisco routers of a large IT consulting firm, along with passwords for accessing the devices. Another e-mail going to a company outside the U.S. that manages motorway toll systems provided information for obtaining full VPN access into the system that supports the road tollways. The e-mail included information about the VPN software, usernames, and passwords.

The researchers also collected an assortment of invoices, contracts and reports in their stash. One e-mail contained contracts for oil barrel sales from the Middle East to large oil firms; another contained a daily report from a large oil firm detailing the contents of all of its tankers that day.

A third e-mail included ECOLAB reports for a popular restaurant, including information about problems the restaurant was having with mice. ECOLAB is a Minnesota-based firm that provides sanitizing and food safety products and services to companies.”

So… take notice. Whenever possible, don’t hand-type that important email address. Instead, be sure to “reply” to the sender’s message. If you HAVE to type it, double and triple check it against the person’s business card, website, or other published source. If you must send sensitive information, always send a probing email without any sensitive data – a savvy user will understand why you sent a simple “Hi Bob, is this the best address to use?” before you send over that important item.
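As an added example (not code from the original post), the script below implements two defensive checks that follow from the post: an outbound check that flags a recipient whose domain is within a couple of edits of a known partner domain (the everlysystems/yajoo pattern), and an inbound check that compares the From: domain with the link domains in the signature, which is the mismatch that exposed the order-scam email described above. The TRUSTED_DOMAINS list, the sample message and every domain name in it are constructed for this example.

```python
"""Defensive checks against doppelganger (typosquat) domains.

Added example; all domains and the sample message are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains this organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"example-corp.com", "northwind-traders.com"}

# Constructed inbound message: From: domain has a transposed "el"/"le",
# while the signature link points at the real company site.
SAMPLE_ORDER_EMAIL = """\
From: Bob Buyer <bob@exampel-corp.com>
To: sales@northwind-traders.com
Subject: Large order

Please see the attached order details.
--
Bob Buyer, Example Corp
http://www.example-corp.com/staff/bob
"""


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: insert, delete, substitute and
    adjacent-transposition each cost 1, so an i/e swap is one edit away."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` most resembles, or None when the
    domain is exactly trusted or not close to any trusted domain."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return None
    best = None
    for candidate in trusted:
        dist = damerau_levenshtein(domain, candidate)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (candidate, dist)
    return best[0] if best else None


def check_recipients(recipients):
    """Outbound check: map each recipient whose domain looks like a typo of a
    trusted domain to the trusted domain it resembles."""
    flagged = {}
    for addr in recipients:
        _, email = parseaddr(addr)
        if "@" not in email:
            continue
        domain = email.rsplit("@", 1)[1]
        match = lookalike_of(domain)
        if match:
            flagged[email] = match
    return flagged


URL_DOMAIN = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def check_inbound(raw_message: str):
    """Inbound check: return (from_domain, link domains in the body that are
    neither the From: domain nor a subdomain of it). A plain-text, single-part
    message is assumed."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    from_domain = sender.rsplit("@", 1)[-1].lower()
    link_domains = {m.lower() for m in URL_DOMAIN.findall(msg.get_payload())}
    mismatched = {d for d in link_domains
                  if d != from_domain and not d.endswith("." + from_domain)}
    return from_domain, mismatched


if __name__ == "__main__":
    print(check_recipients(["bob@exampel-corp.com", "alice@northwind-traders.com"]))
    print(check_inbound(SAMPLE_ORDER_EMAIL))
```

The distance threshold is the tuning knob: `max_distance=2` catches single swaps, dropped hyphens and doubled letters, but with very short trusted domains it will also flag unrelated names, so tighten it or add an allow-list for known-good partner domains before wiring this into an outbound mail gateway. A mismatch reported by `check_inbound` is a reason to verify the sender out of band, exactly the probing-email step the post recommends, not proof of fraud on its own.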

August 4, 2010

How to Deal with Spam (of the non-edible variety)

We’ve all seen them: a seemingly innocent email arrives purporting to be from your company’s Help Desk, your system administrator, or some wealthy prince of Nigeria. These emails ask for personal information such as usernames, passwords, bank account information, or even money. Responding to such emails often results in locked accounts, boatloads more incoming spam, or worse. Below are some hints to help you recognize these emails:

What is Spam?

Spam is unsolicited email. Much like the “junk mail” from the normal post office, these messages can simply be erased or ignored. In order to limit the amount of spam arriving in your email inbox, many email services utilize a spam filtering service (e.g. Google’s Postini service) to automatically check and block potential spam messages.
There are different types of spam messages:

Some spam messages want you to purchase things. These are mostly harmless, and can be blocked and deleted.
A spam email may contain a file attachment, usually containing malicious software (malware) to infect your machine. The malware can steal information without your knowledge as well as use your machine in future attacks on other machines.
A phishing email is one that attempts to “fish out” information, including usernames and passwords, social security numbers, bank account information, etc. Once the phisher has this information, they use the compromised account to, in turn, send out thousands of similar messages to other unsuspecting recipients. Reputable institutions will NEVER ask for your username and password via email. Once other organizations see compromised email addresses sending thousands of spam messages, they block all further emails from that domain, including legitimate correspondence, in an effort to protect their own users. This causes a disruption in communication, as recipients with addresses at other domains (e.g. Live, Gmail, Hotmail) no longer receive messages from you.

Some messages are still getting through my email’s spam service. What should I do?

DO NOT RESPOND TO THE EMAIL!! First, if your email provider supports it, report the email to their spam service. If you are unsure whether or not a message is spam, please contact either your company’s Help Desk or possibly even your email service provider. Finally, be aware of which sites are asking for your email address. Check whether their privacy policies will protect your information or whether they pass that personal information on to third parties.

I may have given my information to a phisher. What should I do?

Everyone makes mistakes sometimes. If you feel that you may have compromised your account, contact your account provider immediately. If you can still log into the account, change the password as soon as possible to prevent any malicious use of your account. Make an appointment with your company’s Help Desk as soon as possible. The worst thing you could do is ignore this! Take action immediately!
