Typosquatting: Who is REALLY reading that email you just sent?

Wired magazine recently reported that researchers at the Godai Group collected over 20GB of highly confidential and crucial information from various Fortune 500 companies, through the simple (and dastardly) technique of “TypoSquatting”.

TypoSquatting is a very basic type of exploit, that can easily be run by the most novice of hackers. It employes a “doppelganger” domain (that is, a domain that is almost identical to the target domain, but differs in extremely minor ways) to catch emails and/or web traffic that was mistyped. Effective attacks make particular use of common misspellings, extremely long domain names, and other commonly “typo’d” domains. A few examples would be “e v erlysystems.com” for this website, or perhaps “ya j oo.com’ for a major search provider.

Execution of the attack is extremely simple – the attacker establishes the domain, creates a catch-all email account, and sits and waits (for months, years, or indefinitely) as emails come wandering in from users who simply mis-typed or mis-spelled their intended recipient. As a result, confidential conversations, trade secrets, sensitive documents, or even user credentials can be gathered and stored, with little or no interaction on the hackers part. A simple search of the collected emails can yield extremely valuable and volatile information!

I have personally experienced an even more aggressive type of attack (and more commonly known), called “Phishing”. Phishing can be accomplished many ways, but in this particular instance, the attacker combined Phishing with a Doppelganger domain, to make it appear as if a legitimate company and employee had intentionally placed a large order with a client of mine. Clicking the provided link in the persons signature took me to the company website, which was in perfect order, contained real, current information and employee profiles, and was even verifiable through the Better Business Bureau and online searches. However, careful inspection of the email revealed the attack. A barely noticeable swap of an “i” and “e” in the email address’s domain name disguised a clever ruse to defraud – copying the Sent From email domain (not the one included in the signature’s link) took you to a totally separate, “under construction’ dead-end. Replying to that email, and ESPECIALLY conducting business with the individual on the other end, would have ended badly for!

To sharpen the point, consider these details from Wired’s write-up…

“The e-mails they collected included one that listed the full configuration details for the external Cisco routers of a large IT consulting firm, along with passwords for accessing the devices. Another e-mail going to a company outside the U.S. that manages motorway toll systems provided information for obtaining full VPN access into the system that supports the road tollways. The e-mail included information about the VPN software, usernames, and passwords.

The researchers also collected an assortment of invoices, contracts and reports in their stash. One e-mail contained contracts for oil barrel sales from the Middle East to large oil firms; another contained a daily report from a large oil firm detailing the contents of all of its tankers that day.

A third e-mail included ECOLAB reports for a popular restaurant, including information about problems the restaurant was having with mice. ECOLAB is a Minnesota-based firm that provides sanitizing and food safety products and services to companies.”

So… take notice. Whenever possible, don’t hand-type that important email address. Instead, be sure to “reply’ to the senders message. If you HAVE to type it, double and triple check it against the persons business card, website, or other published source. If you must send sensitive information, always send a probing email without any sensitive data – a savvy user will understand why you sent a simple “Hi Bob, is this the best address to use?” before you send over that important item.