Typosquatting: How mistyped emails can ruin a company

14 09 2011
by Daniel Nordstrom

Five minutes until you go home for the weekend, and one last email stands in your way. You finish writing it, carelessly accept every spell-check suggestion, and hit Send. Another dialog pops up; you hit Send again without reading it. Now you are free for another weekend and heading to happy hour, but the email carrying the latest sales numbers was addressed to a mistyped domain and has just landed in a mailbox controlled by whoever registered that look-alike domain. What will they do with the data? Sell it? Reply to you, posing as the intended recipient, to pry more information out of your company? In today's email-driven world this happens far too often.

In a recent research project, Peter Kim and Garrett Gee of the Godai Group collected 120,000 emails using typosquatted domains; the harvest added up to 20 GB of corporate data [1], ranging from trade secrets and invoices to usernames and passwords [3]. Typosquatting means registering a domain that differs from a legitimate one by a single missing or substituted character. The Godai method, which they call doppelganger domains, "relies on mistakes of omission rather than misspelling": it targets the dot between a subdomain and its parent domain. The example the researchers give (and say they did not use themselves) is Dell's China site. The legitimate host is http://chn.dell.com, and the doppelganger is http://chndell.com [2]. Only the dot between chn and dell is missing, yet chndell.com is a separate, registrable domain, and whoever registers it and publishes a mail server (MX) record for it receives every message addressed to anyone at chn.dell.com in which the sender dropped that dot. Godai found that 151 of the Fortune 500, about 30%, were exposed to this attack [3]. The real figure is probably higher once you count companies that lack the money or time to register and monitor the domains near their own. Holding the look-alike domain is only the first step; many attackers then use the emails that arrive to pry out further information.
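To make the two kinds of look-alike concrete, here is an added example (not code from the Godai Group or from the article) that generates the candidate domains an attacker could register against a set of hostnames: doppelgangers made by omitting the dot before the registrable domain, and typosquats made by omitting or replacing one character of the registrable name. It assumes the registrable domain is the last two labels (dell.com), which does not hold for public suffixes like co.uk; apart from chn.dell.com, which the article itself uses, every hostname is constructed.

```python
"""Candidate look-alike domains for a set of internal hostnames.

Added example, not the Godai Group's code. Two candidate classes:
  * doppelganger domains: the dot before the registrable domain is
    omitted (chn.dell.com -> chndell.com), the Godai method;
  * single-character typosquats: one character of the registrable
    name omitted or replaced (dell.com -> del.com, dwll.com).
Hostnames other than chn.dell.com are constructed for illustration.
"""
from __future__ import annotations

import string

# Assumption: the registrable domain is the last two labels (dell.com).
# Public suffixes with more labels (co.uk) would need a public-suffix list.
REGISTRABLE_LABELS = 2
LABEL_CHARS = string.ascii_lowercase + string.digits + "-"


def registrable(host: str) -> str:
    """dell.com for chn.dell.com: the part an attacker must register."""
    return ".".join(host.lower().strip(".").split(".")[-REGISTRABLE_LABELS:])


def doppelganger(host: str) -> str | None:
    """Registrable doppelganger of one hostname, or None if it has none.

    chn.dell.com -> chndell.com: the dot between the deepest subdomain
    label and the registrable domain is dropped. Whoever registers
    chndell.com and publishes an MX record receives every message meant
    for *@chn.dell.com whose sender left out that dot. A bare domain such
    as dell.com has no dot to omit, so it has no doppelganger.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) <= REGISTRABLE_LABELS:
        return None
    fused = labels[-REGISTRABLE_LABELS - 1] + labels[-REGISTRABLE_LABELS]
    return ".".join([fused] + labels[-REGISTRABLE_LABELS + 1:])


def valid_label(label: str) -> bool:
    """DNS labels are non-empty and may not start or end with a hyphen."""
    return bool(label) and not label.startswith("-") and not label.endswith("-")


def single_char_typos(domain: str) -> set[str]:
    """Typosquats of a registrable domain that omit or replace one character
    of its name label: dell.com -> del.com, ell.com, dwll.com, ...
    Only the name label is mutated; the TLD is not the attacker's to typo.
    """
    labels = domain.lower().strip(".").split(".")
    name, suffix = labels[0], ".".join(labels[1:])
    names: set[str] = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])              # omission
        for c in LABEL_CHARS:
            if c != ch:
                names.add(name[:i] + c + name[i + 1:])  # replacement
    return {f"{n}.{suffix}" for n in names if valid_label(n)}


def watchlist(hosts: list[str]) -> dict[str, set[str]]:
    """Domains to register, monitor or block for a set of internal hostnames."""
    doppelgangers: set[str] = set()
    for h in hosts:
        d = doppelganger(h)
        if d:
            doppelgangers.add(d)
    typos: set[str] = set()
    for reg in {registrable(h) for h in hosts}:
        typos |= single_char_typos(reg)
    return {"doppelganger": doppelgangers, "typo": typos}


if __name__ == "__main__":
    # chn.dell.com is the article's example; the example.com hosts are constructed.
    wl = watchlist(["chn.dell.com", "mail.example.com", "example.com"])
    print("doppelgangers:", sorted(wl["doppelganger"]))
    print("single-character typos:", len(wl["typo"]), "candidates")
```

The doppelganger list is tiny, one entry per subdomain that receives mail, which is exactly why the technique is cheap for an attacker and cheap to defend: the output of `watchlist` is what you would check against WHOIS and MX records, register pre-emptively, or feed to the outbound mail filter.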

Staying with the Dell China example: the two domains differ by a single character, so it is easy for a customer to type the fake address into the browser or to email it by mistake. If a customer writes to the imposter domain about a computer they bought, the domain's owner can write back asking how they paid and for the credit card number they used. Once the customer replies, the operator holds the card details, can run up online purchases with them, and the customer has no idea how the card was compromised. For an individual customer the loss is limited; if an employee does the same thing with company data, the consequences can be far more serious. So how do we protect ourselves from this kind of fraud?

The Godai Group's suggested remedy is for companies to register the domains similar to their own or, if someone else already holds one, to file a dispute against it [3]. Their other suggestion is to stop mail from ever reaching such domains by having the company's mail system refuse to send to them. Both are sound, but neither accounts for how companies exchange information with each other. Keeping customers from sending confidential data to a spoofed domain is only one side of the problem. What about employees who have to send data to an outside company? They can fall into the same trap of imposter domains and addresses, and a blocklist built from look-alikes of your own domain says nothing about look-alikes of your partners' domains.

It is my belief that companies should configure their mail systems to allow employees to send email and files only to approved domains. That means maintaining a master list of approved domains that evolves as business relationships change, and yes, it will cost the company some money and a little time, and it will delay some transfers briefly while a new domain is vetted. The benefits of this control, however, far outweigh the cost and inconvenience of the initial setup, and it closes off the whole class of mistakes involving fake domain names. In information security it only takes one slip for an attacker to end up with all the data needed to do a company significant harm.
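As an added example of the two controls discussed above (not code from the article or from any mail product), the following outbound recipient check refuses mail to doppelgangers of the company's own hostnames, as Godai suggests, and releases mail to an external domain only if it is on an approved list, as proposed here. The fictional company example.com, its hostnames, the approved partner domains and the sample recipients are all constructed; the check uses only the Python standard library.

```python
"""Outbound recipient check: internal, doppelganger, approved or unknown.

Added example, not code from the article or from any mail product.
Policy order: our own hosts are sent; doppelgangers of our own hosts
are blocked; approved external domains are sent; anything else is held
for review. example.com and the approved domains are constructed.
"""
from __future__ import annotations

from email.utils import parseaddr
from enum import Enum


class Verdict(Enum):
    SEND = "send"    # internal host or approved external domain
    BLOCK = "block"  # doppelganger of one of our hostnames, or unparseable
    HOLD = "hold"    # external domain not on the approved list; needs review


# Constructed policy: a fictional company with a regional subdomain,
# mirroring the chn.dell.com case in the article.
INTERNAL_HOSTS = {"example.com", "chn.example.com", "mail.example.com"}
APPROVED_EXTERNAL = {"partner-corp.com", "accounting-firm.co.uk"}


def dot_insertions(domain: str) -> set[str]:
    """Every hostname reachable by inserting one dot into domain.

    chnexample.com -> {c.hnexample.com, ch.nexample.com, chn.example.com, ...}
    If any of them is one of our hostnames, domain is its doppelganger.
    """
    labels = domain.split(".")
    out: set[str] = set()
    for li, label in enumerate(labels):
        for i in range(1, len(label)):
            out.add(".".join(labels[:li] + [label[:i], label[i:]] + labels[li + 1:]))
    return out


def under(domain: str, roots: set[str]) -> bool:
    """True if domain equals, or is a subdomain of, any root."""
    return any(domain == r or domain.endswith("." + r) for r in roots)


def is_doppelganger(domain: str) -> bool:
    return any(under(d, INTERNAL_HOSTS) for d in dot_insertions(domain))


def recipient_domain(addr: str) -> str | None:
    """Lower-cased domain of a recipient header value, or None if unparseable."""
    _, email_addr = parseaddr(addr)
    if email_addr.count("@") != 1:
        return None
    return email_addr.rsplit("@", 1)[1].lower().rstrip(".") or None


def check_recipient(addr: str) -> Verdict:
    domain = recipient_domain(addr)
    if domain is None:
        return Verdict.BLOCK          # fail closed on anything we cannot parse
    if under(domain, INTERNAL_HOSTS):
        return Verdict.SEND
    if is_doppelganger(domain):       # chnexample.com, mailexample.com, ...
        return Verdict.BLOCK
    if under(domain, APPROVED_EXTERNAL):
        return Verdict.SEND
    return Verdict.HOLD               # unknown external: queue for approval


def check_message(recipients: list[str]) -> tuple[Verdict, dict[str, Verdict]]:
    """A single BLOCK or HOLD stops the whole message, so one mistyped
    recipient cannot leak an attachment while the others are delivered."""
    verdicts = {r: check_recipient(r) for r in recipients}
    for level in (Verdict.BLOCK, Verdict.HOLD):
        if level in verdicts.values():
            return level, verdicts
    return Verdict.SEND, verdicts


if __name__ == "__main__":
    # Constructed recipients: a regional colleague, an approved partner,
    # and the colleague's address with the dot dropped.
    overall, per = check_message(
        ["alice@chn.example.com", "Bob <bob@partner-corp.com>", "alice@chnexample.com"]
    )
    for recipient, verdict in per.items():
        print(f"{verdict.value:5} {recipient}")
    print("message:", overall.value)
```

Checking the dot-insertion set of the recipient domain, rather than keeping a precomputed blocklist, means a newly added internal subdomain is protected as soon as it appears in `INTERNAL_HOSTS`; the HOLD verdict is where the approval workflow for new partner domains plugs in.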

[1] http://www.securityweek.com/research-project-shows-how-typos-and-misspelled-domains-lead-massive-data-loss
[2] http://abcnews.go.com/blogs/technology/2011/09/typosquatting-one-typo-can-create-online-security-breach/
[3] http://www.theregister.co.uk/2011/09/09/typo_squatting_email_harvesting_risk/



