We’re all familiar with well-known causes of data security breaches and identity fraud; phishing, malware attacks, and lack of cyber security protection are some of the most popular.  A lesser-known but just as lethal culprit in the world of data breaches is surprisingly, a person’s typing skills due to the fact that a simple typo can lead to typo-squatting also known as URL hijacking.

Typo-squatters count on accidental misspellings and typing errors of web addresses in a web browser’s address bar to get people to their page which can often be unscrupulous hacker sites designed to extract a person’s private information.  Typo-squatters buy up domains that are similar to popular domain addresses to lie in wait for web surfers to make typing mistakes which is now even more widespread with the popularity of touch screen devices.  For example, instead of typing dot-com, you mistakenly type dot-org and are transferred to an authentication or login page that asks you to input your account information and password before proceeding.  These pages are actually typo-squatted pages that were created to not only steal your information but they can also make you vulnerable to a computer virus or identity theft.  The most dangerous scenario is when a person uses the same user name and password for every website since a hacker then can access financial information such as banking and credit cards accounts using the stolen log-in information.  

Typo-squatters can also cause a business data breach by creating doppelganger domains for large companies that use subdomains for their various worldwide offices.  Business emails are intercepted when a user mistypes a recipient’s e-mail address.  Using a doppelganger domain, a hacker configures an email server to intercept any correspondence addressed to a person with that name.  Extra large companies with many subdomains are at the biggest risk since they have more employees with more email addresses which means more chances for typos.

A key way to practice data breach protection in preventing typo-squatting is to use a search engine to find a website instead of directly typing in the web address especially if you are searching for a financial institution.  All the big search engines will have companies’ legitimate web addresses as well as data protection and security software to scan for malware and prevent hacking.  Common sense is also another powerful tool to prevent a breach of data; if a site doesn’t look right, it probably isn’t so exit quickly and try again through a search engine.

A new form of data hacking has been exposed by two researchers who found ways to easily penetrate Fortune 500 companies through mistyped email addresses.

So-called typo-squatting – where criminals register for domains that are similar to those of legitimate businesses – has served as a fraudster tactic for years.  The newest twist on an old hack involves creating doppelganger domains by simply omitting the dot between a company’s host name and subdomain name.  This serves as an ideal tool to scoop up emails directed to a large corporation’s regional offices; for example, a hacker might register for seibm.com, as opposed to the true address of IBM’s Swedish division, se.ibm.com.

Researchers from information security firm Godai Group spent six months testing the effectiveness of this hack.  The results were alarming.  Thirty percent of the Fortune 500 companies targeted proved vulnerable to this security loophole, with the researchers able to collect 20 gigabytes of data, including emails that contained trade secrets, invoices, employee information, network diagrams, usernames and passwords.  Some of the largest Fortune 500 companies can have as many as 60 subdomains, all with a high volume of traffic, so this scam can reap huge rewards for determined hackers.

The newest typo-squatting technique can be used in two ways.  The first is passively, where a fraudster simply registers for a doppelganger domain, sets up an email server to catch any emails sent to this domain, and then waits for his in-box to fill up with data breach goodies.  If the fraudster wants to take things a step further, he can actively redirect emails to the intended recipients in order to get a reply.  With this “man in the middle” technique, the hacker sets up doppelganger domains for two companies that he knows are corresponding and writes a script to forward emails that he receives between the two entities, thus doubling his access to sensitive data.

How can doppelgangers be deterred?  Companies can mitigate their exposure to this threat by registering for doppelganger domains themselves, or – when those domains have already been snapped up – configuring their internal and external DNS servers to block those incorrect domains.  Above all, this latest incarnation of typo-squatting is a reminder of the need for vigilant security systems to ward off new and emerging data breach tactics.