Stealing data through doppelganger domains

October 18, 2011 by ofonseca

Two researchers have shown how easily mistyped email addresses alone can leak sensitive data out of Fortune 500 companies, without touching the companies' own systems.

So-called typo-squatting, where criminals register domains that look like those of legitimate businesses, has been a fraudster tactic for years.  The newest twist on this old trick is the doppelganger domain, made by omitting the dot between a subdomain label and the company's registered domain.  Large corporations commonly give each regional office its own subdomain, so the doppelganger of one of those subdomains scoops up every email whose sender dropped that single dot; for example, an attacker might register seibm.com to shadow se.ibm.com, the true domain of IBM's Swedish division.

Researchers from the information security firm Godai Group spent six months testing how well this works, and the results were alarming.  Thirty percent of the Fortune 500 companies they examined were exposed in this way, and from the doppelganger domains they registered the researchers collected 20 gigabytes of data, including emails containing trade secrets, invoices, employee information, network diagrams, usernames and passwords.  Every one of those messages arrived because someone mistyped an address.  Some of the largest Fortune 500 companies have as many as 60 subdomains, each carrying a high volume of mail, so the scam can pay off handsomely for a patient attacker.

The technique can be used in two ways.  The passive way: the attacker registers a doppelganger domain, publishes an MX record for it and runs a mail server with a catch-all mailbox that accepts mail for any address at that domain, then waits for the inbox to fill with data breach goodies.  Because the mail is accepted rather than bounced, the sender never learns it went astray.  The active way goes a step further: the attacker forwards each captured message on to its intended recipient in order to draw a reply.  In this "man in the middle" variant the attacker registers doppelganger domains for two companies known to correspond with each other and runs a script that relays mail between them; since the forwarded copy is sent from the doppelganger of the original sender's domain, the reply flows back through the attacker as well, doubling the haul of sensitive data.

How can doppelgangers be deterred?  The first step is to enumerate the company's own subdomains, derive the dotless variants and check whether each is still available or has already been registered by someone else.  Companies can then mitigate their exposure by registering the unclaimed doppelganger domains themselves and, for those already snapped up, configuring their internal DNS servers to return no answer for those names and their outbound mail gateway to reject them, so that a mistyped address bounces inside the company instead of leaving it.  Note that DNS and gateway controls only catch mail sent from the company's own network; a customer or partner who mistypes the address still delivers straight to the squatter, which is why owning the domains is the stronger control.  Above all, this latest incarnation of typo-squatting is a reminder that data breach tactics keep evolving and that security controls have to keep pace with them.
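As an added example (not code from the original post or from the Godai Group research), the Python below generates the doppelganger candidates for a list of a company's hostnames, applies the outbound check a mail gateway would run on each recipient, and emits the unbound local-zone and Postfix access-map lines that implement the DNS and mail blocks described above. It generalises the single-subdomain case in the text by dropping any one internal dot, so mail.se.ibm.com yields mailse.ibm.com and mail.seibm.com as well. The hostnames and addresses it runs on are constructed for illustration; the config fragments use only the documented unbound `local-zone ... static` type and the Postfix access(5) table format used with `check_recipient_access`.

```python
"""Doppelganger-domain candidates, an outbound-mail check, and the blocking config.

Added example; not code from the original post or the Godai Group paper.
The hostnames and mail addresses below are constructed for illustration.
"""
from typing import Dict, Iterable, List, Tuple


def doppelganger_candidates(hostnames: Iterable[str]) -> Dict[str, str]:
    """Map every doppelganger name to the legitimate host it shadows.

    For each name, every internal dot except the one before the top-level
    label is dropped in turn: se.ibm.com -> seibm.com, and
    mail.se.ibm.com -> mailse.ibm.com and mail.seibm.com.  A bare domain
    such as ibm.com has no dotless variant and produces nothing.
    """
    candidates: Dict[str, str] = {}
    for host in hostnames:
        labels = host.strip().lower().rstrip(".").split(".")
        # Dots at positions 0..len-3 can be dropped; the final dot (before
        # the TLD) must stay or the result is not a registrable name.
        for i in range(len(labels) - 2):
            merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
            candidates[".".join(merged)] = ".".join(labels)
    return candidates


def recipient_domain(address: str) -> str:
    """Domain part of an address, tolerating 'Name <user@host>', case and a trailing dot."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def outbound_check(recipients: Iterable[str],
                   candidates: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (address, legitimate host) for every recipient whose domain is a doppelganger.

    This is the check a mail gateway applies before relaying: a hit means the
    message would leave the organisation for a domain the company does not own.
    """
    hits: List[Tuple[str, str]] = []
    for rcpt in recipients:
        legit = candidates.get(recipient_domain(rcpt))
        if legit is not None:
            hits.append((rcpt, legit))
    return hits


def unbound_local_zones(candidates: Dict[str, str]) -> str:
    """unbound.conf lines making the internal resolver answer NXDOMAIN for each doppelganger.

    A 'static' local-zone with no local-data returns NXDOMAIN for the name and
    everything under it, so neither MX nor A lookups for the doppelganger succeed.
    """
    return "".join(f'local-zone: "{name}." static\n' for name in sorted(candidates))


def postfix_access_map(candidates: Dict[str, str]) -> str:
    """Postfix access(5) table for check_recipient_access: reject mail to each doppelganger."""
    return "".join(
        f"{name}\tREJECT Did you mean {legit}?\n"
        for name, legit in sorted(candidates.items())
    )


if __name__ == "__main__":
    # Constructed examples: not real company hosts or real mail traffic.
    hosts = ["se.example.com", "mail.us.example.com", "example.com"]
    cands = doppelganger_candidates(hosts)
    outbound = [
        "Alice <alice@se.example.com>",   # legitimate regional office
        "bob@seexample.com",              # dot dropped: would go to the squatter
        "carol@MAIL.usexample.com.",      # case and trailing dot still match
    ]
    for rcpt, legit in outbound_check(outbound, cands):
        print(f"BLOCK {rcpt}: doppelganger of {legit}")
    print(unbound_local_zones(cands))
    print(postfix_access_map(cands))
```

The candidate list is also the input for the availability check: each key is a name to look up with whois before deciding whether to register it or, if it is already taken, to feed it into the two blocking tables. Keep the generated tables in version control and regenerate them whenever a new regional subdomain is created, since every new subdomain creates a new doppelganger.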