Typosquatting hacks: Finger slips sink ships

Roger A Grimes looks at the threat of fake websites that exploit user misspellings

For nearly as long as DNS has been around, aggressive advertisers and malicious actors have used a technique called typosquatting to take advantage of the fact that most of us aren't perfect typists: They buy up domains and set up realistic-looking yet malicious websites such as www.livve.com, www.live.cm, and www.liv.ecom to catch users who mistype live.com. I've considered typosquatting more of a nuisance than anything. The risk it poses isn't nearly as high as that of other pressing threats, such as unpatched vulnerabilities and fake antivirus scams.

However, a new typosquatting vector has emerged that warrants a warning. Researchers at the security think tank Godai Group found that, using typosquatting tactics, they could dupe people into sending them legitimate, private email intended for Fortune 500 mail servers. The researchers set up their own email servers on typosquatted domains, also known as doppelganger domains. Unwitting users then sent legitimate email to these domains, most likely unaware of their mistake. According to the final report, "During a six-month span, over 120,000 individual emails (or 20GB of data) were collected, which included trade secrets, business invoices, employee PII, network diagrams, usernames and passwords, etc."

If -- or rather, when -- an employee, partner, or customer mistypes your email domain when sending a message, the owner of a doppelganger domain can receive it. The sender won't even get a bounce message, because the mail was delivered, just to the wrong party. A savvy squatter could send a plausible, convincing-looking reply to further allay the sender's suspicions. I'm not sure that even I would be suspicious, and I've been in the IT security business for 20 years. The authors even detailed how to perform a man-in-the-middle email attack in which neither the sender nor the intended recipient is likely to notice the plot.
In a nutshell, the typosquatter sets up two bogus domains: one mimicking the sender's domain and one mimicking the receiver's. When the sender emails a message to the receiver's doppelganger, the squatter receives it (assuming it isn't signed or encrypted with S/MIME or a similar end-to-end mechanism), reads it, then forwards it to the intended recipient's real domain from the bogus version of the sender's domain. The receiver might not notice the misspelled domain in the sender address, and any reply comes back through the squatter the same way. Again, I'm not sure I would.

This form of typosquatting attack hasn't been widely adopted yet, but the researchers have convincingly demonstrated that it's a viable tactic. More than likely, it is already being used in the real world. In fact, I'd bet that corporate-espionage types have been using email typosquatting for a long time. Why wouldn't they? The researchers hit a gold mine of confidential information in a few months of testing. The report also noted that several doppelganger domains of the companies studied were already registered to parties in China, a hotbed of APT (advanced persistent threat) activity.

As is generally the case, organisations can take steps to defend themselves. One common tactic is for a company to register as many of the likely typo variants of its own domains as it can; the best defense is a good offense, although the space of variants is large enough that you will never cover all of it. Second, it can't hurt to include information about this threat in the email security section of your end-user education material. Third (I got this idea from a client), consider using an inbound/outbound Internet proxy that automatically blocks or quarantines traffic to or from sources that its content-subscription reputation service does not recognise or rank; a freshly registered doppelganger domain typically has no reputation at all. I was skeptical of this client's approach at first, but he reports a very high success rate with a very low record of false positives. Readers, what other ideas do you have to combat typosquatting?
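The attack above works because nobody checks the recipient domain before the message leaves, and the defense above depends on knowing which typo variants matter. The following is an added example, written for this page and not code from the column or from the Godai Group report, that does both: it enumerates the kinds of doppelganger variants the column mentions (livve.com, live.cm, liv.ecom) and, going one step beyond the text, a missing dot between subdomain labels, then screens a constructed batch of outbound (sender, recipient) pairs against a set of trusted partner domains and returns the messages a gateway should hold for review. All domains, addresses and the SAMPLE_OUTBOUND batch are hypothetical.

```python
"""Doppelganger-domain helpers (added example, not code from the column
or the Godai Group report): enumerate the typo variants of a domain that
an attacker might register, and screen outbound recipients against them."""

# Constructed sample of (sender, recipient) pairs, as an outbound mail
# gateway might see them; the addresses and domains are hypothetical.
SAMPLE_OUTBOUND = [
    ("alice@example.com", "bob@partner.com"),
    ("alice@example.com", "bob@partnre.com"),
    ("alice@example.com", "bob@partner.cm"),
    ("alice@example.com", "carol@uspartner.com"),
    ("alice@example.com", "dave@unrelated.org"),
]

# Hypothetical list of domains this organisation legitimately mails.
TRUSTED_DOMAINS = {"partner.com", "us.partner.com"}


def typo_variants(domain):
    """Plausible doppelgangers of `domain` (lower-cased, no scheme or host prefix).

    Classes covered: dropped, doubled and transposed characters in the
    name part (livve.com), the final dot typed one character early or late
    (liv.ecom), a dropped character in the TLD (live.cm), and a missing
    dot between subdomain labels (us.partner.com -> uspartner.com)."""
    domain = domain.lower()
    labels = domain.split(".")
    if len(labels) < 2:
        return set()
    tld = labels[-1]
    name = ".".join(labels[:-1])
    out = set()

    for i, ch in enumerate(name):
        if ch == ".":
            continue
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")                       # drop
        out.add(f"{name[:i]}{ch}{name[i:]}.{tld}")                       # double
        if i + 1 < len(name) and name[i + 1] != ".":
            out.add(f"{name[:i]}{name[i + 1]}{ch}{name[i + 2:]}.{tld}")  # swap

    # Dot between the registrable name and the TLD shifted by one position.
    prefix = ".".join(labels[:-2])
    joined = labels[-2] + tld
    for p in (len(labels[-2]) - 1, len(labels[-2]) + 1):
        if 1 <= p < len(joined):
            cand = f"{joined[:p]}.{joined[p:]}"
            out.add(f"{prefix}.{cand}" if prefix else cand)

    # One character dropped from the TLD (live.cm, live.co).
    if len(tld) > 2:
        for i in range(len(tld)):
            out.add(f"{name}.{tld[:i]}{tld[i + 1:]}")

    # Dot dropped between two subdomain labels.
    for i in range(len(labels) - 2):
        out.add(".".join(labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]))

    out.discard(domain)
    return out


def near_miss(candidate, trusted):
    """Return the trusted domain that `candidate` is a doppelganger of, else None."""
    candidate = candidate.lower()
    if candidate in trusted:
        return None
    for t in trusted:
        if candidate in typo_variants(t):
            return t
    return None


def screen_outbound(pairs, trusted):
    """Return [(recipient, trusted_domain_it_resembles)] for messages to hold."""
    held = []
    for _sender, rcpt in pairs:
        dom = rcpt.rsplit("@", 1)[-1]
        hit = near_miss(dom, trusted)
        if hit:
            held.append((rcpt, hit))
    return held


if __name__ == "__main__":
    for rcpt, looks_like in screen_outbound(SAMPLE_OUTBOUND, TRUSTED_DOMAINS):
        print(f"HOLD {rcpt}: domain resembles {looks_like}")
```

The same `typo_variants` output doubles as the shopping list for the defensive-registration approach: feed it your own domains, and whatever you do not register yourself is worth checking in WHOIS periodically to see who did. The outbound screen only catches mistyped recipients at domains you already know; it says nothing about a stranger mistyping your domain, which is the case only registration or reputation filtering can address.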
