Researchers Snatch 20gb of Email from Fortune 500 Companies Thanks to Typos
Sometimes it doesn’t take much to ferret out oodles of corporate secrets. For instance, researchers Peter Kim and Garrett Gee with the Godai Group information security think-tank were able to net 20gb of email correspondence by doing, in Kim’s own words, nothing. Nothing, except setting up 30 email domains that used common misspellings of Fortune 500 company email addresses.
With the domains in place, Kim said he only had to sit back and wait while the misaddressed emails rolled in. Within six months, he acquired some 120,000 emails. Many of these apparently contained individual user names and passwords, security information for outward-facing servers, and personal information that could have been used to steal identities.
While it may be comforting to see that this was done by researchers, not malicious-minded thieves, the researchers say that their trick is already being employed around the globe. Among the companies with dummy domains based off common misspellings, the team identified Cisco, Dell, HP, IBM, Intel, Manpower, and Yahoo. Whether or not the domains were being used to nab email is unclear, but the domains were apparently registered in China by persons associated with malicious activity in the past. In their report, the researchers concluded that 30% of Fortune 500 companies (that’s 151 companies for those playing along at home) were vulnerable to this sort of scam.
The problem is compounded for companies that employ subdomains. For instance, were Geekosystem to have an office in Germany, their email server might be “de.geekosystem.com.” Someone aiming to intercept mail headed to that office could register the domain “degeekosystem.com” and then wait for someone to screw up.
To guard against this typographical vulnerability, the researchers recommend that companies vigilantly purchase and secure domains that could be used in an interception scheme. This could be difficult if the domains have already been purchased, but according to Wired:
Kim recommends that companies configure their networks to block DNS and internal e-mails sent by employees that might get incorrectly addressed to the doppelganger domains.
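As an added illustration (not part of the article or the researchers’ work), the following Python sketch builds the “missing dot” doppelgangers of a company’s subdomains and flags outbound recipients addressed to them, the kind of internal mail check Kim recommends. The domain names and addresses are constructed examples.

```python
# Constructed sample: a company's mail domains, including regional
# subdomains in the style the article describes (de.geekosystem.com).
COMPANY_DOMAINS = ["geekosystem.com", "de.geekosystem.com", "uk.geekosystem.com"]

# Constructed sample of recipients on outbound mail, one per message.
SAMPLE_RECIPIENTS = [
    "hans@de.geekosystem.com",      # correctly addressed
    "hans@degeekosystem.com",       # dot dropped: goes to the doppelganger
    "partner@example.org",          # unrelated third party
    "Anna@DEGeekosystem.com",       # same doppelganger, different case
]


def doppelganger_domains(domains):
    """Return the registrable 'missing dot' doppelganger of each subdomain.

    For de.geekosystem.com the doppelganger is degeekosystem.com: the dot
    between the subdomain label and the company domain is dropped. Hosts with
    fewer than three labels (the apex domain itself) have no such variant.
    """
    out = set()
    for d in domains:
        labels = d.lower().strip(".").split(".")
        if len(labels) < 3:
            continue
        # Only the last three labels matter: that is the domain a stranger
        # could register, whatever deeper host names sit in front of it.
        out.add(labels[-3] + labels[-2] + "." + labels[-1])
    return sorted(out)


def recipient_domain(address):
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].strip().lower()


def flag_misaddressed(recipients, blocklist):
    """Return recipients whose domain is a blocklisted doppelganger or under one.

    Plugged into an outbound mail gateway or DNS policy, a hit here is a
    message that should be held and the sender told, not delivered.
    """
    flagged = []
    for r in recipients:
        dom = recipient_domain(r)
        if any(dom == b or dom.endswith("." + b) for b in blocklist):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    block = doppelganger_domains(COMPANY_DOMAINS)
    print("doppelgangers to register or block:", block)
    print("held messages:", flag_misaddressed(SAMPLE_RECIPIENTS, block))
```

The same list doubles as the set of domains worth registering defensively before someone else does.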
Pedants in the audience will surely relish this news, since it proves once again that every word counts and little errors can cause huge problems. However, this research also seems to indicate how unaware these companies are of the possible threats. Wired quotes Kim as saying that of the 30 dummy domains they set up, only one company noticed and threatened suit. More telling is that, out of all the mail they intercepted, they saw only two senders attempt to discern where the misaddressed message had gone.