Email Domain-Squatting: A Case Study

By Deane Barker on September 19, 2011

Researchers’ Typosquatting Stole 20 GB of E-Mail From Fortune 500: Combine a domain name with a spelling very close to a Fortune 500 company with a catch-all email account, and what do you get?  A crapload of sensitive information, it turns out.

Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months.

The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.

Worse yet, hardly anyone noticed:

Kim said that out of the 30 doppelganger domains they set up, only one company noticed when they registered the domain and came after them threatening a lawsuit unless they released ownership of it, which they did.

He also said that out of the 120,000 e-mails that people had mistakenly sent to their doppelganger domains, only two senders indicated they were aware of the mistake.
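A defender-side sketch of the problem described above, added here as an example and not part of the original post or the researchers' work: it flags outbound recipient addresses whose domain is a near miss of one of your own domains. The domains, allowlist, distance threshold and sample addresses are all constructed assumptions.

```python
# Added example: flag outbound mail addressed to near-miss versions of our domains.
# All domains and addresses below are constructed for illustration.
OWN_DOMAINS = {"example.com", "mail.example.com"}
ALLOWLIST = {"examples.com"}  # assumed: a legitimate third party that merely looks close


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "el" typed as "le".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def lookalike_of(domain: str, max_dist: int = 2):
    """Return the own domain this one resembles, or None if it is not a near miss."""
    domain = domain.lower().rstrip(".")
    if domain in OWN_DOMAINS or domain in ALLOWLIST:
        return None
    for legit in sorted(OWN_DOMAINS):
        if osa_distance(domain, legit) <= max_dist:
            return legit
    return None


def flag_recipients(recipients):
    """Return (address, resembled_domain) for each likely misaddressed recipient."""
    hits = []
    for addr in recipients:
        legit = lookalike_of(addr.rsplit("@", 1)[-1])
        if legit:
            hits.append((addr, legit))
    return hits


SAMPLE = ["alice@example.com", "bob@exampel.com", "carol@mailexample.com",
          "dave@partner.test", "erin@examp1e.com", "frank@examples.com"]

if __name__ == "__main__":
    for addr, legit in flag_recipients(SAMPLE):
        print(f"possible misaddressed mail: {addr} (looks like {legit})")
```

Run over the recipient column of an outbound mail log, this surfaces the senders who mistype a domain, which the post notes almost none of them notice on their own.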


