Two researchers set up doppelganger domains to intercept emails sent to mistyped company domains and collected 20GB of email over a six-month period.
The emails included a lot of sensitive company data, including employee information, legal documents pertaining to the company and network configuration data. “Twenty gigs of data is a lot of data in six months of really doing nothing,” said researcher Peter Kim from the Godai Group. “And nobody knows this is happening.”
Doppelganger domains are domains spelled almost exactly like legitimate ones, typically differing by a missing period or letter, such as uscisco.com instead of us.cisco.com. A sender who drops the dot when typing an address on a subdomain delivers the message to whoever registered the look-alike.
The researchers found that 30% of Fortune 500 companies were potentially vulnerable to such attacks. They also found that many of these doppelganger domains had already been registered, many of them in China.
Attackers could also run a man-in-the-middle attack: receive the misdirected email, then forward it to the intended recipient from their own look-alike address so that the reply routes back through them. The victims could exchange emails back and forth without ever noticing anything is wrong.
Of the 120,000 emails their doppelganger domains received, only two senders noticed something was wrong. Of the 30 domains they set up, only one company noticed the registration and threatened a lawsuit unless the researchers turned over ownership, which they did.
Companies can buy up these domains themselves or, as Kim suggests, block DNS resolution and internal email to them. That does not, however, stop email sent from outside the company to the doppelganger in the first place.
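To make the definition above concrete, and to show what the DNS/outbound-mail block Kim suggests has to be fed with, here is an added example written for this page (not code from the Godai Group research). It enumerates the dot-dropped and missing-letter variants of a set of constructed mail domains (example.com and its subdomains are assumed for illustration) and flags outbound recipients whose domain matches one of them. It goes beyond the single uscisco.com case by generating every single-dot and single-letter deletion.

```python
"""Enumerate doppelganger (dot-dropped / missing-letter) variants of an
organisation's mail domains and use the list to flag outbound recipients.

Added example, not code from the Godai Group research. The domains and the
sample header below are constructed for illustration.
"""
from __future__ import annotations

import re

# Constructed: mail domains this (hypothetical) organisation legitimately uses.
LEGIT_DOMAINS = ["example.com", "us.example.com", "mail.eu.example.com"]


def dot_dropped_variants(domain: str) -> set[str]:
    """Variants of `domain` with one internal dot removed (us.example.com -> usexample.com).

    The final dot before the TLD is never removed: "examplecom" is not a domain.
    """
    labels = domain.lower().strip(".").split(".")
    variants: set[str] = set()
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants


def missing_letter_variants(domain: str) -> set[str]:
    """Variants of `domain` with one character dropped from any label except the TLD."""
    labels = domain.lower().strip(".").split(".")
    variants: set[str] = set()
    for i in range(len(labels) - 1):
        label = labels[i]
        if len(label) < 2:  # dropping the only character would leave an empty label
            continue
        for j in range(len(label)):
            shorter = label[:j] + label[j + 1:]
            variants.add(".".join(labels[:i] + [shorter] + labels[i + 1:]))
    return variants


def doppelganger_candidates(domains: list[str]) -> set[str]:
    """All look-alike domains a squatter could register, minus the real ones."""
    legit = {d.lower().strip(".") for d in domains}
    candidates: set[str] = set()
    for d in domains:
        candidates |= dot_dropped_variants(d)
        candidates |= missing_letter_variants(d)
    return candidates - legit


# Minimal address extractor for a To:/Cc: header value (display names, <>, commas).
_ADDR_RE = re.compile(r"([^<>\s@,\"]+)@([^<>\s@,]+)")


def flag_recipients(header_value: str, candidates: set[str]) -> list[str]:
    """Return the recipient addresses whose domain is a doppelganger of our own.

    Meant for the outbound path (MTA milter or DLP hook) so that a mistyped
    internal address is bounced to the sender instead of delivered to a squatter.
    """
    flagged = []
    for local, dom in _ADDR_RE.findall(header_value):
        if dom.lower().strip(".") in candidates:
            flagged.append(f"{local}@{dom}")
    return flagged


CANDIDATES = doppelganger_candidates(LEGIT_DOMAINS)

# Constructed sample header: one correct internal address, one dot-dropped typo,
# one unrelated external partner.
SAMPLE_TO = 'Alice <alice@us.example.com>, bob@usexample.com, "Carol" <carol@partner.test>'

if __name__ == "__main__":
    print(f"{len(CANDIDATES)} candidate doppelganger domains, e.g. {sorted(CANDIDATES)[:5]}")
    print("flagged recipients:", flag_recipients(SAMPLE_TO, CANDIDATES))
```

The same candidate list is what you would hand to a DNS sinkhole or to a registrar for defensive registration; the outbound check only catches your own users' typos, so, as noted above, it does nothing for mail that external parties mistype towards your domain.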
This is a somewhat hard problem to fix, since most people will mistype some of the addresses they send to. Still, we should educate users to watch for this type of attack and to validate that they are talking with the right person before sending sensitive information.