Don’t turn off the spell checker in your email software!

Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months.

The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.

“Twenty gigs of data is a lot of data in six months of really doing nothing,” said researcher Peter Kim from the Godai Group. “And nobody knows this is happening.”

Well – truly conscientious IT departments are aware of the problem.

Doppelganger domains are ones that are spelled almost identically to legitimate domains, but differ slightly, such as a missing period separating a subdomain name from a primary domain name — as in the case of seibm.com as opposed to the real se.ibm.com domain that IBM uses for its division in Sweden.

Kim and colleague Garrett Gee, who released a paper this week (.pdf) discussing their research, found that 30%, or 151, of Fortune 500 companies were potentially vulnerable to having e-mail intercepted by such schemes, including top companies in consumer products, technology, banking, internet communication, media, aerospace, defense, and computer security…

The e-mails they collected included one that listed the full configuration details for the external Cisco routers of a large IT consulting firm, along with passwords for accessing the devices. Another e-mail going to a company outside the U.S. that manages motorway toll systems provided information for obtaining full VPN access into the system that supports the road tollways. The e-mail included information about the VPN software, usernames, and passwords.

One e-mail contained contracts for oil barrel sales from the Middle East to large oil firms; another contained a daily report from a large oil firm detailing the contents of all of its tankers that day. A third e-mail included ECOLAB reports for a popular restaurant, including information about problems the restaurant was having with mice. ECOLAB is a Minnesota-based firm that provides sanitizing and food safety products and services to companies.

Company information wasn’t the only data at risk of interception. The researchers were also able to gather a wealth of employee personal data, including credit card statements and information that would help someone access an employee’s online bank accounts…

Kim said that out of the 30 doppelganger domains they set up, only one company noticed when they registered the domain and came after them threatening a lawsuit unless they released ownership of it, which they did. He also said that out of the 120,000 e-mails that people had mistakenly sent to their doppelganger domains, only two senders indicated they were aware of the mistake.

Sad thing is – this ain’t anything new. Keeping an eye out for typo-squatters is something a security conscious IT department includes in their daily repertoire.

I discussed this with my favorite banking IT person and they made the point that a significant number of users don’t comprehend the difference between an intranet and the Internet. They’re liable to send confidential info in an unencrypted email because it’s just a “casual” request from someone else who works for the same firm. Filtering for sensitive topics is a necessity – requiring a live human being to peer at content and address before releasing a questionable email into the wild.

2 thoughts on “Don’t turn off the spell checker in your email software!

  1. Linear Fix says:

    Shows the importance of checking the domain name when sending.Email web services should try to verify that domains are owned by the correct company by using certificates. I think GMail does this to a certain extent.

    • moss says:

      Good as long as the certificates are legit. Hasn’t been a problem especially in the past – but, note the quickest and easiest fix from Apple for OS X users to deal with the slipshod management at DigiNotar – whose certificates were stolen – was to block them altogether.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.