Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months.
The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.
“Twenty gigs of data is a lot of data in six months of really doing nothing,” said researcher Peter Kim from the Godai Group. “And nobody knows this is happening.”
Well – truly conscientious IT departments are aware of the problem.
Doppelganger domains are ones that are spelled almost identically to legitimate domains, but differ slightly, such as a missing period separating a subdomain name from a primary domain name — as in the case of seibm.com as opposed to the real se.ibm.com domain that IBM uses for its division in Sweden.
Kim and colleague Garrett Gee, who released a paper this week (.pdf) discussing their research, found that 30%, or 151, of Fortune 500 companies were potentially vulnerable to having e-mail intercepted by such schemes, including top companies in consumer products, technology, banking, internet communication, media, aerospace, defense, and computer security…
The e-mails they collected included one that listed the full configuration details for the external Cisco routers of a large IT consulting firm, along with passwords for accessing the devices. Another e-mail going to a company outside the U.S. that manages motorway toll systems provided information for obtaining full VPN access into the system that supports the road tollways. The e-mail included information about the VPN software, usernames, and passwords.
One e-mail contained contracts for oil barrel sales from the Middle East to large oil firms; another contained a daily report from a large oil firm detailing the contents of all of its tankers that day. A third e-mail included ECOLAB reports for a popular restaurant, including information about problems the restaurant was having with mice. ECOLAB is a Minnesota-based firm that provides sanitizing and food safety products and services to companies.
Company information wasn’t the only data at risk of interception. The researchers were also able to gather a wealth of employee personal data, including credit card statements and information that would help someone access an employee’s online bank accounts…
Kim said that out of the 30 doppelganger domains they set up, only one company noticed when they registered the domain and came after them threatening a lawsuit unless they released ownership of it, which they did. He also said that out of the 120,000 e-mails that people had mistakenly sent to their doppelganger domains, only two senders indicated they were aware of the mistake.
Sad thing is – this ain’t anything new. Keeping an eye out for typo-squatters is something a security-conscious IT department includes in its daily repertoire.
I discussed this with my favorite banking IT person and they made the point that a significant number of users don’t comprehend the difference between an intranet and the Internet. They’re liable to send confidential info in an unencrypted email because it’s just a “casual” request from someone else who works for the same firm. Filtering for sensitive topics is a necessity – requiring a live human being to peer at content and address before releasing a questionable email into the wild.
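A defender-side check for the missing-dot doppelganger pattern described above (se.ibm.com versus seibm.com), added here as an example and not the Godai Group's or any company's code: it generates the doppelganger domains of an organisation's own mail subdomains and flags outbound recipients that use one, so the message can be held for the human review the paragraph calls for. The subdomain list and the recipient addresses are constructed for the example.

```python
from __future__ import annotations
from itertools import combinations

# Constructed list of the subdomains an organisation legitimately sends mail to;
# in practice this comes from the company's own DNS/mail inventory.
LEGIT_SUBDOMAINS = ["se.ibm.com", "uk.ibm.com", "mail.corp.example.com"]


def doppelganger_domains(fqdn: str) -> set[str]:
    """Every domain made by deleting one or more of the dots that separate
    subdomain labels (se.ibm.com -> seibm.com). The final dot before the TLD
    is kept, since dropping it would not yield a domain in the same TLD."""
    labels = fqdn.lower().split(".")
    removable = len(labels) - 2  # dots that may be dropped: all but the last
    results = set()
    for k in range(1, removable + 1):
        for dropped in combinations(range(removable), k):
            parts = []
            for i, label in enumerate(labels):
                if i > 0 and (i - 1) in dropped:
                    parts[-1] += label  # glue this label onto the previous one
                else:
                    parts.append(label)
            results.add(".".join(parts))
    return results


def build_watchlist(subdomains: list[str]) -> dict[str, str]:
    """Map each doppelganger domain to the legitimate domain it imitates."""
    return {dg: fqdn.lower() for fqdn in subdomains
            for dg in doppelganger_domains(fqdn)}


def flag_recipients(recipients: list[str], watchlist: dict[str, str]) -> list[tuple[str, str]]:
    """Return (address, imitated_domain) for each recipient whose domain is on
    the watchlist, so the message can be held for review instead of sent."""
    flagged = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].strip().lower()
        if domain in watchlist:
            flagged.append((addr, watchlist[domain]))
    return flagged


WATCHLIST = build_watchlist(LEGIT_SUBDOMAINS)

if __name__ == "__main__":
    # Constructed outbound recipient list; two addresses are misaddressed.
    sample = ["anna@se.ibm.com", "bob@seibm.com", "carol@mail.corpexample.com"]
    for addr, real in flag_recipients(sample, WATCHLIST):
        print(f"HOLD {addr}: doppelganger of {real}")
```

The same watchlist doubles as the set of domains worth registering defensively or monitoring in WHOIS and DNS for third-party registration.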