Typosquatting: Use of Doppelganger Domains to Steal Data

We often mistype domain names when searching the web or trying to reach a website. For example, instead of gmail.com we may type gamil.com, or icicibank may be typed as icici bank. Researchers have now shown that by registering ‘doppelganger’ domains (from the German word for a duplicate or double) it is possible to steal information. An extract of the article is included below.

Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months.
The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.

Doppelganger domains are ones that are spelled almost identically to legitimate domains, but differ slightly, such as a missing period separating a subdomain name from a primary domain name – as in the case of seibm.com as opposed to the real se.ibm.com domain that IBM uses for its division in Sweden.

It was found that 30 percent, or 151, of Fortune 500 companies were potentially vulnerable to having e-mail intercepted by such schemes, including top companies in consumer products, technology, banking, internet communication, media, aerospace, defense, and computer security. The researchers also discovered that a number of doppelganger domains had already been registered for some of the largest companies in the U.S. by entities that appeared to be based in China, suggesting that snoops may already be using such accounts to intercept valuable corporate communications.

Companies that use subdomains — for example, for divisions of the firm located in different countries – are vulnerable to such interception and can have their mail intercepted when users mistype a recipient’s e-mail address. All an attacker has to do is register a doppelganger domain and configure an e-mail server to be a catch-all to receive correspondence addressed to anyone at that domain. The attacker relies on the fact that users will always mistype a certain percentage of e-mails they send.

To test the vulnerability, the researchers set up 30 doppelganger accounts for various firms and found that the accounts attracted 120,000 e-mails in the six-month testing period. The e-mails they collected included one that listed the full configuration details for the external Cisco routers of a large IT consulting firm, along with passwords for accessing the devices. Another e-mail going to a company outside the U.S. that manages motorway toll systems provided information for obtaining full VPN access into the system that supports the road tollways. The e-mail included information about the VPN software, usernames, and passwords. The researchers also collected an assortment of invoices, contracts and reports in their stash. One e-mail contained contracts for oil barrel sales from the Middle East to large oil firms; another contained a daily report from a large oil firm detailing the contents of all of its tankers that day.

Company information wasn’t the only data at risk of interception. The researchers were also able to gather a wealth of employee personal data, including credit card statements and information that would help someone access an employee’s online bank accounts.

All of this information was obtained passively by simply setting up a doppelganger domain and e-mail server. But someone could also do a more active man-in-the-middle attack between entities at two companies known to be corresponding. The attacker could set up doppelganger domains for both entities and wait for mistyped correspondence to come in to the doppelganger server, then set up a script to forward that e-mail to the rightful recipient.

For example, the attacker could purchase doppelganger domains for uscompany.com and usbank.com. When someone from us.company.com mistyped an e-mail addressed to usbank.com instead of us.bank.com, the attacker would receive it, then forward it on to us.bank.com. As long as the recipient didn’t notice the e-mail came from the wrong address, he would reply back to it, sending his reply to the attacker’s uscompany.com doppelganger domain. The attacker’s script would then forward the correspondence to the correct account at us.company.com.

Some companies protect themselves from doppelganger mischief by buying up commonly mistyped variations of their domain names or having identity management companies buy the names for them. But the researchers found that many large companies that use subdomains had failed to protect themselves in this way. And as they saw, in the case of some companies, doppelganger domains had already been snatched up by entities who all appeared to be in China – some of whom could be traced to past malicious behavior through e-mail accounts they had used before.

Some of the companies whose doppelganger domains have already been taken by entities in China included Cisco, Dell, HP, IBM, Intel, Yahoo and Manpower. For example, someone whose registration data suggests he’s in China registered kscisco.com, a doppelganger for ks.cisco.com. Another user who appeared to be in China registered nayahoo.com – a variant of the legitimate na.yahoo.com (a subdomain for Yahoo in Namibia).

Companies can mitigate the issue by buying up any doppelganger domains that are still available for their company. But in the case of domains that may already have been purchased by outsiders, it is recommended that companies configure their networks to block DNS and internal e-mails sent by employees that might get incorrectly addressed to the doppelganger domains. This won’t prevent someone from intercepting e-mail that outsiders send to the doppelganger domains, but at least it will cut down on the amount of e-mail the intruders might grab.
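As an added illustration of the dot-dropping pattern described above and of the blocking mitigation (example code written for this page, not from the researchers or the article): the function derives the doppelganger of each legitimate subdomain a company uses, and the resulting watchlist is then run over constructed outbound-mail log lines to flag messages that would have leaked. The log format, sender names and example-corp.com are assumptions; the subdomains are the ones named in the article.

```python
from typing import Dict, List, Optional, Tuple

def doppelganger_of(fqdn: str) -> Optional[str]:
    """Drop the dot between the first label and the rest: se.ibm.com -> seibm.com.
    A bare registrable domain such as ibm.com has no separator to drop, so None."""
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 3:
        return None
    return labels[0] + ".".join(labels[1:])

def build_watchlist(legit_subdomains: List[str]) -> Dict[str, str]:
    """Map each doppelganger domain back to the legitimate subdomain it mimics.
    The keys are what you would register, sinkhole in DNS, or reject in the MTA."""
    watch: Dict[str, str] = {}
    for fqdn in legit_subdomains:
        d = doppelganger_of(fqdn)
        if d:
            watch[d] = fqdn.lower()
    return watch

def check_recipient(address: str, watch: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (doppelganger, legitimate) when the recipient domain is on the watchlist."""
    if "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1].lower().strip(".")
    return (domain, watch[domain]) if domain in watch else None

# Constructed sample log lines (not real traffic): one correctly addressed
# message and two that were typed without the subdomain dot.
SAMPLE_LOG = [
    "2011-09-08T10:01:02 from=alice@example-corp.com to=bob@se.ibm.com status=sent",
    "2011-09-08T10:05:44 from=alice@example-corp.com to=carol@seibm.com status=sent",
    "2011-09-08T10:07:13 from=dave@example-corp.com to=eve@kscisco.com status=sent",
]

def scan_log(lines: List[str], watch: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (sender, recipient, legitimate_domain) for each misaddressed message."""
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        to = fields.get("to", "")
        match = check_recipient(to, watch)
        if match:
            hits.append((fields.get("from", ""), to, match[1]))
    return hits

if __name__ == "__main__":
    watchlist = build_watchlist(["se.ibm.com", "ks.cisco.com", "na.yahoo.com"])
    for sender, to, legit in scan_log(SAMPLE_LOG, watchlist):
        print(f"misaddressed: {sender} -> {to} (should be {legit})")
```

The watchlist keys can be fed to an internal DNS sinkhole or an MTA recipient-rejection table so that such messages are bounced to the sender rather than delivered to whoever holds the doppelganger domain.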
