Protect your corporate data from email honeypot scam

Researchers found they could collect sensitive corporate email by simply registering domain names that are slightly misspelled

Garrett Gee and Peter Kim at GodaiGroup found that a small investment in time and money could reap unexpected rewards with a simple, low-tech email honeypot technique that involves something they call "Doppelganger Domains."

Over the years there have been many reports of unscrupulous characters registering slightly misspelled domain names. Companies have responded by taking over (or taking back) these domains from so-called "typosquatters." For example, the folks at GoDaddy ensure that godadfy.com gets redirected to godaddy.com. There are numerous websites that will help you generate and look up misspelled versions of your legitimate domain name.

The technique that Gee and Kim used also involves typosquatting, but in a very precise way. They registered 30 domains that differ from legitimate subdomains only by dropping a dot. So, for example, if they found commonly used email addresses at us.somecompany.com, they registered the domain ussomecompany.com, without the intervening dot. Then they simply collected all of the email directed to @ussomecompany.com. After analyzing email that used the domain names of the Fortune 500 companies, they concluded that 151 of those companies are susceptible.

Over the course of six months, they collected 20GB of email -- 120,000 messages. Included in the haul: "trade secrets, business invoices, employee PII, network diagrams, usernames and passwords, etc."

Most frightening, they also found that several of these Doppelganger Domains had already been registered: usintel.com, for example, isn't registered to Intel, it's registered to someone with a Gmail account; demanpower.com isn't registered to manpower.com, it's registered to someone with an email account at 163.com, a site that crops up over and over again in malware lists.

If your company uses subdomains for email addresses, it would be well worth your while to take a look at the report, and perhaps take advantage of the authors' offer to perform a free domain scan to see if your domain is vulnerable to this kind of attack. Suffice it to say that if your company uses any subdomains for email addresses, your domain is most certainly vulnerable.


nb : images.infoworld