Typo-squatting domains can harvest corporate emails

Typo-squatting domains might easily be used to intercept misdirected corporate emails, according to new research. Domain typo‐squatting has long been used as a means to expose butter-fingered users who accidentally misspell a legitimate domain to malware. So-called doppelganger domains take advantage of an omission instead of …

COMMENTS

This topic is closed for new posts.
  1. Cormu
    Facepalm

    wouldn't encrypted email solve this ?

    1. PyLETS
      Thumb Down

      @Cormu

      It could in theory, but it won't in practice, because few will use encrypted emails and these users will only be able to talk to each other and not those who don't use encryption. Bit like asking everyone to learn and talk Esperanto: a great idea, but highly impractical. Also, even if everyone did upgrade to compatible encryption, you then have the same problem with typo-squat domains issuing look-alike crypto key identities, and even if you use DNSSEC to validate these domains and keys, the typo-squat domains will still validate using a near-identical chain. The fact that joe@micorsoft.com is a different identity to joe@microsoft.com will simply shift the problem of getting the email address right to one of getting the key identity right.

  2. Anonymous Coward
    Anonymous Coward

    welcome to 1988

    re: Cormu. Only if the encryption is very strong, and is unique to each email message; otherwise, once a sender's encryption is broken, all of their future email is readable.

    This has been an issue since 1988 or earlier. It also demonstrates that the extra text stuffed into every corporate email message admonishing recipients that if they weren't the intended recipient they have to report the receipt and delete the message... are a waste of time.

    1. Snafu 2

      >This has been an issue since 1988 or earlier.

      Try 1944 or earlier - it's the method used to break Enigma & similar

      >it also demonstrates that the extra text stuffed into every corporate email message admonishing recipients that if they weren't the intended recipient they have to report the receipt and delete the message... are a waste of time.

      Yup - on both sides, in many different ways. But I won't open that can of worms (hah!) here, just acknowledge that it exists.

  3. Cthonus

    Does seem to be case of research proving the bleedin' obvious.

    1. Anonymous Coward
      Anonymous Coward

      Indeed

      Yes, indeed. The company I used to work for ran a web site on a server which came with email reception switched on "for free". After running some tests with the MX records for one of the domain names we didn't normally use, I noticed e-mails of a distinctly legal and confidential variety arriving. Turns out that there is a law firm in London with a name composed of two surnames which are very similar to the surnames that made up our company name. There was a difference of only two characters being swapped. I killed the MX records and forwarded the emails to the correct recipient, explaining what had happened and suggesting they might like to warn their clients to be more careful. They never replied.

  4. Will's

    Slow friday

    In other news, I can open letters delivered to my house but not intended for me when sloppy senders use my address rather than someone else's.

  5. Mikel
    FAIL

    Had this happen to me once accidentally

    Picked a likely name for a blog, set up a site, all mail forwarded to my regular address.

    First day got thousands of emails from servers all over the planet. Turns out some enterprise server backup vendor had mistyped the domain name to send the backup logs to in their example configuration. And end users were using it unmodified. Awkward.

  6. BrownishMonstr

    Validation

    In a corporate environment couldn't they just validate email addresses against a list of known addresses? Outlook, as in the one corporations like universities use, does this.

  7. Anonymous Coward
    Anonymous Coward

    I bought a domain with the same name as our local council, except that mine was the .org.uk and theirs was the .gov.uk - and discovered that some council employees did not know their own domain name. They even printed a booklet for council tenants with an email address repairs@ my domain so I started to get requests to go round and fix the odd dripping tap. (I did forward these on.)

  8. James Woods

    Reminds me of my previous life in the aerospace industry.

    Our company and their genius IT guys did what they could to keep the exchange servers online so it wasn't a surprise that our e-mails would always contain a disclaimer about the contents of the message and no delivery guarantee.

    Now I can agree the masses won't use encrypted e-mail, but for corporate America it's a no-brainer. There is no guessing with delivery (even with unencrypted e-mail); however, it is possible for spam filters to get in the way of things.

    There was no reason for us to use plain text or HTML e-mail. It also may have been helpful to have some shredders around and not use the waste can for e-mails we printed.

    But I wasn't a decision maker, and while I'm out of that world I'm sure it hasn't changed all that much. When things fall apart don't worry, because SMB will take the blow while the big fish continue to muck up the waters.

  9. Anonymous Coward
    Anonymous Coward

    Sounds like a great idea...

    Create a typo-squatter style domain and wait for first mis-addressed email to come in. Create a second typo-squatter domain very similar to that of the sender. Proceed as man-in-the-middle forwarding on the emails but 'from' your typo-squatter domains. The correspondents might send a whole series of emails before they twig what is happening. Mwahaha!

    1. Robert Carnegie
      Joke

      Do I misunderstand,

      because you seem to be describing sending forged e-mails back and forth only to yourself on your other false server... that can't be right, but it would account for the real people not noticing what you're doing! Until you yourself mistype and send to the real address...

  10. Anonymous Coward
    Anonymous Coward

    Seen it happen many times

    We have typosquatters doing this with our web site addresses, email domains, and even having bogus ssh servers to catch out server admins (our internal network is routeable). The latter is no use to them though as we use 2-factor auth :).

    With the email domains, our outbound gateway specifically catches the typo domains and auto-corrects them, re-routing the email to the correct place, preventing the opportunists from harvesting internal stuff at least.

    Anon because, well, we like you to think we're secure.
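The outbound-gateway check described in the comment above (and the "validate against a list of known addresses" idea in comment 6) can be sketched in a few dozen lines. The following is an added illustration, not code from The Register or from any commenter's organisation: it compares each recipient's domain against a constructed list of trusted domains using an edit distance that counts the typos the thread mentions (a swapped pair of characters, an omitted dot or letter, a wrong letter) and holds near-miss recipients for review with a suggested correction rather than silently rewriting them. The trusted domains, recipient addresses and the `max_distance` threshold are all assumptions chosen for the example.

```python
"""Outbound recipient check: catch look-alike (typo-squat) destination domains.

Added example. TRUSTED_DOMAINS and every address below are constructed for
illustration; a real gateway would load its own list of corporate and partner
domains.
"""
from typing import Optional

# Constructed list of domains mail is legitimately expected to go to.
TRUSTED_DOMAINS = {"example.com", "us.example.com", "corp-partner.co.uk"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertion, deletion, substitution and the
    transposition of two adjacent characters (optimal string alignment form).
    'micorsoft' -> 'microsoft' is therefore one edit, as is 'usexample.com'
    -> 'us.example.com' (the omitted-dot "doppelganger" case)."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def closest_trusted(domain: str, max_distance: int = 1) -> Optional[str]:
    """Return the trusted domain that `domain` looks like, or None when the
    domain is itself trusted or is not within `max_distance` edits of any."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return None
    best, best_dist = None, max_distance + 1
    for trusted in sorted(TRUSTED_DOMAINS):  # sorted for deterministic ties
        dist = damerau_levenshtein(domain, trusted)
        if dist < best_dist:
            best, best_dist = trusted, dist
    return best


def check_recipient(address: str) -> dict:
    """Gateway decision for one recipient: deliver, quarantine (with the
    suggested corrected address) or reject a malformed address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return {"address": address, "action": "reject", "reason": "malformed address"}
    lookalike = closest_trusted(domain)
    if lookalike is None:
        return {"address": address, "action": "deliver", "reason": None}
    return {
        "address": address,
        "action": "quarantine",
        "reason": f"domain {domain!r} is within one edit of trusted {lookalike!r}",
        "suggested": f"{local}@{lookalike}",
    }


if __name__ == "__main__":
    # Constructed sample recipients for a quick run.
    for addr in ("joe@example.com", "joe@exmaple.com", "joe@usexample.com",
                 "joe@unrelated.org", "not-an-address"):
        print(check_recipient(addr))
```

Holding the message and offering the corrected address is the conservative choice: an auto-rewrite as described in the comment is convenient, but it also means a genuinely new partner whose domain happens to sit one edit away from a trusted one would have its mail silently redirected. Raising `max_distance` above 1 widens the net but increases such false positives quickly, so the threshold should be tuned against the organisation's real recipient list.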

  11. Jeremy 2
    FAIL

    In other words...

    ...If you don't write the address properly, the email might go to somebody else!

    /faints with surprise
