Typosquatting: One Typo Can Create Online Security Breach

Typosquatting is a looming problem for the email security of major….

Wait a minute. Typo-what?

Typosquatting is the practice of grabbing up Internet names that are very close to other, widely-used ones, and it’s been done for years. (If a politician starts a campaign website — say, JohnDoe.com — he’d better register JohnDoeStinks.com before an opponent does.)

Researchers Peter Kim and Garrett Gee tried something slightly different. They bought 30 Internet addresses that were close to the names of major Fortune 500 companies — addresses only slightly different from what those companies might use for internal business or their overseas subsidiaries. For instance, knowing that Dell, the computer maker, does business in China, they say they could easily have bought http://chndell.com. That would be a big deal to the company if its Chinese website was http://chn.dell.com. Note the difference — nothing more than a single dot.

Having done this bit of typosquatting, the researchers report, they set up bare-bones websites at those addresses, then sat back and watched for six months — while people mistakenly sent them 120,000 emails. Many of them included trade secrets, passwords, and personal information about employees.

The Dell example, they take pains to say, is fictitious, but the 120,000 emails, with 20 GB of data, were not. Presumably, people were trying to send emails to the companies Gee and Kim watched, and making tiny typos with big consequences.

“Each company in the Fortune 500 was profiled for susceptibility to Doppelganger Domains and 151 companies (or 30%) were found to be susceptible,” they report. “In large corporations, email usage is extremely high which dramatically increases the likelihood of mis-sent emails and data leakage.”

The security firm Sophos took note of the report this morning and reminded companies to use passwords, encryption, etc. It also suggested that companies buy up the most common misspellings of their online addresses. But it conceded you can’t stop people from making typos.
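For a mail administrator, the missing-dot pattern described above can be turned into a list of domains to register and to check outbound mail against. The sketch below is an added example, not code from the article or from the researchers' report; the host names and addresses are constructed, and it assumes a two-label registrable domain (a name under a suffix such as co.uk would need the Public Suffix List instead).

```python
# Added example: derive the "doppelganger" of each of an organisation's own
# subdomains (the name with the dot before the registrable domain dropped)
# and flag outbound recipients addressed to one of them.

def doppelganger_of(fqdn, registrable_labels=2):
    """chn.example.com -> chnexample.com; None when there is no subdomain.

    registrable_labels=2 is an assumption (example.com style names).
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) <= registrable_labels:
        return None
    sub, base = labels[:-registrable_labels], labels[-registrable_labels:]
    # Only the dot next to the registrable domain matters: dropping any
    # other dot still yields a name inside the organisation's own zone.
    merged = sub[-1] + base[0]
    return ".".join(sub[:-1] + [merged] + base[1:])


def build_watchlist(own_hosts):
    """Map each doppelganger domain to the legitimate host it imitates."""
    watch = {}
    for host in own_hosts:
        twin = doppelganger_of(host)
        if twin:
            watch[twin] = host
    return watch


def flag_recipients(recipients, watchlist):
    """Return (address, intended_host) for mail headed to a doppelganger."""
    hits = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower().rstrip(".")
        if domain in watchlist:
            hits.append((addr, watchlist[domain]))
    return hits


# Constructed sample data.
OWN_HOSTS = ["chn.example.com", "us.example.com", "example.com",
             "mail.eu.example.com"]
OUTBOUND = ["alice@chn.example.com", "bob@chnexample.com",
            "carol@USexample.com", "dave@partner.test"]

if __name__ == "__main__":
    watchlist = build_watchlist(OWN_HOSTS)
    for addr, intended in flag_recipients(OUTBOUND, watchlist):
        print(f"HOLD {addr}: probably meant for {intended}")
```

The same watchlist doubles as the shortlist of names to register defensively.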

Gee and Kim run a small information security firm called Godai Group, and they cheerfully offer to help firms close the loophole they found. But if they uncovered that one, what else is out there?