Typosquatting is a form of domain abuse that has been around for years. A cybercriminal intentionally registers a domain name that closely resembles a well-known website in order to take advantage of common typos by internet users. Users who unknowingly type a typosquatted domain end up at an entirely different site. That site may be full of advertising links or, worse, an exact copy of the real one, designed to harvest passwords or credit card details from unsuspecting users.
A typosquatter thus takes advantage of users who mistype a domain name when browsing to a website or sending email.
Security consultancy Godai Group recently uncovered the use of a specific type of typosquat, which it has named a “doppelganger domain”. It is designed to collect confidential information via email-based attacks. A doppelganger domain is not misspelled; instead it is missing the dot between the subdomain and the domain. An example would be “mailyahoo.com”, which targets Yahoo’s mail service “mail.yahoo.com”. The researchers found that 30% of the Fortune 500 (151 corporations) were susceptible to doppelganger domain-based attacks.
To demonstrate just how exposed companies are, the researchers bought 30 doppelganger domains relating to Fortune 500 companies. Over six months these domains received more than 120,000 individual emails (about 20 gigabytes of data), including sensitive information such as trade secrets, business invoices, employee login credentials and network diagrams. The information was collected through a passive attack: the attacker configures a mail server with a catch-all mailbox for the doppelganger domain, so every message mistakenly addressed to it is silently delivered to the attacker, with no further interaction required.
After reviewing the WHOIS information, Godai Group notes that many doppelganger domains are registered to locations in China, and warns that many of these domains are already associated with malware and phishing.
How to address the security risk posed by doppelganger domains?
Corporations can obviously purchase the relevant domain names preemptively or, if a domain is already held by a third party, file a domain dispute.
Alternatively, internal users can be prevented from sending mistyped emails to doppelganger domains, either by configuring internal DNS not to resolve those domains or by configuring the outbound mail server to reject messages addressed to them. Note that this protects only mail leaving the organisation; mail that outsiders mistakenly send to a doppelganger domain can only be stopped by owning the domain itself.
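The following Python script is an added example, not code from the Godai Group report or any product it describes. It ties together the two technical points above: it derives the doppelganger domains for an organisation's own mail subdomains by removing the dot in front of the registrable domain (mail.example.com becomes mailexample.com), then uses that list to screen outbound recipients and to emit the two blocking configurations mentioned in the text, a BIND response-policy zone for the internal resolver and a Postfix access table for the outbound relay. The organisation names, subdomains and recipient addresses are constructed for illustration.

```python
# Added example (not from the Godai Group report): build the doppelganger
# domains for an organisation's own mail subdomains, then use the list to
# (a) screen outbound recipients and (b) emit DNS RPZ / Postfix access rules.
from __future__ import annotations

# Constructed sample input. Hypothetical names standing in for a company's
# registrable domains and the subdomains that appear in its e-mail addresses.
ORG_DOMAINS = ["example.com", "example.co.uk"]
SUBDOMAINS = ["mail", "us", "eu", "corp"]


def doppelgangers(domain: str, subdomains: list[str]) -> set[str]:
    """Doppelganger domains of `domain`: `sub.domain` with the dot between the
    subdomain and the registrable domain removed (mail.example.com ->
    mailexample.com). The same rule applies to multi-label suffixes
    (us.example.co.uk -> usexample.co.uk)."""
    return {f"{sub}{domain}".lower() for sub in subdomains}


def build_blocklist(domains: list[str], subdomains: list[str]) -> set[str]:
    """Union of the doppelganger domains over all of the organisation's domains."""
    out: set[str] = set()
    for d in domains:
        out |= doppelgangers(d, subdomains)
    return out


BLOCKLIST = build_blocklist(ORG_DOMAINS, SUBDOMAINS)


def recipient_domain(address: str) -> str:
    """Domain part of an e-mail address, normalised (lower case, no trailing dot)."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def is_doppelganger_recipient(address: str, blocklist: set[str]) -> bool:
    """True if the recipient domain is a doppelganger domain or any host under
    one, so smtp.mailexample.com is caught as well as mailexample.com."""
    labels = recipient_domain(address).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def screen_outbound(recipients: list[str], blocklist: set[str]) -> tuple[list[str], list[str]]:
    """Split an outbound recipient list into (allowed, blocked)."""
    blocked = [r for r in recipients if is_doppelganger_recipient(r, blocklist)]
    allowed = [r for r in recipients if r not in blocked]
    return allowed, blocked


def rpz_zone(blocklist: set[str]) -> str:
    """BIND response-policy-zone records that make each doppelganger name, and
    everything under it, return NXDOMAIN from the internal resolver."""
    lines = []
    for d in sorted(blocklist):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


def postfix_access_map(blocklist: set[str]) -> str:
    """Postfix check_recipient_access table keyed by recipient domain. Build it
    with postmap and reference it from smtpd_recipient_restrictions on the
    outbound relay; matching of subdomains is governed by
    parent_domain_matches_subdomains."""
    return "".join(f"{d} REJECT Possible doppelganger domain, check the address\n"
                   for d in sorted(blocklist))


if __name__ == "__main__":
    # Constructed outbound recipients: one correct address, one with the dot
    # dropped, and one host under a doppelganger domain.
    sample = ["alice@mail.example.com", "bob@mailexample.com", "carol@smtp.usexample.co.uk"]
    allowed, blocked = screen_outbound(sample, BLOCKLIST)
    print("allowed:", allowed)
    print("blocked:", blocked)
    print(rpz_zone(BLOCKLIST))
    print(postfix_access_map(BLOCKLIST))
```

The recipient check walks every parent of the recipient domain, so a blocklist of bare doppelganger domains also catches mail-exchanger style hostnames beneath them. Regenerate the list whenever a new mail-bearing subdomain is introduced; a doppelganger only exists for subdomains that actually appear in addresses people type.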
Whole report: http://godaigroup.net/publications/doppelganger-domains