September 12, 2011

Typo errors in email addresses could land corporates in hackers’ net

Sophos researchers capture 120,000 emails intended for Fortune 500 companies by exploiting a basic typo such as a missing dot

By CBR Staff Writer

Basic typo errors in email addresses could be exploited by hackers to gather sensitive information such as trade secrets of corporates, according to computer security company Sophos.

Security researchers found in a probe that cyber thieves could exploit typo errors such as a missing dot in an email address to grab as much as 20GB of data made up of 120,000 wrongly sent messages over a period of six months.

Companies use dots to separate the words in a subdomain, and a message usually bounces back to the sender if an address is typed with one of the dots missing. However, the researchers managed to net such emails by setting up similar doppelganger domains.

Web consultant Mark Stockley wrote on the blog of Sophos that it is striking that the researchers managed to capture so much information by focusing on just one common mistake.

"A determined attacker with a modest budget could easily afford to buy domains covering a vast range of organisations and typos," he said.

The company revealed that researchers have captured 120,000 emails intended for Fortune 500 companies by exploiting a basic typo. The emails included trade secrets, business invoices, personal information about employees, network diagrams and passwords.

Researchers Peter Kim and Garrett Gee did this by buying 30 Internet domains they thought people would send emails to by accident. The practice is known as typosquatting, said Stockley.


The domain names they chose were all identical to subdomains used by Fortune 500 companies – including Dell, Microsoft, Halliburton, PepsiCo and Nike – save for a missing dot. Users mistakenly sent them over 120,000 emails in six months.
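For a mail administrator, the missing-dot pattern described above can be turned into a watchlist for outbound mail. The sketch below is an added example, not code from the article or from the researchers; it assumes the caller supplies the company's registered domain (no public-suffix lookup is done), and every name under example.com is constructed.

```python
from typing import Iterable, List, Optional, Set, Tuple


def doppelganger(fqdn: str, registered: str) -> Optional[str]:
    """Domain reached when the dot between the last subdomain label and the
    registered domain is omitted; None if fqdn is not a proper subdomain."""
    fqdn = fqdn.lower().rstrip(".")
    registered = registered.lower().rstrip(".")
    suffix = "." + registered
    if not fqdn.endswith(suffix):
        return None  # the bare registered domain or an unrelated name
    # Only the label next to the registered domain matters: dropping any
    # other dot still leaves the name inside the company's own zone.
    label = fqdn[: -len(suffix)].rsplit(".", 1)[-1]
    return label + registered if label else None


def build_watchlist(subdomains: Iterable[str], registered: str) -> Set[str]:
    """Doppelganger domains to register defensively or block for outbound mail."""
    found = (doppelganger(s, registered) for s in subdomains)
    return {d for d in found if d}


def flag_recipients(recipients: Iterable[str],
                    watchlist: Set[str]) -> List[Tuple[str, str]]:
    """(address, doppelganger) pairs for recipients whose mail domain is,
    or sits under, a watched doppelganger domain."""
    hits = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower().rstrip(".")
        for watched in sorted(watchlist):
            if domain == watched or domain.endswith("." + watched):
                hits.append((addr, watched))
                break
    return hits


# Constructed sample data: internal mail subdomains and outbound recipients.
SUBDOMAINS = ["mail.example.com", "us.hr.example.com", "example.com"]
RECIPIENTS = ["alice@mail.example.com", "bob@mailexample.com",
              "carol@us.hrexample.com", "dave@example.org"]

if __name__ == "__main__":
    watch = build_watchlist(SUBDOMAINS, "example.com")
    for addr, dom in flag_recipients(RECIPIENTS, watch):
        print(f"hold {addr}: recipient domain falls under {dom}")
```
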

Stockley revealed that emails thus collected included "some worryingly sensitive corporate information, including: passwords for an IT firm’s external Cisco routers; precise details of the contents of a large oil company’s oil tankers; and VPN details and passwords for a system managing road tollways."

The researchers warn that such typosquatting could be easily turned into an even more dangerous man-in-the-middle attack. Such an attack would have allowed them to capture entire email conversations rather than just individual stray emails, said Stockley.

He said, "To perform a man-in-the-middle attack an attacker would simply forward copies of any emails they receive to the addresses they were supposed to go to in the first place. The forwarded emails would be modified to contain bogus return addresses owned by the attacker."

"By forwarding and modifying emails in this way the attacker establishes themselves as a silent relay between all the individuals in the conversation."

Last month, security firm F-Secure revealed that hackers used a targeted ‘job offer’ email to EMC employees to breach the security of RSA to steal military secrets from US arms supplier Lockheed-Martin earlier this year.

The hack attack on EMC-owned RSA in March is considered to be one of the biggest hacks in history.
