Typosquatting is a type of cybersquatting where cybercriminals register a domain name that closely resembles a well-known site or brand, often taking advantage of common typos people make while typing in URLs. Once a user unknowingly types in a typosquatted domain or uses a typosquatted domain in an email address, unintended events begin to happen.
Security consultancy Godai Group recently uncovered the use of specific type of typosquat – a “doppelganger domain” – to collect sensitive enterprise information via email-based attacks. A doppelganger domain is one that is not misspelled, but instead is missing a dot between the subdomain and domain. An example would be “mailyahoo.com,” which targets Yahoo!’s popular mail service “mail.yahoo.com.” The researchers found that 30% of the Fortune 500 (or 151 corporations) were susceptible to doppelganger domain-based attacks.
To demonstrate just how vulnerable companies are, the researchers bought 30 doppelganger domains relating to Fortune 500 companies. Over six months, over 120,000 individual emails (and 20 gigabytes of data) were captured by these domains along with sensitive information, such as trade secrets, business invoices, employee login credentials, network diagrams, etc. The information was collected through a passive attack, where the cybercriminal configures an email server to catch all email addressed to the typosquatted domain.
Godai Group also described another type of attack – a Man-in-the-Mailbox attack – which could leverage two doppelganger domains to intercept email communications between two companies. This type of attack would succeed if both email sender and recipient were unaware of the mistyped email domains.
Other recent findings by M86 Security and OpenDNS highlight attacks targeting consumers by leveraging typosquatted domains based on popular websites. M86 Security, for example, discovered at least 15 typosquatted domains targeting YouTube. OpenDNS came across a typosquatted domain targeting Twitter (which was still up at the time of this blog posting). If consumers mistakenly type in one of these typosquatted domains, they would enter either an online survey or dating website carrying the branding – as well as the trust – of the official site. The goal of these sites is to entice users to take a quick survey and provide their credentials in exchange for a prize. In the end, however, consumers often walk away with their credentials stolen, signing up for unwanted services, and possibly even malware on their computer.
So how can brands protect their employees and customers? Here’s a short list of recommendations:
- Proactively register defensive domains: if brands own doppelganger domains and other common misspelled domains names, the risk of these types of attacks is greatly reduced.
- Monitor for typosquatting abuse: brands should continuously monitor newly registered domain names for typo/cybersquatted names targeting their brands. Early detection allows brands to take action before significant damage is done.
- Take quick action: as typosquatted domain names (including doppelganger domains) are confusingly similar to trademarks, brands have good success in recovering these domains, either through cease-and-desist letters or UDRP.
- Educate employees and customers: if both audiences are made aware of these types of attacks which involve sophisticated social engineering techniques, then they will be less susceptible to them. Sending alerts while current attacks are live will help mitigate the impact as well.
- Modify DNS and Email Server configurations: corporations can either configure their internal DNS to not resolve any doppelganger domains or their mail servers to prevent any outbound emails from reaching doppelganger domains.