How 'doppelganger domains' steal data from e-mail

Mistyping an e-mail address could result in something a lot more serious than a bounce-back. It could send your information to a phony domain set up just for the purpose of taking advantage of typos, according to a new research paper

Researchers from the Godai Group set up what are called doppelganger domains — close imitations of legitimate domains — for all Fortune 500 companies, then sat back for six months to see what they would get.

In all, the researchers report, 151 of the companies were vulnerable to having e-mail misdirected. And in that six-month period, they collected 120,000 e-mails amounting to 20G of data, including trade secrets, business invoices, employees’ personal information, network diagrams, user names and passwords.


Related coverage:

How to counter sophisticated cyberattacks: Focus on the basics


“Essentially, a simple mistype of the destination domain could send anything that is sent over e-mail to an unintended destination,” write the researchers, Peter Kim and Garrett Gee.

Doppelganger domains are spelled the same as legitimate domains but are missing the dot between a subdomain and a domain, the researchers write. The 151 vulnerable companies use subdomains.

For example, windowsmicrosoft.com would be a doppelganger for windows.microsoft.com. E-mails directed to that domain but missing the period would be routed to the doppelganger site, potentially for malicious use. The attackers could then  cover their tracks by redirecting the e-mail to the legitimate domain.

Likewise, malicious e-mails could be sent from a doppelganger domain with the expectation that some users wouldn’t notice the missing dot and open the e-mail.

The research focused on Fortune 500 companies, but the vulnerability would apply to any organization that uses subdomains.

The general practice isn’t all that new, the researchers write. Domain typo-squatting — setting up domains based on expected misspellings — has been used to spread malware before. But using doppelgangers based on an omitted dot is a fairly new approach, though some operations appear to be employing it.

During the course of their research, Kim and Gee write, they found that some doppelganger domains for Fortune 500 companies had already been registered to locations in China, in addition to sites known for phishing and malware distribution.

“Twenty gigs of data is a lot of data in six months of really doing nothing,” Kim told Kim Zetter of Wired. “And nobody knows this is happening.”

Among the data collected in the e-mails, Wired reported, were configuration details and passwords for an IT consulting firm’s routers and virtual private network access information for a company that manages toll roads. They also collected a lot of personal information on employees, including credit card statements and bank account records.

The researchers’ paper recommended several steps for mitigating such attacks, including buying the doppelganger domains and configuring Domain Name System servers to stop outgoing e-mail from going to doppelganger domains.

They also advised vulnerable organizations to alert users, customers and business partners about the potential threat. “The more awareness they have on social engineering attacks, the less susceptible they will be,” they write.

Reader Comments

Mon, Sep 12, 2011 Gary webdomaininvesting.com

The GodaiGroup report also illustrates the man-in-the-mailbox scenario, whereby doppelganger domain urls for both the sending and receiving companies or agencies are used to intercept the communications going both ways. Who knows what havoc could result from a malevolent middleman modifying the e-mails themselves to ruin business and personal relationships, change quotes or invoices, or insert extraneous information. The report also lists some of the actual doppelganger domains showing the registrants to be from Chinese networks known for hosting malware and phishing sites.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above