New domains open new targets for doppelgangers, typo squatters
- By William Jackson
- Sep 16, 2011
The professional services firm Godai Group generated a lot of attention recently when it reported that it had been able to use a specific kind of domain typo-squatting to passively collect 20G of “interesting” data from Fortune 500 companies through misaddressed e-mails.
The company coined a name for the typo, doppelganger, which is the omission of a dot between a subdomain and the domain. This omission can turn the legitimate domain “us.company.com,” for example, into the completely new domain “uscompany.com,” which could be registered and exploited by a bad guy.
Godai Group came up with a way to do a man-in-the-middle e-mail attack by registering two doppelganger domains and then intercepting and forwarding any misdirected e-mail between the two. With a large enough volume of e-mail, it is likely that some misdirected e-mail eventually would come through to the doppelganger accounts, giving the bad guy a foothold.
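The dot omission described above is mechanical enough to enumerate, which is what a domain owner needs in order to register or monitor the variants and to catch misaddressed mail before it leaves. The following is an added example, not code from the article or from the Godai Group paper: it builds the doppelganger variants of an organization's own dotted mail domains (every internal dot dropped, one at a time, with the top-level dot kept) and uses the resulting watchlist to flag outbound recipients whose domain is one of those variants. All domain and address values are constructed placeholders.

```python
# Added example (not from the article or the Godai Group paper): enumerate
# doppelganger variants of an organization's own mail domains and flag outbound
# recipients that land on one of them. All domains and addresses below are
# constructed sample values.

# Constructed sample: the legitimate, dotted mail domains an organization uses.
LEGIT_DOMAINS = [
    "us.example-corp.com",
    "eu.example-corp.com",
    "mail.example-corp.co.uk",
]

# Constructed sample: recipients of outbound messages, as a mail gateway sees them.
SAMPLE_RECIPIENTS = [
    "alice@us.example-corp.com",     # correctly addressed
    "bob@usexample-corp.com",        # dot dropped: doppelganger of us.example-corp.com
    "carol@partner.example",         # unrelated third party
    "dave@hr.euexample-corp.com",    # doppelganger with an extra host label in front
]


def doppelganger_candidates(fqdn):
    """Return every name formed by deleting exactly one internal dot from fqdn.

    The final dot (before the top-level label) is left in place, because dropping
    it would not produce a name under any existing top-level domain.
    'us.example-corp.com' -> ['usexample-corp.com']
    """
    labels = fqdn.lower().strip(".").split(".")
    candidates = []
    # Dots sit between labels[i] and labels[i + 1]; the last one is at index len - 2.
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        candidates.append(".".join(merged))
    return candidates


def build_watchlist(legit_domains):
    """Map each doppelganger name back to the legitimate domain it imitates."""
    watchlist = {}
    for legit in legit_domains:
        for candidate in doppelganger_candidates(legit):
            watchlist[candidate] = legit.lower()
    return watchlist


def _matching_watch_entry(domain, watchlist):
    """Return the watchlist key equal to domain or to one of its parent domains, else None."""
    labels = domain.split(".")
    # Check the domain itself, then each shorter suffix
    # (hr.euexample-corp.com -> euexample-corp.com -> com).
    for start in range(len(labels)):
        suffix = ".".join(labels[start:])
        if suffix in watchlist:
            return suffix
    return None


def flag_misaddressed(recipients, watchlist):
    """Return (address, intended_domain) pairs for recipients on a doppelganger domain.

    A gateway would hold or bounce these instead of delivering them; here they are
    returned so the caller can decide.
    """
    flagged = []
    for address in recipients:
        _, at, domain = address.rpartition("@")
        if not at:
            continue  # not a routable address; skip rather than guess
        hit = _matching_watch_entry(domain.lower().strip("."), watchlist)
        if hit is not None:
            flagged.append((address, watchlist[hit]))
    return flagged


if __name__ == "__main__":
    watch = build_watchlist(LEGIT_DOMAINS)
    print("names to register or monitor:", sorted(watch))
    for address, intended in flag_misaddressed(SAMPLE_RECIPIENTS, watch):
        print(f"HOLD {address}: looks like {intended} with a dot dropped")
```

The same watchlist serves the inbound direction: checking a sender's domain against it catches replies that arrive from a doppelganger instead of the real partner domain. Names the generator produces that are not yet registered are the ones worth registering defensively; names already registered by someone else are candidates for the dispute process the article describes later.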
This is only the latest in a long history of domain games played by hackers, hacktivists and criminals, and the opportunities for problems are only likely to get worse as the number of available generic top-level domains expands.
A domain name not only is an online brand name, such as gcn.com, that can be valuable in its own right, but also is used by the Internet’s Domain Name System to direct Web page requests and e-mail. If someone gets ahold of your brand name or some variation of it close enough to fool users, they can mess with your reputation, interrupt or intercept your online traffic, and direct users to malicious sites.
The problem is well-known, and the bigger the brand name, the bigger the threat is likely to be. Four years ago, as the run-up to the 2008 presidential election was under way, Oliver Friedrichs, then director of emerging technology at Symantec Security Response, did a study of typo and cousin domains for some of the candidates. Typo domains are just that, a mistyping of a legitimate domain, and a cousin is a variation of a valid domain.
In 2007, Friedrichs found 242 registered typo domains and 2,287 registered cousin domains. Not surprisingly, the front-running candidates were the most frequently targeted. There were 58 Hillary Clinton typo sites registered, and 52 for Barack Obama. There were 566 Clinton cousin domains registered, and 337 Obama cousins. Ron Paul came in third on the cousin list with 276 phony domains registered.
“In analyzing our results, we found that many of the registered websites are registered for the purpose of driving traffic to advertising Web sites,” Friedrichs wrote in the book “Crimeware.” “We see that candidates have not done a good job at protecting themselves by proactively registering typo domains to eliminate potential abuse.”
There are other remedies than proactively registering typo and cousin domains. The Internet Corporation for Assigned Names and Numbers has adopted the Uniform Domain Name Dispute Resolution Policy, under which accredited domain-name registrars will cancel, transfer or change domain registrations that infringe on a third party or have been registered in bad faith or for unlawful purposes.
But with the domain space set to expand in the near future, opportunities for mistakes and misuse are likely to increase. ICANN this summer approved a plan to expand the number of generic top-level domains, which president Rod Beckstrom called “one of the biggest changes ever to the Domain Name System.” The first round of applications will be accepted from Jan. 12 through April 12, 2012. The approval process could take from nine to 20 months, so the first new TLDs probably will not begin appearing after the final dot in URLs until early 2013 at the soonest.
There are rules on registration to protect legitimate domain and trademark owners from domain squatters, so the new TLD space will not be a completely unregulated landscape. But the expansion of the domain space also will expand the opportunity for every trick and flaw in the system that is being exploited now.
The Godai Group paper on doppelgangers offers some tips to domain owners for mitigating attacks that also should work on other types of typos and cousin domains.
But for the foreseeable future, end users clicking links and typing addresses should use caution and double check their typing before hitting “send.”
William Jackson is a freelance writer and the author of the CyberEye blog.