Research from M86 Security and Godai Group highlights the importance of typing correct domain names when sending emails and surfing the Web.
Typosquatting is a widespread problem
on the Web, as scammers register domains similar to popular Websites to trick
users who accidentally mistype a domain name. Several recent Web security
studies suggest that Internet users need to be more careful about their typing
to avoid Web scams and getting compromised by malicious sites.
Researchers at the security consultancy
Godai Group set up domain names that were variations of legitimate Websites
belonging to Fortune 500 companies. Over the course of six months, the
researchers collected more than 120,000 individual emails containing trade
secrets, business invoices, employee personal identification information,
network diagrams, usernames and passwords, the researchers said in a report
released Sept. 6.
The domains used in the research were
not misspelled, but were missing the "dot" between the subdomain and
the domain in the address. For example, Yahoo uses "mail.yahoo.com"
for its mail service; a doppelganger domain would be "mailyahoo.com".
The attacker would purchase the
doppelganger domain and configure an email server as a catch-all account to
receive all messages to that domain, regardless of the username that the
message is addressed to. People often mistype email addresses when sending out
messages, and attackers rely on this natural human error to collect sensitive
information, the researchers wrote.
"Essentially, a simple mistype of
the destination domain could send anything that is sent over email to an
unintended destination," the authors wrote in the report.
About 30 percent, or 151, of the
Fortune 500 companies the researchers analyzed were susceptible to this kind of
man-in-the-mailbox attack, the report said. Researchers Peter Kim and Garrett
Gee recommended that organizations buy doppelganger domains as a preventive
measure against these kinds of attacks.
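The mechanism above (a dropped dot turns a subdomain into a registrable look-alike, and a catch-all mailbox then receives anything misaddressed to it) can be turned around into a defensive control. The following is an added example, not code from the Godai Group report or the article: it derives the missing-dot doppelgangers of an organization's own mail hostnames and uses them as an outbound watchlist so a mistyped recipient domain is held before the message leaves. The hostnames, addresses and messages are constructed samples.

```python
# Added example (not code from the Godai Group report or the article): build the
# "missing dot" doppelganger domains for an organization's own mail hostnames and
# use them as an outbound-mail watchlist, so a mistyped recipient domain is held
# before the message leaves. Hostnames and messages below are constructed samples.

from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: the legitimate mail hostnames of a fictional company.
LEGIT_HOSTS = ["mail.example.com", "corp.example.com", "us.hr.example.com"]


def doppelgangers(host: str) -> set:
    """Return the doppelganger domains of host: each internal dot removed one at
    a time, which is how 'mail.yahoo.com' turns into 'mailyahoo.com'.
    A bare registrable domain such as 'example.com' has no removable dot."""
    labels = host.lower().strip(".").split(".")
    variants = set()
    for i in range(len(labels) - 2):          # never merge into the TLD label
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants


def build_watchlist(hosts: Iterable[str]) -> Dict[str, str]:
    """Map every doppelganger domain to the legitimate hostname it imitates."""
    watch: Dict[str, str] = {}
    for host in hosts:
        for variant in doppelgangers(host):
            watch[variant] = host.lower()
    return watch


def imitated_host(address: str, watch: Dict[str, str]) -> Optional[str]:
    """Return the legitimate hostname a recipient's domain imitates, or None.
    Only the part after the last '@' matters: a catch-all mailbox accepts any
    local part, so the username gives no protection."""
    if "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1].strip().lower()
    return watch.get(domain)


# Constructed outbound log: (sender, recipient, subject).
OUTBOUND = [
    ("bob@mail.example.com", "alice@corp.example.com", "Q3 network diagram"),
    ("bob@mail.example.com", "alice@corpexample.com", "Q3 network diagram"),
    ("bob@mail.example.com", "vendor@partner.test", "Invoice 4411"),
]


def held_messages(messages: Iterable[Tuple[str, str, str]],
                  watch: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (recipient, imitated host, subject) for messages a mail gateway
    should hold for review instead of delivering."""
    held = []
    for _sender, recipient, subject in messages:
        legit = imitated_host(recipient, watch)
        if legit is not None:
            held.append((recipient, legit, subject))
    return held


if __name__ == "__main__":
    watchlist = build_watchlist(LEGIT_HOSTS)
    for entry in held_messages(OUTBOUND, watchlist):
        print("HOLD:", entry)
```

The same watchlist doubles as the purchase list the researchers recommend: any entry that is not already registered to the organization is a candidate for defensive registration, and any entry registered to someone else is worth investigating.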
In fact, researchers discovered that
some of the largest companies already had doppelganger domains registered to
locations in China and to domains "associated with malware and phishing."
Some examples included Cisco, Dell and Yahoo.
"If in six months we were able to
collect 20 gigabytes of data, imagine what a malicious attacker could
gain," the researchers wrote.
In another example of typosquatting,
M86 Security researchers found domains with URLs like YoutTube.com (an extra "t")
redirect unsuspecting users to an online survey site, such as
videorewardsonline.com, Rodel Mendrez, a researcher at M86 Security, wrote on
the company blog Sept. 8. The survey site looks like a YouTube site, with
similar fonts and logos. There has been a "rapid spike in traffic" to
the survey site recently, most likely as a result of traffic from typosquatted
domains, Mendrez speculated.
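A typosquat of the YoutTube.com kind differs from a doppelganger only in the edit involved: one extra character rather than a missing dot. As an added example (not M86 Security's code), the block below scans resolver log lines for queried names that are exactly one inserted character away from a monitored brand domain, which is how a defender would spot users being steered to such sites. The log format, brand list and client addresses are constructed, and the registrable-domain reduction assumes simple name.tld brands.

```python
# Added example (not M86 Security's code): flag DNS queries that are one inserted
# character away from a monitored brand domain, the pattern behind "YoutTube.com".
# The log format, brand list and client addresses are constructed samples.

import re
from typing import List, Tuple

# Brands to watch, as registrable domains (assumption: two labels, name.tld).
BRANDS = ["youtube.com", "yahoo.com"]

# Constructed resolver log lines: timestamp, client, queried name.
DNS_LOG = """\
2011-09-08T10:00:01 client=10.0.0.5 query=www.youtube.com
2011-09-08T10:00:07 client=10.0.0.9 query=www.youttube.com
2011-09-08T10:00:12 client=10.0.0.9 query=videorewardsonline.com
2011-09-08T10:00:20 client=10.0.0.3 query=yahooo.com
2011-09-08T10:00:25 client=10.0.0.3 query=yahoo.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+)$")


def registrable(name: str) -> str:
    """Reduce a hostname to its last two labels (assumption: simple name.tld)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def one_char_inserted(candidate: str, brand: str) -> bool:
    """True if deleting exactly one character from candidate yields brand,
    which covers doubled letters ('youttube') and stray insertions alike."""
    if len(candidate) != len(brand) + 1:
        return False
    return any(candidate[:i] + candidate[i + 1:] == brand
               for i in range(len(candidate)))


def matched_brand(name: str) -> str:
    """Return the brand a domain imitates by one extra character, else ''."""
    dom = registrable(name)
    for brand in BRANDS:
        if dom != brand and one_char_inserted(dom, brand):
            return brand
    return ""


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, imitated brand) for suspicious queries."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        brand = matched_brand(m["query"])
        if brand:
            hits.append((m["client"], m["query"], brand))
    return hits


if __name__ == "__main__":
    for client, query, brand in scan_log(DNS_LOG):
        print(f"{client} queried {query} (looks like {brand})")
```

Exact-match blocklists miss new registrations; a single-edit comparison against a short brand list catches the whole family of one-character typos, and the same hits can feed a resolver rule that returns a warning page instead of the squatter's address.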
The malicious site uses IP address
geolocation to create localized versions for users and requires users to
participate by entering an email address and mobile phone number, Mendrez said.
The main purpose of the survey is to get people to subscribe to an
auto-renewing premium-rate SMS subscription service, he found.
Similarly, researchers at Avast
Software found that scammers are disguising malicious files by changing file
extensions to look innocuous. The "Unitix" technique
changes malicious Windows
executable files (.exe) into benign graphic images or Word documents by means
of a hidden Unicode entry, Avast said.
Unicode is an industry standard for representing text as numeric codes,
and it can be used to display languages not based on the Roman alphabet.
It also supports scripts that are written right to left, such as Arabic
and Hebrew.
Scammers use a specific Unicode control character to
force the system to display the filename from right to left, Avast said. For
example, the hidden code could be used to disguise a malicious file whose real
name ends in "gpj.exe" so that it appears to be a photo file ending in "exe.jpg."
It looks like a photo file because of the visible .jpg extension, but when it's
opened, the computer sees the Unicode character and reads the name in reverse,
running the file as an executable instead, Avast said.
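The trick works because the override character only changes how the name is drawn, not the extension the operating system acts on. As an added example (not Avast's code), the block below checks filenames for Unicode bidirectional controls, reports how a name would appear on screen and which extension actually applies, and flags names whose real extension is executable. The sample filenames and the list of risky extensions are constructed for the example.

```python
# Added example (not Avast's code): detect filenames carrying a Unicode
# right-to-left override (U+202E) or other bidi control, and report both how the
# name would be displayed and the extension the operating system actually uses.
# The sample filenames and the risky-extension list are constructed.

from typing import Dict, List

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character behind the trick
# Unicode bidirectional formatting controls that have no business in a filename.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # embeddings / overrides
    "\u2066", "\u2067", "\u2068", "\u2069",             # isolates
    "\u200e", "\u200f",                                 # LRM / RLM marks
}


def has_bidi_control(name: str) -> bool:
    return any(ch in BIDI_CONTROLS for ch in name)


def strip_bidi(name: str) -> str:
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name: str) -> str:
    """The extension the OS acts on: the suffix after the last dot once the
    invisible formatting controls are ignored."""
    clean = strip_bidi(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware display shows: everything after an RLO is
    rendered reversed, so 'holiday' + RLO + 'gpj.exe' appears as 'holidayexe.jpg'."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + strip_bidi(tail)[::-1]


def assess(name: str) -> Dict[str, str]:
    """Summary a file-scanner or mail gateway could attach to an attachment."""
    return {
        "displayed": displayed_name(name),
        "true_extension": true_extension(name),
        "bidi_control": "yes" if has_bidi_control(name) else "no",
    }


# Constructed samples: a benign photo, an RLO-disguised executable, a document.
SAMPLES = ["holiday.jpg", "holiday" + RLO + "gpj.exe", "report.docx"]


def flag_suspicious(names: List[str]) -> List[str]:
    """Names that contain a bidi control and whose real extension is executable."""
    risky = {"exe", "scr", "com", "bat", "cmd", "pif"}
    return [n for n in names if has_bidi_control(n) and true_extension(n) in risky]


if __name__ == "__main__":
    for n in SAMPLES:
        print(assess(n))
    print("flagged:", [displayed_name(n) for n in flag_suspicious(SAMPLES)])
```

Rejecting any attachment or upload whose name contains a bidirectional control is a cheap rule with almost no false positives, since legitimate filenames do not need these characters even in right-to-left languages.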