Domain Typos are Security Loopholes

People love finding the complicated ways by which things go wrong. Audacious frauds, complex exploits, elaborate leakages – people love to find them and show off that they found them. But if you have read my blog long enough, you will know that I love finding the really simple things that go wrong. Why? (1) They are simple, which makes them easy to understand, even for CEOs. (2) They can still have devastating consequences. Simple ways of losing lots of money are a great way to explain why businesses need to rethink how they work. You can sell software and consulting off the back of the incredibly intricate, but simple goofs are simple goofs, and can only be solved by making the goof impossible. This underpins the value of designing things to be foolproof. Like it or not, foolproofing pays off because… well… some of the people your company employs are… fools. Try not to let them wreck your business. Putting the dot in the wrong place when entering a new tariff rate, leaving commercial secrets in plain view of anyone walking past a desk, taking orders without getting all the information needed to satisfy them – these are stupid but painful and common ways of hurting a business.

So it comes as no great surprise to find out that a serious security weakness might result from a humble typo. The Godai Group investigated “domain doppelgangers”. Put simply, people sometimes mistype a domain name and hence send an email to the wrong address. The owners of the doppelganger domain will have registered a domain that differs by one character from the real corporate domain. Perhaps they just leave out the dot that separates a subdomain from the rest of the address. Every time somebody makes the relevant typo, they send the email to the criminal who owns the doppelganger domain. And if the criminal forwards the email on to the right address, nobody will notice that confidences have been compromised. Godai Group identified that 30% of Fortune 500 companies are vulnerable to doppelganger domains.

By using the technique, Godai Group was able to obtain an astonishing 120,000 corporate emails over a 6-month period. To download the full report on what they did and how to counter it, click here. I recommend you do. The attack they simulated may not be clever, but it was big.
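The mechanics described above (a subdomain dot left out, or a single mistyped character) are easy to check for on the sending side: an outbound mail filter can compare each recipient's domain against the organisation's own domains and flag anything that is one keystroke away. The following is an added example written for this post, not code from the Godai Group report or from Commsrisk; the legitimate domains, the recipient addresses and the function names are all constructed for illustration.

```python
"""Flag outbound recipients whose domain looks like a doppelganger of one of
our own domains: either a subdomain dot has been dropped, or the domain is a
single-character typo (insertion, deletion, substitution or transposition).

Added example for illustration; domains and addresses below are constructed.
"""

# Constructed sample: the organisation's legitimate mail domains (assumption).
LEGIT_DOMAINS = {"example.com", "uk.example.com", "us.example.com"}

# Constructed sample: recipients taken from an outgoing message.
SAMPLE_RECIPIENTS = [
    "alice@example.com",      # correct
    "bob@ukexample.com",      # subdomain dot omitted
    "carol@exmaple.com",      # two letters transposed
    "dave@partner.org",       # unrelated third party, should not be flagged
    "erin@us.example.com",    # correct
]


def missing_dot_variants(domain):
    """Return the domains produced by dropping one subdomain dot.

    'uk.example.com' -> {'ukexample.com'}.  The final dot before the TLD is
    never removed, because 'examplecom' is not a registrable hostname.
    """
    parts = domain.split(".")
    variants = set()
    for i in range(len(parts) - 2):
        merged = parts[:i] + [parts[i] + parts[i + 1]] + parts[i + 2:]
        variants.add(".".join(merged))
    return variants


def osa_distance(a, b):
    """Optimal string alignment (Damerau-Levenshtein) distance.

    Counts a swap of two adjacent characters as one edit, so 'exmaple' is
    distance 1 from 'example', which plain Levenshtein would score as 2.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(domain, legit=LEGIT_DOMAINS):
    """Return a reason string if `domain` looks like a doppelganger, else None.

    Domains that are exactly one of ours are never flagged.  The missing-dot
    check runs first so that it yields the more specific explanation.
    """
    domain = domain.lower().rstrip(".")
    if domain in legit:
        return None
    for ld in sorted(legit):
        if domain in missing_dot_variants(ld):
            return f"missing dot: looks like {ld}"
    for ld in sorted(legit):
        if osa_distance(domain, ld) == 1:
            return f"one-character typo of {ld}"
    return None


def check_recipients(addresses):
    """Return [(address, reason)] for every recipient worth holding for review."""
    flagged = []
    for addr in addresses:
        _, _, dom = addr.rpartition("@")
        reason = classify(dom)
        if reason:
            flagged.append((addr, reason))
    return flagged


if __name__ == "__main__":
    for addr, reason in check_recipients(SAMPLE_RECIPIENTS):
        print(f"HOLD {addr}: {reason}")
```

The same `missing_dot_variants` and single-edit neighbourhood are what a company would enumerate when deciding which look-alike domains to register defensively or to watch for in DNS registration data; on the outbound side, holding the message for confirmation rather than silently rejecting it keeps genuine third-party domains that happen to be one edit away from becoming a nuisance.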

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.