How you can protect yourself against mail being intercepted by a fake domain
The Godai Group have made a big splash with their report on ‘doppelganger domains’ that can spy on emails to and from an organization, but what can Outlook users do about it?
What is a doppelganger domain?
It’s a domain name similar to an organization’s main domain, used for trapping emails sent to a mistyped domain name in the email address.
This can happen when there are sub-domains, usually regional, for a large company.
So far, it’s the email equivalent of posting a letter to the wrong address, where it is then opened and read.
Here’s where the hackers get sneaky. Instead of just reading the message, they pass a copy along to the intended recipient [email protected], so Fred and the company are none the wiser that the message has been intercepted.
Because the message arrived, the sender continues to use the mistyped address in future emails as he/she replies to messages in the same thread with the same incorrect address. That mistyped address can spread to other people via forwarded messages, so more and more messages for [email protected] can be read by hackers.
As we’ll see below, Outlook can help spread mistyped email addresses.
This isn’t a small problem. Godai Group in their report say they collected over 120,000 messages in six months using this method. The messages weren’t all people arranging a lunch, Godai reports having messages containing “trade secrets, business invoices, employee PII, network diagrams, usernames and passwords, etc.”
And they have examples of this happening already with domains registered to locations in China and elsewhere based on the name of companies like Cisco, Dell, GM, IBM (twice) and Yahoo.
Typo-squatting, as it is known, isn’t new. Hackers have commonly used fake domains to trap people with their phishing scams – witness the many domains in spam emails that have variations on ‘paypal’ or ‘citibank’ in the links they want you to click. However, this attack uses email traps rather than browser links.
What can YOU do?
Outlook has one feature that lets a mistyped domain persist beyond the original mistake.
The AutoComplete feature gives you a drop-down list of addresses you have used in the past. This list is NOT linked to your Contacts list, so updating an email address for the contact won’t change the one most people use in the AutoComplete list. We talked about this back in 2009 in “Why doesn’t an Outlook change of address stick?”: “Autocomplete is so useful and quick, it’s easy to forget the downside.”
If you mistype an email address in Outlook – e.g. [email protected] – that mistake will keep showing up until you delete it. Do that by using the down and up arrow keys to highlight the outdated AutoComplete entry, then press Delete to get rid of it. In Outlook 2010 they’ve made this obvious by putting an X on each line for you to click.
It’s amazing what information people will send in clear, unencrypted emails. It’s easy to forget that messages are ‘in the clear’ and can be read by hackers. Don’t send passwords, login details, credit card info or bank account details in emails.
There is an alternative – digitally signed and encrypted emails. They are complicated, so we’ve written a clear, simple guide to secure Outlook emails in our ebook Privacy and Security in Microsoft Office.
The best protection is, as always, to be careful. Watch email addresses to make sure they are correct the first time you type them.
What to do?
Godai have some preventative measures for network administrators.
Godai’s suggestions include:
Register domain names that might be used for typo-squatting
Some companies already do that. If you type amazn.com you’ll reach amazon.com because Amazon registered their mistyped name long ago. We suspect the idea of registering similar sub-domains has been overlooked in many IT departments.
Watch domain registrations
Keep track of domain name registrations and lodge a complaint under the Uniform Domain Name Dispute Resolution Policy (UDRP) if a new registration appears to be a problem.
Trap doppelganger domains in-house
Maintain a list of possible domain typos and configure in-house DNS and email systems not to recognize those domains. This can be done in Exchange Server.
This only works if you have a good list of possible mistyped domain names.
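As an added illustration of that last point (example code, not from the article or from Godai’s report), here is a small Python script that builds such a list from an organization’s own domain and regional sub-domains, then screens outgoing recipient addresses against it. The domain example.com and the sub-domains us and uk are constructed assumptions.

```python
# Added example: generate candidate doppelganger domains for an organization's
# own mail domains and screen recipient addresses against them.
# example.com and its sub-domains are constructed sample values.

def typo_variants(domain: str) -> set[str]:
    """Single-character omissions and adjacent-character swaps in the name part.
    'example.com' yields 'exmple.com', 'exmaple.com', etc."""
    label, _, tld = domain.rpartition(".")
    variants = set()
    for i in range(len(label)):                      # drop one character
        omitted = label[:i] + label[i + 1:]
        if omitted:
            variants.add(f"{omitted}.{tld}")
    for i in range(len(label) - 1):                  # swap two neighbours
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        variants.add(f"{swapped}.{tld}")
    variants.discard(domain)
    return variants

def missing_dot_variants(domain: str, subdomains: list[str]) -> set[str]:
    """'us.example.com' typed without its dot becomes 'usexample.com',
    the classic sub-domain doppelganger."""
    return {f"{sub}{domain}" for sub in subdomains}

def doppelganger_candidates(domain: str, subdomains: list[str]) -> set[str]:
    """Union of the typo families above, minus the domains that are really ours."""
    legit = {domain, *(f"{sub}.{domain}" for sub in subdomains)}
    candidates = missing_dot_variants(domain, subdomains) | typo_variants(domain)
    return candidates - legit

def screen_recipients(recipients: list[str], candidates: set[str]) -> list[str]:
    """Return the addresses whose domain is a known doppelganger candidate,
    i.e. mail that an in-house filter should hold or bounce."""
    flagged = []
    for addr in recipients:
        _, _, recipient_domain = addr.rpartition("@")
        if recipient_domain.lower() in candidates:
            flagged.append(addr)
    return flagged

if __name__ == "__main__":
    block_list = doppelganger_candidates("example.com", ["us", "uk"])
    print(sorted(block_list))
    print(screen_recipients(["fred@example.com", "fred@usexample.com"], block_list))
```

The resulting set is the kind of list the article says Exchange or internal DNS needs before the trap-in-house approach can work; it is only as good as the typo families you choose to generate.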