Researchers’ Typosquatting Stole 20 GB of E-Mail From Fortune 500

Found on Wired on Friday, 09 September 2011

The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.

The researchers also discovered that a number of doppelganger domains had already been registered for some of the largest companies in the U.S. by entities that appeared to be based in China, suggesting that snoops may already be using such accounts to intercept valuable corporate communications.

Someone whose registration data suggests he’s in China registered kscisco.com, a doppelganger for ks.cisco.com. Another user who appeared to be in China registered nayahoo.com – a variant of the legitimate na.yahoo.com (a subdomain for Yahoo in Namibia).

Technically it's not really stealing; the sender just typed in the wrong address. Actually, it's more interesting that apparently hundreds of thousands of users still type in email addresses by hand. Companies can easily deal with misaddressed outgoing emails: they just need to add those doppelganger domains, with a catch-all, to their outgoing mail servers. Most mail servers check whether the recipient domain is configured locally before doing an MX lookup. That way corporations can siphon off those emails before they leave their network and teach the sender how to address an email correctly.
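The mitigation above has two halves: knowing which dotless doppelgangers your legitimate subdomains produce, and making the outgoing relay treat those domains as local so the mail never reaches an MX lookup. The following is an added example, not code from Wired or from the original post. It assumes an organisation keeps a list of its own subdomains, that the typo of interest is the dropped dot between subdomain and parent domain (as in kscisco.com for ks.cisco.com), and that Postfix is the outgoing relay; the subdomain list and recipient addresses are constructed.

```python
"""Detect mistyped 'doppelganger' recipient domains on outgoing mail.

Added example (not from the Wired article or the blog post). It assumes an
organisation keeps a list of its legitimate subdomains and that the dropped
dot between subdomain and parent domain is the typo of interest, as in the
article's kscisco.com / nayahoo.com cases. All names below are constructed.
"""

# Constructed: legitimate subdomains the organisation actually uses.
LEGIT_SUBDOMAINS = ["ks.cisco.com", "na.yahoo.com", "mail.eu.example.com"]

# Constructed: recipients taken from a hypothetical outgoing-mail queue.
SAMPLE_RECIPIENTS = [
    "alice@ks.cisco.com",      # correct
    "bob@kscisco.com",         # dot dropped -> doppelganger
    "carol@NaYahoo.com",       # case differs, still a doppelganger
    "dave@partner.example",    # unrelated external domain, not flagged
]


def doppelganger_map(subdomains):
    """Map each dotless doppelganger to the legitimate subdomain it mimics.

    For 'a.b.c.tld' every internal dot except the one before the TLD can be
    dropped, so a multi-level subdomain yields several variants.
    """
    mapping = {}
    for sd in subdomains:
        labels = sd.lower().split(".")
        for i in range(len(labels) - 2):          # keep the dot before the TLD
            merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
            mapping[".".join(merged)] = sd.lower()
    return mapping


def check_outgoing(recipients, subdomains=LEGIT_SUBDOMAINS):
    """Return (mistyped_address, corrected_address) for every recipient whose
    domain is a doppelganger of a legitimate subdomain."""
    dmap = doppelganger_map(subdomains)
    findings = []
    for addr in recipients:
        local, sep, domain = addr.rpartition("@")
        if not sep:
            continue                               # not a routable address
        fixed = dmap.get(domain.lower())
        if fixed:
            findings.append((addr, f"{local}@{fixed}"))
    return findings


def postfix_catchall_lines(subdomains=LEGIT_SUBDOMAINS, mailbox="postmaster"):
    """Emit catch-all entries in Postfix virtual(5) table syntax so the
    outgoing relay accepts the doppelganger domains locally instead of doing
    an MX lookup (assumption: Postfix is the relay; adjust for other MTAs)."""
    lines = []
    for fake, real in sorted(doppelganger_map(subdomains).items()):
        parent = real.split(".", 1)[1]            # ks.cisco.com -> cisco.com
        lines.append(f"@{fake}\t{mailbox}@{parent}")
    return lines


if __name__ == "__main__":
    for bad, good in check_outgoing(SAMPLE_RECIPIENTS):
        print(f"hold: {bad} -> did you mean {good}?")
    print("\n".join(postfix_catchall_lines()))
```

The `check_outgoing` pass is what a submission-time filter or a queue audit would run; the Postfix lines belong in a `virtual_alias_maps` table, and the same doppelganger domains also have to be listed in `virtual_alias_domains` in `main.cf` so the relay claims them as local rather than resolving their MX records. Whoever reads the catch-all mailbox can then bounce the message back to the sender with the corrected address.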