Typo-Domains Pose an Email Security Threat: Users Also Mistype Domains in Email Addresses

Companies and political organizations should put more effort into registering mis-typed versions of their primary domain, not only to protect visitors to their Web sites but also to prevent e-mails from accidentally leaking out, a security researcher said on Wednesday.

As part of his investigation, Friedrichs registered 124 domains consisting of common misspellings of the primary domains of candidates in the U.S. presidential election. In a strictly controlled experiment, Friedrichs used a mail server to count the number of e-mail messages sent to the misspelled domains, finding 1,121 connection attempts from 12 distinct IP addresses in a 24-hour period. Friedrichs stressed that he did not look at the e-mails and bounced the messages back to the sender to let them know they had misspelled the address.

"It is not clear what is going on here," Friedrichs told attendees. "But if someone sends an e-mail to that company, and makes a typo, the owner of the (fraudulent) domain is going to get the information."

Typosquatting has generally been considered more of a nuisance than a security threat. In 2003, VeriSign caused a stir when it started redirecting queries for nonexistent domain names, likely due to misspellings, to a page controlled by the company. Frausters frequently use domain names that have spellings close to that of a major brand to fool potential victims into believing that the fake site is legitimate.

More here and here.

Typosquatting, the registering of common misspellings of domain names, could be used by rivals in election campaigns as well as competing companies as a way of advertising to rivals' customers, Oliver Friedrichs, the director of emerging technologies at security firm Symantec, told attendees at the Black Hat DC 2008 security conference. (Symantec is the owner of SecurityFocus.) An investigation of the common misspellings of two defense contractors' names uncovered typosquatted domains registered in China and India, he said. While the domain registered in India did not have a Web server or mail server handling traffic to the misspelled domain, a mail server was set to receive e-mail sent to the domain registered in China.

"It is not clear what is going on here," Friedrichs told attendees. "But if someone sends an e-mail to that company, and makes a typo, the owner of the (fraudulent) domain is going to get the information."

As part of his investigation, Friedrichs registered 124 domains consisting of common misspellings of the primary domains of candidates in the U.S. presidential election. In a strictly controlled experiment, Friedrichs used a mail server to count the number of e-mail messages sent to the misspelled domains, finding 1,121 connection attempts from 12 distinct IP addresses in a 24-hour period. Friedrichs stressed that he did not look at the e-mails and bounced the messages back to the sender to let them know they had misspelled the address.

Typosquatting has generally been considered more of a nuisance than a security threat. In 2003, VeriSign caused a stir when it started redirecting queries for nonexistent domain names, likely due to misspellings, to a page controlled by the company. Frausters frequently use domain names that have spellings close to that of a major brand to fool potential victims into believing that the fake site is legitimate.

E-mail servers set up to server misspelled domain names could allow targeted e-mail attacks to be more convincing and could capture sensitive e-mail messages sent to a misspelled address, Friedrichs said.