Two researchers from Godai Group set up an experiment to see how much private information can be harvested by registering typo variants of corporate domains and running mail servers on them. The technique turned out to be extremely effective: in six months, 30 such "fake" domains received 20 GB of email (about 120,000 messages) that had been addressed to Fortune 500 companies. Roughly 1% of those messages contained confidential information: employee logins and passwords, transaction details, internal investigations and so on.
120,000 messages is a good result for a collection method that is entirely passive and completely covert: in six months, nobody noticed.
The researchers found that for 30% of large companies a doppelganger domain (the name of a mail subdomain with its dot removed) could still be registered, given the subdomains to which their mail is addressed. Some corporations have 60 subdomains and are therefore especially exposed. If a company has a large flow of internal mail, some messages will inevitably be mistyped and land at the wrong address, for example at @seibm.com instead of @se.ibm.com (IBM's Swedish division), or at @ausintel.com instead of @aus.intel.com.
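As a defender's counterpart to the technique described above, the following added example (not code from the Godai Group study) derives the doppelganger of each mail subdomain an organisation uses and flags outbound recipients whose domain is one of them, so a gateway can hold the message. The se.ibm.com and aus.intel.com pairs come from the article; mail.emea.example.com is a constructed stand-in, and treating the last two labels as the registrable domain is an assumption.

```python
"""Defensive doppelganger check: flag outbound mail addressed to a dot-dropped
look-alike (se.ibm.com -> seibm.com) of a subdomain the organisation uses."""
from typing import Dict, Iterable, Optional


def doppelganger(subdomain: str) -> Optional[str]:
    """Return the registrable doppelganger of a mail subdomain, or None.
    Assumes the registrable domain is the last two labels (ibm.com); suffixes
    like co.uk would need a public-suffix list, which is not modelled here.
    Only the dot directly before the registrable domain matters: dropping any
    other dot still gives a name under the real domain, which outsiders
    cannot register.
    """
    labels = subdomain.lower().strip().rstrip(".").split(".")
    if len(labels) < 3 or not all(labels):
        return None  # bare 'ibm.com' has no subdomain dot to drop
    return labels[-3] + labels[-2] + "." + labels[-1]


def build_watchlist(mail_subdomains: Iterable[str]) -> Dict[str, str]:
    """Map each doppelganger domain back to the legitimate subdomain it mimics."""
    watch: Dict[str, str] = {}
    for sub in mail_subdomains:
        dg = doppelganger(sub)
        if dg:
            watch[dg] = sub.lower()
    return watch


def check_recipient(address: str, watchlist: Dict[str, str]) -> Optional[str]:
    """Return the legitimate subdomain the recipient's domain mimics, else None.
    Matches on the registrable domain (last two labels), so 'bob@hr.ausintel.com'
    is caught as well as 'bob@ausintel.com'."""
    if "@" not in address:
        return None
    labels = address.rsplit("@", 1)[1].lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return watchlist.get(".".join(labels[-2:]))


# Constructed sample: the two subdomain pairs named in the article plus a made-up one.
OUR_MAIL_SUBDOMAINS = ["se.ibm.com", "aus.intel.com", "mail.emea.example.com"]

if __name__ == "__main__":
    watch = build_watchlist(OUR_MAIL_SUBDOMAINS)
    for rcpt in ["alice@se.ibm.com", "bob@seibm.com", "carol@hr.ausintel.com",
                 "dave@mail.emeaexample.com", "erin@partner.example.org"]:
        hit = check_recipient(rcpt, watch)
        print(f"{rcpt:28} {'HOLD, looks like ' + hit if hit else 'deliver'}")
```

The same watchlist doubles as a registration-monitoring list: periodically checking whether any entry has been registered by a third party is how a company would find out that its own doppelgangers are taken.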
Searching the roughly 120,000 messages received on the 30 domains over six months for specific keywords gave the following counts:
| Keyword | Number of emails |
|---|---|
| Investigation | 350 |
| Secret | 425 |
| Unclassified | 106 |
| Credit card | 402 |
| Private | 394 |
| Userid | 225 |
| Password | 405 |
| Login | 495 |
| Confidentiality | 374 |
| VPN | 75 |
| Router | 163 |
| Contract | 417 |
| Affidavits | 34 |
| Invoice | 323 |
| Resume | 275 |
It is possible that someone is already collecting other people's corporate mail this way. The researchers discovered that a number of Taiwanese domains belonging to some of the largest companies are already registered to Chinese owners or to suspicious email addresses. This may well be part of an industrial espionage operation.
| Target domain | Doppelganger domain | Registrant email address |
|---|---|---|
| adp.com | cnadp.com | adp@vip.163.com |
| cisco.com | kscisco.com | domainadm@hichina.com |
| dell.com | chndell.com | gdguy@163.com |
| dupont.com | sydupont.com | syxxhw@163.com |
| gm.com | ucgm.com | zydoor@126.com |
| hp.com | chehp.com | 59031894@qq.com |
| ibm.com | caibm.com | 604732486@qq.com |
| ibm.com | seibm.com | fjjclaw@263.net |
| intel.com | ausintel.com | nheras@gmail.com |
| itt.com | cnitt.com | dulingqun@sina.com |
| kohls.com | emailkohls.com | bridgeportltd@gmail.com |
| manpower.com | demanpower.com | tzstudent@163.com |
| mcd.com | cnmcd.com | 617388068@qq.com |
| yahoo.com | nayahoo.com | xxxxxx_vip@yahoo.com.cn |
| unisys.com | caunisys.com | domainadm@hichina.com |
Experiment Results (PDF)